transparent proxying

Posted on 1998-06-10
Last Modified: 2013-12-15
I want to set up transparent proxying. I assume ipfwadm is the easiest way to do this?

Do I need any specific options enabled in the kernel? Do I have to use a development kernel? At present I use 2.0.34.

Basically, I want all outgoing requests on port 80 redirected to LOCAL port 8080.
Question by:Q010797

19 Comments
LVL 1

Author Comment

by:Q010797
ID: 1627702
ipfwadm -I -i deny -P tcp -S 203.103.236.0/24 -D 0.0.0.0/0 80 -r 8080

is the command I am currently using . .

ipfwadm: setsockopt failed: Invalid argument

is the response I am currently getting :)

Andrew
q@qonline.com.au

Expert Comment

by:marcelofr
ID: 1627703
Port redirection only accepts the "accept" policy, not deny. That's the error you are getting. And if you want to redirect all your web traffic through your proxy server, you can't do it that easily: remember a proxy accepts only proxy requests, not HTTP requests. If this is the case, you should redirect port 80 to, say, 81, where a simple proxy script (which I can send you, don't remember where I found it) will mask direct requests as proxy ones...

Good Luck,


-- Marcelo

Author Comment

by:Q010797
ID: 1627704
Actually it doesn't matter what I make it . .

-i accept
-a accept

etc...

they ALL give me the same error.
but I will take you up on that script offer :)

can you email it to me via q@qonline.com.au

Thank You

Expert Comment

by:marcelofr
ID: 1627705
I use a little different configuration, which is actually running, using 2.0.34 and ipfwadm 2.3.0:

ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

And if you have a web server on the same machine:

ipfwadm -I -P tcp -i acc -D internal_ip_addr/32 80

Anyway, I was able to reproduce your error with kernels above 2.1.102, which don't support ipfwadm any more (there is something better called IP chains). Some early development kernels had firewalling broken also.

I'm sending you my scripts...

Good Luck,

-- Marcelo
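
Marcelo's point above (a proxy only understands proxy-form requests, so a plain port 80 redirect needs a small script in front of Squid to rewrite them) and his `-r 81` rule both depend on a shim of this kind. What follows is an added example written for this page; it is not the script Marcelo mailed and not part of the original thread. It assumes the redirect target is port 81, that Squid listens on 127.0.0.1:8080, and that under the 2.0 kernel's transparent proxy feature `getsockname()` on the accepted, redirected connection returns the original destination rather than the gateway's address; that assumption is what lets it serve HTTP/1.0 clients that send no Host header (the common case in 1998). `rewrite_request()` and `fallback_host()` are pure functions; the rest is the listener that wires them to Squid.

```python
"""Request-rewriting shim between an ipfwadm port redirect and a classic proxy.

Constructed example for this thread; it is NOT the script Marcelo mailed.
Assumptions: the redirect target is port 81 ("ipfwadm ... -r 81"), the real
proxy (Squid) listens on 127.0.0.1:8080, and, under the 2.0 kernel's transparent
proxy feature, getsockname() on an accepted redirected socket yields the
ORIGINAL destination rather than the gateway's own address.
"""
import select
import socket
import threading

LISTEN_PORT = 81                      # assumption: the ipfwadm -r target
PROXY_ADDR = ("127.0.0.1", 8080)      # assumption: where Squid really listens
MAX_HEAD = 65536                      # refuse request heads larger than this


def fallback_host(orig_ip, orig_port):
    """Host value to use when an HTTP/1.0 client sends no Host header."""
    return orig_ip if orig_port == 80 else "%s:%d" % (orig_ip, orig_port)


def rewrite_request(raw, fallback):
    """Turn an origin-form request ("GET /x HTTP/1.0") into the absolute-form
    request a proxy expects ("GET http://host/x HTTP/1.0").

    raw:      bytes holding the request head (plus any body already read)
    fallback: "host" or "host:port" used when there is no Host header
    Returns the rewritten bytes, the input unchanged if it is already in
    proxy form, or None if the request cannot be handled.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None                               # not "METHOD target VERSION"
    method, target, version = parts
    if target.startswith(b"http://") or target.startswith(b"https://"):
        return raw                                # client already talks proxy-style
    if not target.startswith(b"/"):
        return None                               # CONNECT host:port etc.: not handled
    host = fallback.encode("ascii")
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":       # HTTP/1.1 clients send this
            host = value.strip()
            break
    if not host:
        return None                               # nowhere to send it
    request_line = b" ".join([method, b"http://" + host + target, version])
    return b"\r\n".join([request_line] + lines[1:]) + sep + body


def read_head(conn):
    """Read until the blank line ending the request head, EOF or MAX_HEAD."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < MAX_HEAD:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def relay(a, b):
    """Copy bytes in both directions until either side closes."""
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for s in readable:
            data = s.recv(4096)
            if not data:
                return
            (b if s is a else a).sendall(data)


def handle(conn):
    with conn:
        orig_ip, orig_port = conn.getsockname()[:2]   # original destination (see assumption)
        raw = read_head(conn)
        rewritten = rewrite_request(raw, fallback_host(orig_ip, orig_port))
        if rewritten is None:
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")   # refuse, never pass through
            return
        with socket.create_connection(PROXY_ADDR) as upstream:
            upstream.sendall(rewritten)
            relay(conn, upstream)


def serve():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", LISTEN_PORT))
        srv.listen(64)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it on the gateway as root (port 81 is privileged) once the redirect rule is in place; a request such as `GET /index.html HTTP/1.0` with `Host: www.example.com` reaches Squid as `GET http://www.example.com/index.html HTTP/1.0`. Anything the shim cannot rewrite (CONNECT, a malformed request line, no Host header and no usable original destination) is answered with a 400 instead of being relayed, so the shim does not become a general-purpose relay for whatever lands on the redirected port.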

Expert Comment

by:marcelofr
ID: 1627706
Have you had any luck? Did you receive my mail?

-- Marcelo

Author Comment

by:Q010797
ID: 1627707
Sorry, I have been REALLY busy. How do I make the binary run on port 81? Do I . . . I'm not sure exactly what I should be doing.

Here's some info in case you need it.

slackware 3.4 (soon to be 3.5, having some troubles)
squid-1.1.20
there IS a web server on the same PC
it is the gateway for the network
also has a number of ipfwadm rules running on it

One of them denies port 80 requests already, so most people are using proxy requests via port 8080 already... but to save me the trouble in future I'd rather NEVER have to tell people they have to set up the proxy.

Author Comment

by:Q010797
ID: 1627708
Actually, when I send the command:

ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

I get the error again:
ipfwadm: setsockopt failed: Invalid argument

ideas?

Author Comment

by:Q010797
ID: 1627709
Oops, I did change internal_ip_addr to the IP address :)

And I just checked my ipfwadm version: 2.3.0

Expert Comment

by:marcelofr
ID: 1627710
To track the problem, please run the command with strace (I don't know if it is standard with Slackware...). The command is:

strace -o /tmp/trace.log -r ipfwadm -I -P tcp -i acc -D 0/0 80 -r 81 -V internal_ip_addr

and mail me /tmp/trace.log

-- Marcelo

Expert Comment

by:rasp
ID: 1627711
I am pretty sure there is some kind of transparent proxy option in the 2.0.34 kernel.

Expert Comment

by:medvitz
ID: 1627712
First, make sure that both firewall support and transparent proxy support are compiled into the kernel. Check this through 'make menuconfig' under networking options.

After installing a kernel with this support, the command you've described (with allow instead of deny) should work.  

Author Comment

by:Q010797
ID: 1627713
I still get the same error

Expert Comment

by:medvitz
ID: 1627714
The valid command is:

ipfwadm -I -a accept -P tcp -r 81 -S 203.103.236.0/24 -D 0.0.0.0/0 80

Expert Comment

by:ernaniaz
ID: 1627715
I'm using the command:
ipfwadm -I -a accept -r 8080 -P tcp -S 172.28.3.71 -D 0/0 80
and the ipfwadm version is 2.3.0.
It's working fine for me, with kernel 2.0.33 and 2.0.34 (I haven't used it with 2.0.35 yet).
You must set these kernel options to compile with transparent proxy support:
At Code maturity level options:
- Prompt for development and/or incomplete code/drivers
  This is important: if you don't set this, the transparent proxy option cannot be set under networking options.
At the networking options set:
- Network firewalls
- TCP/IP Networking
- IP: Firewalling
- IP: transparent proxy support (EXPERIMENTAL)

Expert Comment

by:ernaniaz
ID: 1627716
I've been searching in my bookmarks and found the official ipfwadm site, with an extensive how-to. There's a note on the use of transparent proxy: transparent proxy DOESN'T work in kernel 2.0.30 and 2.1.x (this is not the case here, just to advise). You can get more info about how to use ipfwadm with tp at: http://www.xos.nl/linux/ipfwadm/paper/ section Transparent Proxying.

Author Comment

by:Q010797
ID: 1627717
I am working on this problem over the next few days to see what I come up with... will post a new comment tomorrow or the day after and let you know how I get on.

thanks one and all :)

Author Comment

by:Q010797
ID: 1627718
All seems to be working thanks to a script and help given by Marcelofr

Accepted Solution

by:marcelofr (earned 50 total points)
ID: 1627719
Good for you...

Author Comment

by:Q010797
ID: 1627720
Thanks again!  About time I got it working :)