Solved

transparent proxying

Posted on 1998-06-10
Last Modified: 2013-12-15
I want to set up transparent proxying.  I assume ipfwadm is the easiest way to do this?

Do I need any specific options enabled in the kernel?  Do I have to use a developmental kernel?  At present I use 2.0.34.

basically all outgoing requests on port 80 I want redirected to LOCAL port 8080
Question by:Q010797
19 Comments
 
LVL 1

Author Comment

by:Q010797
ID: 1627702
ipfwadm -I -i deny -P tcp -S 203.103.236.0/24 -D 0.0.0.0/0 80 -r 8080

is the command I am currently using . .

ipfwadm: setsockopt failed: Invalid argument

is the response I am currently getting :)

Andrew
q@qonline.com.au
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627703
Port redirection only accepts the "accept" policy, not deny. That's the error you are getting. And if you want to redirect all your web traffic through your proxy server, you can't do it that easily: remember a proxy accepts only proxy requests, not http requests. If this is the case, you should redirect port 80 to, say, 81, where a simple proxy script (which I can send you, don't remember where I found it) will mask direct requests to proxy ones...

Good Luck,


-- Marcelo
0
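The difference between a direct request and a proxy request mentioned in the comment above, as an added example (it is not the script referred to in this thread and not code from any poster). It rewrites the request line a redirected browser sends into the absolute-URI form a forward proxy expects, and rejects ambiguous or malformed `Host` values rather than forwarding them; `to_proxy_request`, `fallback_host` and the sample request are hypothetical names and constructed data.

```python
import re
from typing import Optional

# Constructed sample: what a browser sends when it believes it is talking
# directly to the web server (origin-form request line).
SAMPLE = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

HOST_RE = re.compile(rb"[A-Za-z0-9.-]+(:[0-9]{1,5})?")


class RewriteError(ValueError):
    """Request cannot be safely converted to proxy form."""


def to_proxy_request(raw: bytes, fallback_host: Optional[str] = None) -> bytes:
    """Turn 'GET /path' into 'GET http://host/path' for a forward proxy.

    fallback_host (hypothetical parameter) is used when the client sent no
    Host header, e.g. the original destination address of the connection.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RewriteError("incomplete header block")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise RewriteError("malformed request line")
    method, target, version = parts
    if target.lower().startswith(b"http://"):
        return raw  # already in proxy (absolute-URI) form
    if not target.startswith(b"/"):
        raise RewriteError("unsupported request target")
    hosts = [v.strip() for n, c, v in (l.partition(b":") for l in lines[1:])
             if c and n.strip().lower() == b"host"]
    if len(hosts) > 1:
        raise RewriteError("duplicate Host header")  # ambiguous destination
    host = hosts[0] if hosts else (fallback_host or "").encode("ascii")
    if not HOST_RE.fullmatch(host):
        raise RewriteError("missing or malformed host")
    lines[0] = method + b" http://" + host + target + b" " + version
    return b"\r\n".join(lines) + sep + body
```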
 
LVL 1

Author Comment

by:Q010797
ID: 1627704
Actually it doesn't matter what I make it . .

-i accept
-a accept

etc...

they ALL give me the same error.
but I will take you up on that script offer :)

can you email it to me via q@qonline.com.au

Thank You
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627705
I use a little different configuration, which is actually running, using 2.0.34 and ipfwadm 2.3.0:

ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

And if you have a web server on the same machine:

ipfwadm -I -P tcp -i acc -D internal_ip_addr/32 80

Anyway, I was able to reproduce your error: with kernels above 2.1.102 which don't support ipfwadm any more (there is something better called IP chains). Some early development kernels had firewalling broken also.

I'm sending you my scripts...

Good Luck,

-- Marcelo
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627706
Have you had any luck? Did you receive my mail?

-- Marcelo
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627707
Sorry have been REALLY busy . . How do I make the binary run on port 81? do I . . I'm not sure exactly what I should be doing..

here's some info in case you need it.

slackware 3.4 (soon to be 3.5, having some troubles)
squid-1.1.20
there IS a web server on the same PC
it is the gateway for the network
also has a number of ipfwadm rules running on it

one which denies port 80 requests already.. so most people are using proxy requests via port 8080 already...  but to save me the trouble in future I'd rather NEVER have to tell people they have to set up the proxy.
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627708
actually . .when I send the command :

ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

I get the error again :
ipfwadm: setsockopt failed: Invalid argument

ideas?
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627709
oops. . I did change internal_ip_addr to the IP address :)

and I just checked my ipfwadm version. . 2.3.0
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627710
To track the problem, please run the command with strace (I don't know if it is standard with slackware...). The command is:

strace -o /tmp/trace.log -r ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

and mail me /tmp/trace.log

-- Marcelo
0
 

Expert Comment

by:rasp
ID: 1627711
I am pretty sure there is some kind of transparent proxy option in the 2.0.34 kernel.
0
 

Expert Comment

by:medvitz
ID: 1627712
First, make sure that both firewall support and transparent proxy support are compiled into the kernel.  Check this through 'make menuconfig'  under networking options.

After installing a kernel with this support, the command you've described (with allow instead of deny) should work.  
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627713
I still get the same error
0
 

Expert Comment

by:medvitz
ID: 1627714
The valid command is:

ipfwadm -I -a accept -P tcp -r 81 -S 203.103.236.0/24 -D 0.0.0.0/0 80
0
 
LVL 1

Expert Comment

by:ernaniaz
ID: 1627715
I'm using the command:
ipfwadm -I -a accept -r 8080 -P tcp -S 172.28.3.71 -D 0/0 80
and the ipfwadm version is 2.3.0.
It's working fine for me, with kernel 2.0.33 and 2.0.34 (I haven't used it with 2.0.35 yet).
You must set these kernel options to compile fine with transparent proxy support:
At Code maturity level options:
- Prompt for development and/or incomplete code/drivers
  This is important, if you don't set this, the transparent proxy option will not be able to be set at networking options.
At the networking options set:
- Network firewalls
- TCP/IP Networking
- IP: Firewalling
- IP: transparent proxy support (EXPERIMENTAL)
0
 
LVL 1

Expert Comment

by:ernaniaz
ID: 1627716
I've been searching in my bookmarks, and found the official ipfwadm site, with an extensive how-to. There's a note on the use of transparent proxy. The transparent proxy DOESN'T work in kernel 2.0.30 and 2.1.x (this is not the case, only to advise). You can get more info about how to use ipfwadm with tp at: http://www.xos.nl/linux/ipfwadm/paper/ section Transparent Proxying.
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627717
am working on this problem over the next few days to see what I come up with... will post a new comment tomorrow or the day after and let you know how I get on

thanks one and all :)
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627718
All seems to be working thanks to a script and help given by Marcelofr
0
 
LVL 3

Accepted Solution

by:
marcelofr earned 50 total points
ID: 1627719
Good for you...
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627720
Thanks again!  About time I got it working :)
0

Question has a verified solution.
