LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 05-19-2006, 04:03 AM   #1
Elijah
Member
 
Registered: Feb 2003
Location: Philippines
Distribution: Debian, Mandrake, Redhat
Posts: 90

Rep: Reputation: 15
Redirecting request to port 443 to directly access the internet


Hi,

It seems that implementing transparent squid proxy will cause https & ssl to not work well on browsers ...

I'd like to be able to redirect all other requests like https/ssl(port 443) or email client's ports to directly access the internet instead of going through our proxy server.

Here's a little diagram of our network:
http://static.flickr.com/49/149174815_48fa51f1a3_o.png

What I did so far is:
1. Block out all connection request from our router settings except for our proxy server (adminserver ) only, this will force our users to use the proxy settings for their other applications.
2. Set all client's pc's to use the gateway 'adminserver'.
3. Setup transparent proxy for squid. For http requests.

Everything else is working fine so far, except that opening up ssl-enabled sites (mail.yahoo.com) creates a timeout error and email clients seems to not work even with proxy settings enabled.

What I need is some sort of iptable rule to grab all port 443 connections and make it connect directly to the internet ... I used webmin to formulate a rule but that didn't work (I have little knowledge of iptables as of the moment) ... so I thought of asking for help here, anyone?

Here's my current rule:
-A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.100.3

Last edited by Elijah; 05-19-2006 at 04:07 AM.
 
Old 05-19-2006, 04:28 AM   #2
gundam00
LQ Newbie
 
Registered: Nov 2005
Posts: 9

Rep: Reputation: 0
If you block all access from your router, except for proxy server, and all your PCs are set up to use your proxy server you don't need any transparent proxy: the proxy server is able to manage https requests.

Using transparent proxy to redirect https trafic is not the right thing: https direct requests are quite different from https proxy requests.
 
Old 05-19-2006, 04:42 AM   #3
Elijah
Member
 
Registered: Feb 2003
Location: Philippines
Distribution: Debian, Mandrake, Redhat
Posts: 90

Original Poster
Rep: Reputation: 15
The reason for it is that there are quite a few pc's to setup proxy settings for. I didn't want to bother our users as often ;-)

Quote:
Using transparent proxy to redirect https trafic is not the right thing: https direct requests are quite different from https proxy requests.
I actually don't plan to proxy any https request, just forward it to a direct connection instead... only http will be proxy-ed, will that be a problem?
 
Old 05-19-2006, 04:45 AM   #4
gundam00
LQ Newbie
 
Registered: Nov 2005
Posts: 9

Rep: Reputation: 0
It won't be a problem:
- remove the DNAT rule for https protocol
- open ports on your router
 
Old 05-19-2006, 05:00 AM   #5
Elijah
Member
 
Registered: Feb 2003
Location: Philippines
Distribution: Debian, Mandrake, Redhat
Posts: 90

Original Poster
Rep: Reputation: 15
Ok, removed dnat:
-A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT

Didn't work :-( , edit: we only have a dsl router so I guess all ports are open ...

Last edited by Elijah; 05-19-2006 at 05:13 AM.
 
Old 05-19-2006, 05:07 AM   #6
gundam00
LQ Newbie
 
Registered: Nov 2005
Posts: 9

Rep: Reputation: 0
Quote:
Originally Posted by Elijah
Ok, removed dnat:
-A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT
This should be a FORWARD rule instead of a PREROUTING rule.
 
Old 05-19-2006, 05:38 AM   #7
Elijah
Member
 
Registered: Feb 2003
Location: Philippines
Distribution: Debian, Mandrake, Redhat
Posts: 90

Original Poster
Rep: Reputation: 15
Can't seem to get a connection...

Tried in all filter, mangle & nat tables

# https / ssl direct connection
-A FORWARD -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT

Last edited by Elijah; 05-19-2006 at 06:05 AM.
 
Old 05-19-2006, 08:16 AM   #8
gundam00
LQ Newbie
 
Registered: Nov 2005
Posts: 9

Rep: Reputation: 0
I was looking at your net diagram...

If your workstations use the router as default gateway, the forwarding rules of the Adminserver are useless for your LAN trafic... so the problem is in your router ACLs.
 
Old 05-20-2006, 09:07 PM   #9
Elijah
Member
 
Registered: Feb 2003
Location: Philippines
Distribution: Debian, Mandrake, Redhat
Posts: 90

Original Poster
Rep: Reputation: 15
hmm.. not really, our dhcp setup is currently pointing to squid server (adminserver) as the default gateway instead of the router. I can see that it's working because transparent proxying is working well =) except for https that is...
 
Old 05-23-2006, 01:00 AM   #10
Elijah
Member
 
Registered: Feb 2003
Location: Philippines
Distribution: Debian, Mandrake, Redhat
Posts: 90

Original Poster
Rep: Reputation: 15
Nevermind, solved it. Setted up a new iptable rule :

-A POSTROUTING -p tcp -m tcp --dport 443 -j SNAT --to 192.168.100.2

Thanks for the help though.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache Port 443 Verbal Kint Linux - Software 0 10-04-2005 03:07 AM
can we access port 443 without root permission prasad_koukuntla Linux - Security 2 07-31-2005 05:52 PM
access using port 443 gtoerner Linux - Security 3 07-14-2005 05:48 PM
turn off http port 80, keep https port 443 lothario Linux - Networking 6 02-11-2005 04:06 AM
Allow this particular web page access on port 443 ONLY lothario Linux - Software 2 01-14-2005 10:14 PM


All times are GMT -5. The time now is 12:30 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration