Hi,
One thing you can try is to SNAT not to the squid-box, but to an IP address
outside your network (say, 1.2.3.4). This way, the squid box's replies will
go through the firewall, and not directly back to the client. The firewall
should be smart enough to do the reverse substitution.
I'm not really sure whether it would work then, though. For one, the
firewall needs to send ARP packets to find out the ethernet address of the
squid box, and in order to do that, I think it will need an IP address itself
(not sure). If you haven't assigned an IP address to the firewall because
of security concerns, something like:
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
should work fine.
cheers,
Lennert
On Sun, Nov 25, 2001 at 12:43:43PM +0200, [EMAIL PROTECTED] wrote:
>
> Hello ,
>
> I am using 2.4.14 with bridge-nf-0.0.3 acting as a transparent firewall
> between my network and our upstream. I have set up inside my local network
> a box with squid set up in transparent proxy mode. However, I haven't been
> able to figure out the appropriate iptables rules needed in the bridge box.
> The transparent proxy minihowto seems to assume that the iptables box
> has an IP address, which is not the case in my setup. I have 2 NICs
> doing bridging & firewalling and that's all.
>
>
> the minihowto proposes the following commands
>
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
>
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
>
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>
>
> Substituting eth0 with the name of the bridge interface forwards the
> packets to the squid box. However, without the appropriate POSTROUTING
> command the squid box tries to communicate directly with the client,
> which of course responds to it with RST packets since it expected a
> response from the site it tried to browse.
>
> If I understand correctly, the howto's concept is to make the requests look
> like they originate from the firewall and then forward them to the squid.
> Is there anything we can do if the firewall is to be transparent to all,
> even to the squid box?
>
> Kind regards
>
>
> Dimitris
>
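The rule set discussed above, written out as an added example (not code from the thread or the howto): the three minihowto rules on the bridge interface, with the SNAT pointed at an off-network address as Lennert suggests, the INPUT/OUTPUT drops for a bridge without an address of its own, and a small check for the squid box's reply path. The interface name and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholder values; adjust to the real bridge and squid box.
BR=br0                  # bridge interface on the firewall (assumed name)
SQUID=192.168.1.10      # squid box, inside the local network
LOCALNET=192.168.1.0/24 # local network behind the bridge
SNAT_IP=1.2.3.4         # address outside the local network, per Lennert's suggestion
SQUID_PORT=3128

# Print the NAT/forward rules instead of applying them, so they can be
# reviewed first; pipe through sh to apply.  The SNAT to an off-network
# address forces squid's replies to the client back through the bridge,
# where conntrack reverses both translations.
proxy_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $BR ! -s $SQUID -p tcp --dport 80 -j DNAT --to $SQUID:$SQUID_PORT" \
      "iptables -t nat -A POSTROUTING -o $BR -s $LOCALNET -d $SQUID -p tcp --dport $SQUID_PORT -j SNAT --to $SNAT_IP" \
      "iptables -A FORWARD -i $BR -o $BR -s $LOCALNET -d $SQUID -p tcp --dport $SQUID_PORT -j ACCEPT"
}

# A bridge with no IP address should neither accept nor originate traffic;
# it only forwards.  This is the INPUT/OUTPUT drop from Lennert's reply.
local_rules() {
    printf '%s\n' \
      "iptables -A INPUT -j DROP" \
      "iptables -A OUTPUT -j DROP"
}

# Run on the squid box: pass the output of `ip route get $SNAT_IP`.
# Returns 0 when the reply would leave via a gateway (and so traverse the
# bridge), 1 when the kernel treats the address as directly connected, in
# which case the reply never reaches the firewall and the client sees RSTs.
reply_path_ok() {
    case "$1" in
        *" via "*) return 0 ;;
        *)         return 1 ;;
    esac
}

print_all_rules() {
    proxy_rules
    local_rules
}
```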
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge