LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 02-02-2009, 01:54 PM   #1
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Rep: Reputation: 148
setup transparent proxy


I am trying to set up a Linux bridge/transparent Squid proxy with iptables and ebtables. When I add the proxy configuration in the web browser I am able to access the internet,
but without the proxy configuration in the web browser, using the Linux bridge IP as my gateway, I am unable to access the internet.

My network diagram:
internet<----->(eth0)linuxbridge/squid(eth1)<----->my network

To redirect the port I used the following chains.
In iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT

-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
In ebtables
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

I googled a lot of sites but I was unable to find the right solution for this (I am aware that I am making mistakes in this port redirecting; if that is true, please correct me).
Will you please give me an idea to correct my mistakes?
 
Old 02-02-2009, 10:16 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,520

Rep: Reputation: 7944
Quote:
Originally Posted by kirukan
I am trying to set up a Linux bridge/transparent Squid proxy with iptables and ebtables. When I add the proxy configuration in the web browser I am able to access the internet,
but without the proxy configuration in the web browser, using the Linux bridge IP as my gateway, I am unable to access the internet.

My network diagram:
internet<----->(eth0)linuxbridge/squid(eth1)<----->my network

To redirect the port I used the following chains.
In iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT

-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
In ebtables
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

I googled a lot of sites but I was unable to find the right solution for this (I am aware that I am making mistakes in this port redirecting; if that is true, please correct me).
Will you please give me an idea to correct my mistakes?
Based on your post, it seems like you're a bit unclear on the concept of a 'transparent proxy'.

You say if you enable the proxy, you can "able access internet", and when you don't, you can't.

Yes, that's exactly right. If you have a proxy server in place, and don't use it, you SHOULDN'T be able to get to the internet.
 
Old 02-03-2009, 07:43 AM   #3
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Original Poster
Rep: Reputation: 148
I think you misunderstood my post (I don't know whether my post is unclear). If we want to access the internet through a proxy we should add the (IP address, port number) in the web browser. But when we set up a transparent proxy we can access the internet without client-side configuration (I mean there is no need to add the IP address and port number in the web browser).
 
Old 02-03-2009, 12:08 PM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,520

Rep: Reputation: 7944
Quote:
Originally Posted by kirukan
I think you misunderstood my post (I don't know whether my post is unclear). If we want to access the internet through a proxy we should add the (IP address, port number) in the web browser. But when we set up a transparent proxy we can access the internet without client-side configuration (I mean there is no need to add the IP address and port number in the web browser).
You have to do SOMETHING to tell clients to use a proxy server. You can set things up to push the proxy variables down when users log into the network, but "transparent proxy" means that the users don't have to log in or do anything to get access.
 
Old 02-03-2009, 01:34 PM   #5
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Original Poster
Rep: Reputation: 148
Hi;
I want to make my question clear one more time.
The problem.
I set up the transparent proxy/Linux bridge, iptables & ebtables on the server; I could not get internet access without setting up the proxy configuration in my client PC's web browser.

The solution I need.
I don't want to set up the web browser proxy configuration for every user. Instead I want to set the iptables & ebtables of the server, which are supposed to redirect all client-side requests coming in on port 80 to port 3128, since the server is listening on port 3128.

The method I used
To redirect the port I used the following chains.
In iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT

-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

In ebtables
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

But still I could not access the internet without setting up the proxy configuration in my client PC's web browser.
Please advise me and give me the right solution to do it.
Thank you.
 
Old 02-03-2009, 06:51 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,520

Rep: Reputation: 7944
Quote:
Originally Posted by kirukan
Hi;
I want to make my question clear one more time.
The problem.
I set up the transparent proxy/Linux bridge, iptables & ebtables on the server; I could not get internet access without setting up the proxy configuration in my client PC's web browser.

The solution I need.
I don't want to set up the web browser proxy configuration for every user. Instead I want to set the iptables & ebtables of the server, which are supposed to redirect all client-side requests coming in on port 80 to port 3128, since the server is listening on port 3128.

The method I used
To redirect the port I used the following chains.
In iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT

-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

In ebtables
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

But still I could not access the internet without setting up the proxy configuration in my client PC's web browser.
Please advise me and give me the right solution to do it.
Thank you.
And I want to make my answer clear one more time: IF YOU HAVE A PROXY SERVER, YOU WILL HAVE TO SET UP YOUR CLIENTS SOMEHOW.

Either you will have to use a zeroconf type thing to push the proxy configuration to your clients, or you will have to have a system login script set the things up for you. You have to do SOMETHING to get the proxy configuration to the client. Doing a simple redirect with iptables won't work, unless you want to set up so many ports, and be ready to set up more for any non-standard websites/connections, that you'll spend all day doing nothing but that, and still have flaky problems.

Also, do not issue demands, such as "give me the right solution to do it". You're not paying attention to the answer...if you don't like the answer you get here, hire someone to do it for you.
 
Old 02-03-2009, 07:08 PM   #7
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
Have a look at the Squid FAQ for some information on interception caching (transparent proxying) that may be useful.

If you only need to proxy http (not gopher, ssl, ftp etc.) then you can set up iptables rules and compile Squid to allow this. You won't have to configure clients if this is all you require. I have the following in my iptables rules on one of my boxes:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80:81 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080  -j REDIRECT --to-port 3128
However, there are limitations (see the link above). As TB0ne pointed out, you will need to manually configure proxy details for the non-supported protocols and you can't use proxy authentication.
 
Old 02-12-2009, 05:46 AM   #8
chitambira
Member
 
Registered: Oct 2008
Location: Online
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
Gilead can't be more clear. What you are trying to do is achievable (unlike what TB0ne is saying); just sort out your iptables rules properly.
In your case, since your proxy server is also the bridge to the internet, there is nothing more needed. No configs on the clients are needed anyhow (true). However, this setup will not work when accessing HTTPS and FTP sites. Otherwise, if you don't really care about these, then go ahead and tweak your iptables (check http://wiki.squid-cache.org/SquidFaq/InterceptionProxy).

Good luck

Last edited by chitambira; 02-13-2009 at 04:13 AM.
 
Old 02-12-2009, 11:07 AM   #9
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,520

Rep: Reputation: 7944
Quote:
Originally Posted by chitambira
Gilead can't be more clear. What you are trying to do is achievable (unlike what TB0ne is saying); just sort out your iptables rules properly.
Good luck
No, what I'm saying is if they want to use a PROXY server, you've got to tell the clients to use it, somehow. What am I saying that's NOT achievable?? And Gilead hits it on the head...to use this as a full proxy for all protocols, you have to configure the clients.
 
Old 02-14-2009, 01:33 PM   #10
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Original Poster
Rep: Reputation: 148
setup transparent proxy

First of all I would like to thank all who gave ideas about transparent proxies. Please excuse me if I have misled you in this regard.

Actually my expectation is that I have to have a middle man (transparent server) who handles all the traffic but without the users' knowledge (I think I didn't give a clear idea about my scenario earlier). Anyhow, I solved my problem by using a transparent Squid proxy & iptables. Now all protocols (net traffic) are going through my transparent server.
I agree that if I set up a transparent proxy it can handle only HTTP traffic, so what I did was bypass all other protocols which are not handled by the transparent proxy.

I used the following iptables rules.
Redirect all HTTP traffic to the proxy:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

To handle HTTPS:
iptables -t nat -A POSTROUTING -p tcp --dport 443 -j SNAT --to xx.xx.xx.xx (transparent server IP address)

Please advise me if there are any security vulnerabilities or performance issues caused by this setup.
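A consolidated, dry-run version of the rule set discussed in gilead's post (#7) and in this one (#10), added here as an example; it is not code from the thread or from the Squid project. It assumes a box that forwards between an internal interface (LAN_IF), an internet-facing interface (WAN_IF), a client subnet (LAN_NET) and its own internet-side address (WAN_IP); those names and the sample addresses are hypothetical, and the "xx.xx.xx.xx" from the post above is replaced by a documentation-range placeholder. It prints the iptables commands rather than applying them. The point it adds to the thread's rules is scope: an unscoped `--dport 80 -j REDIRECT` also hands port-80 connections arriving from the internet side to Squid, and an unscoped `-j SNAT` translates everything the box forwards, so both are tied to the LAN interface and client subnet. The audit function flags nat rules that carry neither an interface nor a source match; run over the rules quoted in this thread it reports three.

```shell
#!/bin/sh
# Added example, not code from this thread. Dry-run generator for a scoped
# interception rule set plus an audit of existing nat rules.
# Assumed (hypothetical) parameters: LAN_IF = interface facing the clients,
# WAN_IF = interface facing the internet, LAN_NET = client subnet,
# WAN_IP = the box's internet-side address, PROXY_PORT = Squid's port.

# intercept_rules LAN_IF WAN_IF LAN_NET WAN_IP PROXY_PORT
# Prints the commands instead of running them; review, then pipe to sh.
intercept_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; wan_ip=$4; proxy_port=$5
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Intercept HTTP only when it arrives on the LAN side from our own clients.
# Without -i/-s the same rule also catches port-80 connections arriving on
# $wan_if, so anyone on the internet who connects to this box on port 80 is
# handed to Squid; whether that relays depends only on Squid's http_access.
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-port $proxy_port
# Clients that already talk to Squid directly are left alone.
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport $proxy_port -j ACCEPT
# Everything Squid does not intercept (HTTPS, FTP, ...) is forwarded and
# source-NATed on the WAN side only, and only for the client subnet.
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j SNAT --to-source $wan_ip
EOF
}

# audit_nat_rules reads nat rules (iptables-save style) on stdin and prints
# every REDIRECT/DNAT/SNAT/MASQUERADE rule that has neither an interface
# match (-i/-o) nor a source match (-s). Returns 1 if any were found.
audit_nat_rules() {
    found=0
    while IFS= read -r line; do
        case $line in
            *"-j REDIRECT"*|*"-j DNAT"*|*"-j SNAT"*|*"-j MASQUERADE"*) ;;
            *) continue ;;
        esac
        scoped=0
        case $line in *" -i "*|*" -o "*|*" -s "*) scoped=1 ;; esac
        if [ $scoped -eq 0 ]; then
            echo "UNSCOPED: $line"
            found=1
        fi
    done
    return $found
}

# Constructed sample: the nat rules quoted in this thread, with the masked
# SNAT address replaced by a documentation-range placeholder.
SAMPLE_NAT_RULES='-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
-A RH-Redirect-0-50-PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i eth0 -p tcp --dport 80:81 -j REDIRECT --to-port 3128
-A POSTROUTING -p tcp --dport 443 -j SNAT --to 198.51.100.1'

if [ "${1:-}" = "demo" ]; then
    echo "== generated rule set =="
    intercept_rules eth1 eth0 192.168.1.0/24 198.51.100.1 3128
    echo "== audit of the rules quoted in the thread =="
    printf '%s\n' "$SAMPLE_NAT_RULES" | audit_nat_rules || echo "(review the rules above)"
fi
```

Run it as `sh intercept.sh demo` to see both halves; nothing touches the kernel unless the printed commands are piped to a shell. The audit only looks at scope, so a rule that passes it can still be wrong for other reasons; the `-i eth0` rule from the thread passes even though, on the original poster's diagram, eth0 is the internet side.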
 
Old 02-15-2009, 06:51 PM   #11
yzhong
Member
 
Registered: Jun 2007
Location: sydney
Distribution: redhat , ubuntu, centos
Posts: 56

Rep: Reputation: 16
That should be what you're after:
http://www.karlrupp.net/en/computer/nat_tutorial

Normally use -j DNAT, but -j REDIRECT seems not much different.
 
All times are GMT -5. The time now is 09:57 PM.