Re: [Fwbuilder-discussion] Fwbuilder, NAT, transparent proxy : what's wrong ?
From: Pierre-Antoine A. <ang...@if...> - 2003-01-28 16:15:44
Hi, Vadim, thank you for the advice. This pushed me another way and I found that Fwbuilder wasn't responsible for all this. (I learned a lot last week...)

As some persons on the list showed interest in the answer, I summarize:

- Iptables does the NAT perfectly in that case.
- The browser (mozilla) changes the URL sent, depending on the proxy configuration you choose.

1) If you use a proxy, it sends (for example):

GET http://www.google.fr
host: www.google.fr

2) If you use a direct connection to the internet, the browser sends:

GET /
host: www.google.fr

This was confusing my transparent proxy (transproxy). I'm still working on this.

By the way, if I use only squid (with the transparent mode enabled), this works perfectly (see below) provided the ACLs are correct:

Client (mozilla + direct connection to internet) ==> firewall (fwbuilder + DNAT on http) ==> cache (squid) ==> internet.

I'll try to have this working with transproxy + privoxy + squid.

PA Angelini
Ifsic. University of Rennes 1.

Vadim Kurland wrote:

> the rule seems to be correct. The iptables firewall does not make any
> changes to the packet payload, so the URL your browser tried to access
> could not have been changed. You can make sure this is so by running
> tcpdump on the proxy machine with flags "-s1500 -wlog" and then
> inspecting packets it collects in the file "log" (use "strings log").
> You should see the URL your browser sends to the server via proxy.
>
> It is hard to say why your proxy makes this record in the log, are you
> sure it is configured properly to run in the transparent proxy mode ?
> For example, squid needs to be configured in a certain way:
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html
>
> --vk
>
> On Thursday, January 23, 2003, at 06:48 AM, Pierre-Antoine Angelini wrote:
>
>> case 2:
>>
>> I select "direct internet connection" in mozilla preferences and let my
>> firewall through a DNAT rule set the path to ProxyServer
>>
>> rule is:
>>
>> --
>> [root@erebus root]# iptables -t nat -L -n
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> ntmp000    tcp  --  148.60.10.9          0.0.0.0/0            multiport dports 80,81,8080,8083,443,8000
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain ntmp000 (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            148.60.0.0/20
>> DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,81,8080,8083,443,8000 to:148.60.8.4:8081
>>
>> This doesn't work.
>>
>> Transproxy receives the right URL, but with the wrong port.
>>
>> Log shows "Request_NoDNS http://www.google.com:8081" <= obviously
>> tproxy listening port.
>>
>> I'm stuck, I don't understand why the firewall sends such requests.
>>

-- 
PAA
PA Angelini (PAA)
Network Administrator IFSIC (ang...@ir...)
Tel : 02 99 84 71 00
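The two request shapes the post describes (absolute URI when Mozilla is configured for a proxy, bare path plus Host header on a direct connection) are exactly what a transparent proxy has to cope with after a DNAT rule like the one above delivers the connection to its own port. The following is an added example, not code from the thread or from transproxy, squid or fwbuilder: it parses a constructed request head in each form and rebuilds the origin URL from the Host header, and beside it shows a naive reconstruction that takes the port from the accepting socket, which reproduces the "http://www.google.com:8081" symptom the log showed. Function names (`parse_request_head`, `origin_url`, `naive_url`) and the sample requests are my own assumptions.

```python
"""Reconstructing the origin URL in a transparent HTTP proxy (added example)."""
from urllib.parse import urlsplit

# Constructed sample request heads, as the thread describes Mozilla sending them
# (CRLF line endings as on the wire). Not captured traffic.
PROXY_STYLE = (
    b"GET http://www.google.fr/ HTTP/1.0\r\n"      # browser configured for a proxy
    b"Host: www.google.fr\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n\r\n"
)
DIRECT_STYLE = (
    b"GET / HTTP/1.0\r\n"                           # direct connection, DNATed to proxy
    b"Host: www.google.fr\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n\r\n"
)
NO_HOST = b"GET / HTTP/1.0\r\n\r\n"                 # HTTP/1.0 client without Host


def parse_request_head(raw: bytes) -> dict:
    """Split an HTTP/1.x request head into request line and lower-cased headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def naive_url(req: dict, local_port: int) -> str:
    """Rebuild the URL from the Host *name* plus the port of the accepting socket.

    After DNAT the accepting socket is the proxy's own listener (8081 in the
    thread), so the result names the proxy port instead of the origin port.
    This is one way to obtain the "http://www.google.com:8081" log entry; it is
    shown as the defective variant, not as what any particular proxy does.
    """
    host = req["headers"]["host"].split(":")[0]
    target = req["target"]
    path = target if target.startswith("/") else (urlsplit(target).path or "/")
    return f"http://{host}:{local_port}{path}"


def origin_url(req: dict) -> str:
    """Rebuild the URL the client actually asked for, never consulting the socket.

    Absolute-URI form is returned as-is. Origin-form (path only) takes its
    authority from the Host header, which carries the client's intended port
    if one was given and otherwise implies the HTTP default (80).
    """
    target = req["target"]
    if target.startswith(("http://", "https://")):
        return target
    if not target.startswith("/"):
        raise ValueError(f"unsupported request target: {target!r}")
    host = req["headers"].get("host")
    if not host:
        # HTTP/1.0 clients may omit Host; a transparent proxy then has no
        # reliable origin and should refuse rather than guess from the socket.
        raise ValueError("origin-form request without Host header")
    return f"http://{host}{target}"


if __name__ == "__main__":
    for label, raw in (("proxy-style", PROXY_STYLE), ("direct", DIRECT_STYLE)):
        req = parse_request_head(raw)
        print(f"{label:12} naive: {naive_url(req, 8081):32} correct: {origin_url(req)}")
```

Both request forms resolve to the same origin URL once the Host header is used, while the socket-port variant produces the `:8081` URL for the direct-connection case; the DNAT rule is doing its job, the proxy's reconstruction is what matters.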