--On Saturday, November 23, 2002 09:23:39 AM -0800 [EMAIL PROTECTED] wrote:
> Since I am very new to iptables and shorewall in general, I need some help implementing transparent remote http proxy with iptables. I found the following document which describes what I need to do with iptables to get this running, but how do I integrate this into shorewall gracefully? My experience is with ipchains and a single shell script rule set.
>
> My setup is:
> Running Bering 1.0-Stable
> Compaq 486 laptop
> 16MB compact flash via hda1
> eth0 - external Internet interface for DSL & PPPoE
> wlan0 - wireless internal LAN (masq->10.10.10.0/24)
>
> Background: Ultimately, this setup will be used to provide wireless Internet access. The patrons will be transparently redirected to a website (via squid redirect) to either sign-up or login before they can transfer any data other than to the squid proxy server which will always keep them on the login web server. Once they login, the iptables redirect rule will be removed for their IP/MAC to allow them to surf and have fun.
>
> http://www.linuxvoodoo.com/howto/HOWTO/TransparentProxy/TransparentProxy-6.htm

Remote Proxying as described in that howto works badly in my opinion because of the requirement to use SNAT. This makes your firewall's IP address the source for all access to the Proxy. Here's an example from a Squid access log:
1038073816.173 863 192.168.2.1 TCP_MISS/200 31745 GET http://www.microsoft.com/ - DIRECT/207.46.249.27 text/html
1038073816.281 106 192.168.2.1 TCP_MISS/200 1265 GET http://www.microsoft.com/library/include/ctredir.js - DIRECT/207.46.249.27 application/x-javascript
1038073816.318 728 192.168.2.1 TCP_MISS/404 2944 GET http://www.microsoft.com/favicon.ico - DIRECT/207.46.230.218 text/html
1038073816.591 180 192.168.2.1 TCP_MISS/200 3137 GET http://www.microsoft.com/homepage/gif/bnr-microsoft.gif - DIRECT/207.46.249.27 image/gif
1038073816.603 175 192.168.2.1 TCP_MISS/200 546 GET http://www.microsoft.com/library/toolbar/images/curve.gif - DIRECT/207.46.134.190 image/gif
1038073816.660 67 192.168.2.1 TCP_MISS/200 450 GET http://www.microsoft.com/homepage/gif/1ptrans.gif - DIRECT/207.46.249.27 image/gif
1038073816.803 142 192.168.2.1 TCP_MISS/200 456 GET http://www.microsoft.com/homepage/gif/bulletK.gif - DIRECT/207.46.249.27 image/gif
1038073817.383 780 192.168.2.1 TCP_MISS/200 29571 GET http://www.microsoft.com/library/homepage/images/ts_021024msn8.jpg - DIRECT/207.46.134.190 image/jpeg
The browser was actually running on 192.168.1.3 but as you can see from the Squid Log, the source address it saw was 192.168.2.1 (the IP address of the firewall interface closest to the Proxy Server).
If that doesn't bother you, the proper Shorewall rule is:
DNAT z1 z2:<proxy ip>:3128 tcp 80 - \
<firewall ip closest to browsers>:<firewall ip closest to proxy>
There is a different way to do this based on policy routing; that technique is described in the Linux Advanced Routing and Traffic Control Howto -- there's a link from the "Useful Links" page on the Shorewall web site.
To use that technique with Shorewall, you must enable traffic control (TC_ENABLED=Yes in shorewall.conf) and add an entry in /etc/shorewall/tcrules to mark the traffic that you want to redirect to the proxy.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ [EMAIL PROTECTED]
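The attribution loss Tom points out is easy to check for in a Squid access log. The script below is an added example, not code from the thread or from the Shorewall project: it parses Squid's native access.log layout (the same as the lines quoted above) and reports how many requests are attributed to a firewall address rather than to a real browser host, which is what SNAT in front of a remote proxy causes. The firewall address 192.168.2.1 and the three embedded log lines are constructed for the example.

```python
import re
from collections import Counter

# Squid native access.log: time elapsed client code/status bytes method URL rfc931 peer/host type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse_squid_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = SQUID_NATIVE.match(line.strip())
    return m.groupdict() if m else None

def client_breakdown(lines):
    """Count requests per client address exactly as Squid recorded them."""
    counts = Counter()
    for line in lines:
        rec = parse_squid_line(line)
        if rec:
            counts[rec["client"]] += 1
    return counts

def snat_masked_requests(lines, firewall_addrs):
    """Requests whose 'client' is really the firewall: they cannot be tied to a
    browser host, so per-client accountability (and any per-IP login scheme
    like the hotspot described in the question) is lost behind SNAT."""
    counts = client_breakdown(lines)
    masked = {ip: n for ip, n in counts.items() if ip in firewall_addrs}
    return masked, sum(counts.values())

# Constructed sample: two entries in the shape quoted above plus one from a
# client that reached the proxy directly, so the masked share is below 100%.
SAMPLE_LOG = """\
1038073816.173 863 192.168.2.1 TCP_MISS/200 31745 GET http://www.microsoft.com/ - DIRECT/207.46.249.27 text/html
1038073816.281 106 192.168.2.1 TCP_MISS/200 1265 GET http://www.microsoft.com/library/include/ctredir.js - DIRECT/207.46.249.27 application/x-javascript
1038073900.001 50 192.168.2.7 TCP_HIT/200 512 GET http://example.org/ - NONE/- text/html
""".splitlines()

FIREWALL_ADDRS = {"192.168.2.1"}  # assumption: the firewall interface closest to the proxy

if __name__ == "__main__":
    masked, total = snat_masked_requests(SAMPLE_LOG, FIREWALL_ADDRS)
    for ip, n in masked.items():
        print(f"{n}/{total} requests appear to come from firewall {ip}: real client unknown")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; a masked count equal to the total means every client has collapsed into the firewall's address.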
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
