Re: [Fwbuilder-discussion] Fwbuilder, NAT, transparent proxy : what's wrong ?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi , Vadim

thank you for the advice. This pushed me on an other way and I found 
that Fwbuilder wasn't responsible for all this.(I learned a lot last 
week...)

As some persons on the list shown interest in the answer, I summarize:

-Iptables does the NAT perfectly in that case.
-the browser (mozilla) changes the URL sent , depending on the proxy 
configuration you choose.

1)If you use a proxy, it sends ( for example):

GET http://www.google.fr
host: www.google.fr

2)If you use a direct connexion to the internet, the browser sends:

GET /
host:www.google.fr

This was confusing my transparent proxy (transproxy) . I'm still working 
on this.

By the way, if I use only squid (with the transparent mode enabled), 
this works perfectly (see below) provided ACL as correct :

Client(mozilla+direct connection to internet) ==> firewall (fwbuilder 
+DNAT on http) ==> cache (squid) ==> internet.

I'll try to have this working with transproxy +privoxy + squid

PA Angelini
Ifsic.University of Rennes 1.

Vadim Kurland wrote:
> 
> the rule seems to be correct. The iptables firewall does not make any 
> changes to the packet payload, so the URL your browser tried to access 
> could not have been changed. You can make sure this is so by running 
> tcpdump on the proxy machine with flags "-s1500 -wlog" and then 
> inspecting packets it collects in the file "log" (use "strings log"). 
> You should see the URL your borwser sends to the server via proxy.
> 
> It is hard to say why your proxy makes this record in the log, are you 
> sure it is configured properly to run in the transparent proxy mode ? 
> For example, squid needs to be configured in a certain way: 
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html
> 
> --vk
> 
> 
> 
> On Thursday, January 23, 2003, at 06:48  AM, Pierre-Antoine Angelini wrote:
> 
>> case 2:
>>
>> I select "direct internet connexion" in mozilla preferences and let my 
>> firewall through a DNAT rule set the path to ProxyServer
>>
>> rule is:
>>
>> -- [root@erebus root]# iptables -t nat -L -n
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> ntmp000    tcp  --  148.60.10.9          0.0.0.0/0          multiport 
>> dports 80,81,8080,8083,443,8000
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain ntmp000 (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            148.60.0.0/20
>> DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          multiport 
>> dports 80,81,8080,8083,443,8000 to:148.60.8.4:8081
>>
>> This doesn't work.
>>
>> Transproxy receive right URL, but with wrong port.
>>
>> Log shows " Request_NoDNS http://www.google.com:8081" <= obviously 
>> tproxy listening port.
>>
>> I'm stuck, i don't understand why firewall sends such requests.
>>
> 

-- 
PAA
PA Angelini (PAA)
Administrateur Reseau IFSIC (ang...@ir...)
Tel : 02 99 84 71 00