Solved

transparent proxying

Posted on 1998-06-10
Last Modified: 2013-12-15
I want to set up transparent proxying.  I assume ipfwadm is the easiest way to do this?

Do I need any specific options enabled in the kernel?  Do I have to use a developmental kernel?  At present I use 2.0.34.

Basically, all outgoing requests on port 80 I want redirected to LOCAL port 8080.
0
Question by:Q010797
19 Comments
 
LVL 1

Author Comment

by:Q010797
ID: 1627702
ipfwadm -I -i deny -P tcp -S 203.103.236.0/24 -D 0.0.0.0/0 80 -r 8080

is the command I am currently using . .

ipfwadm: setsockopt failed: Invalid argument

is the response I am currently getting :)

Andrew
q@qonline.com.au
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627703
Port redirection only accepts the "accept" policy, not deny. That's the error you are getting. And if you want to redirect all your web traffic through your proxy server, you can't do it that easily: remember a proxy accepts only proxy requests, not http requests. If this is the case, you should redirect port 80 to, say, 81, where a simple proxy script (which I can send you, don't remember where I found it) will mask direct requests to proxy ones...

Good Luck,


-- Marcelo
0
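The request rewriting described in the comment above (turning a direct request into a proxy request), as an added example that is not part of the original thread and is not marcelofr's script. The function, class and parameter names are hypothetical, and `orig_dst` is assumed to be supplied by the caller.

```python
# Added illustration, not marcelofr's script. All names here are hypothetical.
import re
from typing import Optional

# Host value: hostname or dotted IP, optional port. Nothing else is accepted,
# so a client-supplied Host cannot carry spaces, slashes or '@' into the URL.
HOST_RE = re.compile(rb"[A-Za-z0-9.-]+(:\d{1,5})?")


class BadRequest(ValueError):
    """Raised when the request head cannot be rewritten safely."""


def to_proxy_request(raw: bytes, orig_dst: Optional[str] = None) -> bytes:
    """Rewrite a direct request ("GET /path") into proxy form ("GET http://host/path").

    orig_dst is the destination the client originally connected to, supplied by
    the caller (assumption); it is used only when there is no Host header.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, version = parts
    if target.lower().startswith(b"http://"):
        return raw  # already a proxy request, pass through unchanged
    if not target.startswith(b"/"):
        raise BadRequest("unsupported request target")

    hosts = [v.strip() for n, _, v in (l.partition(b":") for l in lines[1:])
             if n.strip().lower() == b"host"]
    if len(hosts) > 1:
        raise BadRequest("duplicate Host header")
    host = hosts[0] if hosts else (orig_dst or "").encode()
    if not HOST_RE.fullmatch(host):
        raise BadRequest("missing or invalid destination host")

    lines[0] = method + b" http://" + host + target + b" " + version
    return b"\r\n".join(lines) + sep + body


# Constructed sample: what a browser with no proxy configured sends.
DIRECT = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
```

Requests without a Host header and without a known original destination are rejected rather than guessed, since the rewritten URL decides where the proxy connects.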
 
LVL 1

Author Comment

by:Q010797
ID: 1627704
Actually it doesn't matter what I make it . .

-i accept
-a accept

etc...

They ALL give me the same error.
But I will take you up on that script offer :)

Can you email it to me via q@qonline.com.au?

Thank You
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627705
I use a little different configuration, which is actually running, using 2.0.34 and ipfwadm 2.3.0:

ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

And if you have a web server on the same machine:

ipfwadm -I -P tcp -i acc -D internal_ip_addr/32 80

Anyway, I was able to reproduce your error: with kernels above 2.1.102 which don't support ipfwadm any more (there is something better called IP chains). Some early development kernels had firewalling broken also.

I'm sending you my scripts...

Good Luck,

-- Marcelo
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627706
Have you had any luck? Did you receive my mail?

-- Marcelo
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627707
Sorry, have been REALLY busy... How do I make the binary run on port 81? Do I... I'm not sure exactly what I should be doing..

Here's some info in case you need it.

slackware 3.4 (soon to be 3.5, having some troubles)
squid-1.1.20
there IS a web server on the same PC
it is the gateway for the network
also has a number of ipfwadm rules running on it

One which denies port 80 requests already.. so most people are using proxy requests via port 8080 already...  but to save me the trouble in future I'd rather NEVER have to tell people they have to set up the proxy.
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627708
Actually... when I send the command:

ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

I get the error again:
ipfwadm: setsockopt failed: Invalid argument

Ideas?
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627709
Oops... I did change internal_ip_addr to the IP address :)

And I just checked my ipfwadm version... 2.3.0
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627710
To track the problem, please run the command with strace (I don't know if it is standard with Slackware...). The command is

strace -o /tmp/trace.log -r ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

and mail me /tmp/trace.log

-- Marcelo
0

 

Expert Comment

by:rasp
ID: 1627711
I am pretty sure there is some kind of transparent proxy option in the 2.0.34 kernel.
0
 

Expert Comment

by:medvitz
ID: 1627712
First, make sure that both firewall support and transparent proxy support are compiled into the kernel.  Check this through 'make menuconfig' under networking options.

After installing a kernel with this support, the command you've described (with allow instead of deny) should work.  
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627713
I still get the same error
0
 

Expert Comment

by:medvitz
ID: 1627714
The valid command is:

ipfwadm -I -a accept -P tcp -r 81 -S 203.103.236.0/24 -D 0.0.0.0/0 80
0
 
LVL 1

Expert Comment

by:ernaniaz
ID: 1627715
I'm using the command:
ipfwadm -I -a accept -r 8080 -P tcp -S 172.28.3.71 -D 0/0 80
and the ipfwadm version is 2.3.0.
It's working fine for me, with kernel 2.0.33 and 2.0.34 (I haven't used it with 2.0.35 yet).
You must set these kernel options to compile fine with transparent proxy support:
At Code maturity level options:
- Prompt for development and/or incomplete code/drivers
  This is important, if you don't set this, the transparent proxy option will not be able to be set at networking options.
At the networking options set:
- Network firewalls
- TCP/IP Networking
- IP: Firewalling
- IP: transparent proxy support (EXPERIMENTAL)
0
 
LVL 1

Expert Comment

by:ernaniaz
ID: 1627716
I've been searching in my bookmarks, and found the official ipfwadm site, with an extensive how-to. There's a note on the use of transparent proxy. The transparent proxy DOESN'T work in kernel 2.0.30 and 2.1.x (this is not the case, only to advise). You can get more info about how to use ipfwadm with tp at: http://www.xos.nl/linux/ipfwadm/paper/ section Transparent Proxying.
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627717
Am working on this problem over the next few days to see what I come up with... will post a new comment tomorrow or the day after and let you know how I get on.

thanks one and all :)
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627718
All seems to be working thanks to a script and help given by Marcelofr
0
 
LVL 3

Accepted Solution

by:
marcelofr earned 50 total points
ID: 1627719
Good for you...
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627720
Thanks again!  About time I got it working :)
0
