
transparent proxying

I want to set up transparent proxying. I assume ipfwadm is the easiest way to do this?

Do I need any specific options enabled in the kernel? Do I have to use a developmental kernel? At present I use 2.0.34.

Basically, all outgoing requests on port 80 I want redirected to LOCAL port 8080.
1 Solution
 
Q010797Author Commented:
ipfwadm -I -i deny -P tcp -S 203.103.236.0/24 -D 0.0.0.0/0 80 -r 8080

is the command I am currently using . .

ipfwadm: setsockopt failed: Invalid argument

is the response I am currently getting :)

Andrew
q@qonline.com.au
 
marcelofrCommented:
Port redirection only accepts the "accept" policy, not deny. That's the error you are getting. And if you want to redirect all your web traffic through your proxy server, you can't do it that easily: remember a proxy accepts only proxy requests, not HTTP requests. If this is the case, you should redirect port 80 to, say, 81, where a simple proxy script (which I can send you, don't remember where I found it) will mask direct requests to proxy ones...

Good Luck,


-- Marcelo
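Marcelo's point that a proxy expects proxy-style requests rather than plain HTTP requests is the crux of the setup. The following is an added example, not Marcelo's script (which the thread never shows): a POSIX sh/awk function doing the rewriting that such a script on the redirected port would have to do before handing the request to the proxy. The function name to_proxy_request, the fallback-host argument and the sample request with www.example.com are my own assumptions and constructed input.

```shell
#!/bin/sh
# Added example, not from the thread. A browser talking directly to a web
# server sends the origin form
#     GET /index.html HTTP/1.0
#     Host: www.example.com
# while a proxy expects the absolute form
#     GET http://www.example.com/index.html HTTP/1.0
# to_proxy_request reads one request (headers only) on stdin and writes the
# proxy form on stdout. Argument 1 is a fallback host for HTTP/1.0 clients
# that send no Host header; in a transparent setup the caller would have to
# supply the original destination address there. Returns 1 if no host can be
# determined, so nothing ambiguous is ever forwarded.
to_proxy_request() {
    fallback="${1:-}"
    awk -v fb="$fallback" '
        { sub(/\r$/, "") }                      # tolerate CRLF input
        NR == 1 { reqline = $0; next }          # METHOD TARGET VERSION
        /^$/ { done = 1 }                       # blank line ends the headers
        !done {
            hdr[++n] = $0
            if (tolower($0) ~ /^host:/) {
                host = $0
                sub(/^[^:]*:[ \t]*/, "", host)  # keep "name" or "name:port"
            }
        }
        END {
            if (reqline == "") { print "empty request" > "/dev/stderr"; exit 1 }
            if (host == "") host = fb
            split(reqline, req, " ")
            target = req[2]
            # Already absolute: the client was configured for a proxy, leave it.
            if (target !~ /^http:\/\//) {
                if (host == "") {
                    print "no Host header and no fallback host" > "/dev/stderr"
                    exit 1
                }
                target = "http://" host target
            }
            printf "%s %s %s\r\n", req[1], target, req[3]
            for (i = 1; i <= n; i++) printf "%s\r\n", hdr[i]
            printf "\r\n"
        }'
}

# Stand-alone demonstration on a constructed sample request.
sample='GET /index.html HTTP/1.0
Host: www.example.com
User-Agent: constructed-sample/1.0
'
printf '%s\n' "$sample" | to_proxy_request
```

The function only rewrites the request line; request bodies are out of scope for a GET-only illustration. Refusing to forward when neither a Host header nor a fallback is available is deliberate: guessing a destination would let the proxy fetch something the client never asked for.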
 
Q010797Author Commented:
Actually it doesn't matter what I make it . .

-i accept
-a accept

etc...

they ALL give me the same error.
but I will take you up on that script offer :)

can you email it to me via q@qonline.com.au

Thank You
 
marcelofrCommented:
I use a little different configuration, which is actually running, using 2.0.34 and ipfwadm 2.3.0:

ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

And if you have a web server on the same machine:

ipfwadm -I -P tcp -i acc -D internal_ip_addr/32 80

Anyway, I was able to reproduce your error with kernels above 2.1.102, which don't support ipfwadm any more (there is something better called IP chains). Some early development kernels had firewalling broken also.

I'm sending you my scripts...

Good Luck,

-- Marcelo
 
marcelofrCommented:
Have you had any luck? Did you receive my mail?

-- Marcelo
 
Q010797Author Commented:
Sorry, have been REALLY busy . . How do I make the binary run on port 81? Do I . . I'm not sure exactly what I should be doing..

Here's some info in case you need it.

slackware 3.4 (soon to be 3.5, having some troubles)
squid-1.1.20
there IS a web server on the same PC
it is the gateway for the network
also has a number of ipfwadm rules running on it

one which denies port 80 requests already.. so most people are using proxy requests via port 8080 already... but to save me the trouble in future I'd rather NEVER have to tell people they have to set up the proxy.
 
Q010797Author Commented:
actually . .when I send the command :

ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

I get the error again :
ipfwadm: setsockopt failed: Invalid argument

ideas?
 
Q010797Author Commented:
oops. . I did change internal_ip_addr to the IP address :)

and I just checked my ipfwadm version. . 2.3.0
 
marcelofrCommented:
To track the problem, please run the command with strace (I don't know if it is standard with Slackware...). The command is

strace -o /tmp/trace.log -r ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

and mail me /tmp/trace.log

-- Marcelo
 
raspCommented:
I am pretty sure there is some kind of transparent proxy option in the 2.0.34 kernel.
 
medvitzCommented:
First, make sure that both firewall support and transparent proxy support are compiled into the kernel. Check this through 'make menuconfig' under networking options.

After installing a kernel with this support, the command you've described (with allow instead of deny) should work.  
 
Q010797Author Commented:
I still get the same error
 
medvitzCommented:
The valid command is:

ipfwadm -I -a accept -P tcp -r 81 -S 203.103.236.0/24 -D 0.0.0.0/0 80
 
ernaniazCommented:
I'm using the command:
ipfwadm -I -a accept -r 8080 -P tcp -S 172.28.3.71 -D 0/0 80
and the ipfwadm version is 2.3.0.
It's working fine for me, with kernel 2.0.33 and 2.0.34 (I haven't used it with 2.0.35 yet).
You must set these kernel options to compile fine with transparent proxy support:
At Code maturity level options:
- Prompt for development and/or incomplete code/drivers
  This is important, if you don't set this, the transparent proxy option will not be able to be set at networking options.
At the networking options set:
- Network firewalls
- TCP/IP Networking
- IP: Firewalling
- IP: transparent proxy support (EXPERIMENTAL)
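Both medvitz and ernaniaz point at the same root cause: the "Invalid argument" from setsockopt is what ipfwadm returns when the running kernel was built without the firewalling and transparent-proxy options. The following is an added example, not from the thread, that checks a kernel .config for those options before a rebuild. The CONFIG_* symbol names are my assumption of the 2.0-era names matching ernaniaz's menu entries; confirm them against net/Config.in and net/ipv4/Config.in in your own tree. The function name check_tp_kernel_config and the sample .config contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a kernel .config for the options
# ernaniaz lists. ASSUMED symbol names (verify against your Config.in files):
#   CONFIG_EXPERIMENTAL          Prompt for development and/or incomplete code/drivers
#   CONFIG_FIREWALL              Network firewalls
#   CONFIG_INET                  TCP/IP networking
#   CONFIG_IP_FIREWALL           IP: Firewalling
#   CONFIG_IP_TRANSPARENT_PROXY  IP: transparent proxy support (EXPERIMENTAL)

# Usage: check_tp_kernel_config /usr/src/linux/.config
# Prints "ok: ..." and returns 0 when every option is set; otherwise prints
# "missing: <names>" and returns 1.
check_tp_kernel_config() {
    config="$1"
    missing=""
    for opt in CONFIG_EXPERIMENTAL \
               CONFIG_FIREWALL \
               CONFIG_INET \
               CONFIG_IP_FIREWALL \
               CONFIG_IP_TRANSPARENT_PROXY; do
        # A set option appears as "CONFIG_FOO=y"; an unset one survives as a
        # "# CONFIG_FOO is not set" comment, so anchor on the exact "=y" form
        # rather than a plain substring match.
        if ! grep -q "^$opt=y" "$config" 2>/dev/null; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok: firewalling and transparent proxy support are configured"
    return 0
}

# Stand-alone run: check the .config given on the command line, if any.
if [ -n "${1:-}" ]; then
    check_tp_kernel_config "$1"
fi
```

Run it against the .config of the tree you are about to build, not against a copy from an older kernel; ernaniaz's note that the transparent-proxy entry is hidden until CONFIG_EXPERIMENTAL is set is exactly the kind of dependency this catches before a long compile.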
 
ernaniazCommented:
I've been searching in my bookmarks, and found the official ipfwadm site, with an extensive how-to. There's a note on the use of transparent proxy. The transparent proxy DOESN'T work in kernel 2.0.30 and 2.1.x (this is not the case, only to advise). You can get more info about how to use ipfwadm with tp at: http://www.xos.nl/linux/ipfwadm/paper/ section Transparent Proxying.
 
Q010797Author Commented:
I am working on this problem over the next few days to see what I come up with... will post a new comment tomorrow or the day after and let you know how I get on

thanks one and all :)
 
Q010797Author Commented:
All seems to be working thanks to a script and help given by Marcelofr
 
marcelofrCommented:
Good for you...
 
Q010797Author Commented:
Thanks again!  About time I got it working :)