Solved

transparent proxying

Posted on 1998-06-10
Last Modified: 2013-12-15
I want to set up transparent proxying.  I assume ipfwadm is the easiest way to do this?

Do I need any specific options enabled in the kernel?  Do I have to use a developmental kernel?  At present I use 2.0.34.

Basically, all outgoing requests on port 80 I want redirected to LOCAL port 8080.
Question by:Q010797
19 Comments
 
LVL 1

Author Comment

by:Q010797
ID: 1627702
ipfwadm -I -i deny -P tcp -S 203.103.236.0/24 -D 0.0.0.0/0 80 -r 8080

is the command I am currently using . .

ipfwadm: setsockopt failed: Invalid argument

is the response I am currently getting :)

Andrew
q@qonline.com.au
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627703
Port redirection only accepts the "accept" policy, not deny. That's the error you are getting. And if you want to redirect all your web traffic through your proxy server, you can't do it that easily: remember a proxy accepts only proxy requests, not http requests. If this is the case, you should redirect port 80 to, say, 81, where a simple proxy script (which I can send you, don't remember where I found it) will mask direct requests to proxy ones...

Good Luck,


-- Marcelo
0
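
The distinction drawn in the comment above, as an added example (this is not the script the post mentions, which does not appear on this page): a redirected browser sends an origin-form request line, while a proxy that accepts only proxy requests expects an absolute URI, so a shim has to rebuild the URI from the Host header. The function name `to_proxy_request` and the sample hostname are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rewrite a redirected origin-form HTTP request into the
# absolute-URI form a forward proxy expects. to_proxy_request is a
# hypothetical name; the sample request below is constructed.

to_proxy_request() {
    # Reads one request (request line, headers, blank line) on stdin and
    # writes the rewritten request on stdout. Returns non-zero when the
    # destination cannot be determined safely.
    tr -d '\r' | awk '
        NR == 1 { method = $1; target = $2; version = $3; next }
        !done && tolower($0) ~ /^host:/ {
            host = $0
            sub(/^[^:]*:[ \t]*/, "", host)
            sub(/[ \t]+$/, "", host)
        }
        !done && $0 == "" { done = 1 }
        { rest = rest $0 "\r\n" }
        END {
            if (target ~ /^http:\/\//) {
                url = target            # already in proxy form
            } else if (target !~ /^\// || host !~ /^[A-Za-z0-9.-]+(:[0-9]+)?$/) {
                # No usable Host header (common for HTTP/1.0 clients), or
                # characters that could inject into the request line: the
                # redirect has hidden the original destination, so refuse.
                exit 1
            } else {
                url = "http://" host target
            }
            printf "%s %s %s\r\n%s", method, url, version, rest
        }'
}

# Constructed sample: what a browser sends to port 80 before redirection.
printf 'GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n' | to_proxy_request
```

The Host header is supplied by the client, so the shim accepts only hostname and port characters and fails closed when the header is missing.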
 
LVL 1

Author Comment

by:Q010797
ID: 1627704
Actually it doesn't matter what I make it . .

-i accept
-a accept

etc...

they ALL give me the same error.
but I will take you up on that script offer :)

can you email it to me via q@qonline.com.au

Thank You
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627705
I use a slightly different configuration, which is actually running, using 2.0.34 and ipfwadm 2.3.0:

ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

And if you have a web server on the same machine:

ipfwadm -I -P tcp -i acc -D internal_ip_addr/32 80

Anyway, I was able to reproduce your error: with kernels above 2.1.102 which don't support ipfwadm any more (there is something better called IP chains). Some early development kernels had firewalling broken also.

I'm sending you my scripts...

Good Luck,

-- Marcelo
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627706
Have you had any luck? Did you receive my mail?

-- Marcelo
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627707
Sorry, have been REALLY busy . . How do I make the binary run on port 81? Do I . . I'm not sure exactly what I should be doing..

Here's some info in case you need it.

slackware 3.4 (soon to be 3.5, having some troubles)
squid-1.1.20
there IS a web server on the same PC
it is the gateway for the network
also has a number of ipfwadm rules running on it

one which denies port 80 requests already.. so most people are using proxy requests via port 8080 already...  but to save me the trouble in future I'd rather NEVER have to tell people they have to set up the proxy.
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627708
actually . .when I send the command :

ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

I get the error again :
ipfwadm: setsockopt failed: Invalid argument

ideas?
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627709
oops. . I did change internal_ip_addr to the IP address :)

and I just checked my ipfwadm version. . 2.3.0
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1627710
To track the problem, please run the command with strace (I don't know if it is standard with slackware...). The command is

strace -o /tmp/trace.log -r ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

and mail me /tmp/trace.log

-- Marcelo
0
 

Expert Comment

by:rasp
ID: 1627711
I am pretty sure there is some kind of transparent proxy option in the 2.0.34 kernel.
0
 

Expert Comment

by:medvitz
ID: 1627712
First, make sure that both firewall support and transparent proxy support are compiled into the kernel.  Check this through 'make menuconfig' under networking options.

After installing a kernel with this support, the command you've described (with allow instead of deny) should work.  
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627713
I still get the same error
0
 

Expert Comment

by:medvitz
ID: 1627714
The valid command is:

ipfwadm -I -a accept -P tcp -r 81 -S 203.103.236.0/24 -D 0.0.0.0/0 80
0
 
LVL 1

Expert Comment

by:ernaniaz
ID: 1627715
I'm using the command:
ipfwadm -I -a accept -r 8080 -P tcp -S 172.28.3.71 -D 0/0 80
and the ipfwadm version is 2.3.0.
It's working fine for me, with kernel 2.0.33 and 2.0.34 (I haven't used it with 2.0.35 yet).
You must set these kernel options to compile fine with transparent proxy support:
At Code maturity level options:
- Prompt for development and/or incomplete code/drivers
  This is important, if you don't set this, the transparent proxy option will not be able to be set at networking options.
At the networking options set:
- Network firewalls
- TCP/IP Networking
- IP: Firewalling
- IP: transparent proxy support (EXPERIMENTAL)
0
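
One way to check a kernel build configuration for the options listed in the comment above, as an added example that is not part of the original post. The `CONFIG_*` symbols are assumed to be the 2.0.x names behind those menu entries, and the function names and sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which options needed for transparent proxying are
# not enabled in a kernel .config (typically /usr/src/linux/.config).
# The symbol names are assumed 2.0.x equivalents of the menu entries above.

REQUIRED_OPTS="CONFIG_EXPERIMENTAL CONFIG_FIREWALL CONFIG_INET CONFIG_IP_FIREWALL CONFIG_IP_TRANSPARENT_PROXY"

# Print the required options that are not set to "y" in the given file,
# space-separated on one line (empty line when nothing is missing).
missing_tproxy_opts() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    missing=""
    for opt in $REQUIRED_OPTS; do
        grep -q "^${opt}=y\$" "$cfg" || missing="${missing}${missing:+ }${opt}"
    done
    printf '%s\n' "$missing"
}

# Constructed .config fragment: firewalling is on, but the "development
# and/or incomplete code" prompt is off, so the transparent proxy entry was
# never offered and is absent from the file.
sample_config() {
    cat <<'EOF'
# CONFIG_EXPERIMENTAL is not set
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_FIREWALL=y
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
echo "missing: $(missing_tproxy_opts "$tmp")"
rm -f "$tmp"
```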
 
LVL 1

Expert Comment

by:ernaniaz
ID: 1627716
I've been searching in my bookmarks, and found the official ipfwadm site, with an extensive how-to. There's a note on the use of transparent proxy. The transparent proxy DOESN'T work in kernel 2.0.30 and 2.1.x (this is not the case, only to advise). You can get more info about how to use ipfwadm with tp at: http://www.xos.nl/linux/ipfwadm/paper/ section Transparent Proxying.
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627717
Am working on this problem over the next few days to see what I come up with... will post a new comment tomorrow or the day after and let you know how I get on

thanks one and all :)
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627718
All seems to be working thanks to a script and help given by Marcelofr
0
 
LVL 3

Accepted Solution

by:
marcelofr earned 200 total points
ID: 1627719
Good for you...
0
 
LVL 1

Author Comment

by:Q010797
ID: 1627720
Thanks again!  About time I got it working :)
0
