Gateway and Transparent Proxy in separated machines

Hello,


When you configure the transparent proxy and the gateway on the SAME machine, it works (it shows the correct IP in access.log). On SEPARATE MACHINES it shows the gateway IP in the Squid log :(

Gateway: 192.168.0.254 (FreeBSD 8 AMD64)
Proxy Server: 192.168.0.250 (FreeBSD 8 AMD64)
User: 192.168.0.200 (Windows XP)
Squid Version: 3.1.4 (compiled with pf-transparent) - Also tested with 2.6 and 2.6

Details:

Redirect www port to proxy server on GATEWAY (192.168.0.254):

Code:
# source NAT on the LAN side: rewrites the client's source address to the gateway's
nat on $int_if from ! 192.168.0.250 to 192.168.0.250 port { 80, 8080 } -> $int_if
# destination NAT: sends client HTTP to the proxy's listener
rdr inet proto tcp from ! 192.168.0.250 to any port www -> 192.168.0.250 port 8080
pass all # lab test

Rules on PROXY SERVER (192.168.0.250)
Code:
pass all # lab test

squid.conf on PROXY SERVER (192.168.0.250)
Code:
http_port 8080 transparent
…
always_direct allow all
…
forwarded_for on  # tested

Checking service:
Code:
[root@services:/] # sockstat -4 | grep 8080
squid    squid      1900  11 tcp4   *:8080                *:*

Testing the transparent proxy from the user's machine (Windows XP/192.168.0.200) works normally, but the Squid log shows the gateway IP (192.168.0.254… correct is: 192.168.0.200).

Code:
[root@services:/] # tail -f /usr/local/squid/logs/access.log
192.168.0.254 - - [17/Jun/2010:11:53:48 -0300] "GET http://comentarios.uol.com.br/ws/v1/message/retrieve/subject/104?callback=callbackColetarComentarios&product=esporte&limit=50 HTTP/1.1" 0 0 TCP_MISS:DIRECT

What is the problem? Does the NAT change the SOURCE IP? If I disable the NAT, it does not work.

Sorry for my poor English =)

Regards 

Welkson Renny
Sysadmin
 
You don't need the nat rule. You need the rdr rule only. Try the following two rules, they work for me:

Code:
# $proxy = 192.168.0.250 and $proxy_port = 8080 in this thread; port 80 is the
# destination port, so it belongs after "to any" (after "from" it would mean source port)
rdr on $int_if inet proto tcp from ! $proxy to any \
       port 80 tag  HTTP_PROXY -> $proxy port $proxy_port

and later on:
Code:
pass on $int_if modulate state tagged HTTP_PROXY
 
Hi DBI!

I changed the configuration and tested it... but it only works with NAT active (showing the wrong IP),

# ON GATEWAY (192.168.0.254)

Code:
rdr on $int_if inet proto tcp from ! 192.168.0.250 to any port 80 tag HTTP_PROXY \
 -> 192.168.0.250 port 8080

pass quick log on $int_if modulate state tagged HTTP_PROXY

Doesn't work!

Test with NAT:
Code:
nat on $int_if from ! 192.168.0.250 to any port { 80, 8080 } -> $int_if
Works! But the IP in access.log is wrong (the gateway's IP)

Any other tips?

Regards,

Welkson Renny
 
Been a while, but I think on the gateway you need to disable NAT on the internal interface, enable it on the external interface, and then use route-to to send www traffic to the proxy machine. On the proxy machine you use rdr to send www traffic to port 8080.

Something like:

Code:
nat on $ext_if from $int_if:network to any -> $ext_if
pass all
# route-to goes right after the interface and names it together with the next hop;
# "port" is only accepted with "proto tcp" (or udp)
pass in on $int_if route-to ($int_if 192.168.0.250) proto tcp from ! 192.168.0.250/32 to any port 80

And on the proxy:

Code:
rdr inet proto tcp from ! 192.168.0.250 to any port www -> 192.168.0.250 port 8080
 
Hi, welkson

nat means "change the src ip address to this one"
rdr means "change the dst ip address to this one"
Obviously you can't preserve the original source address when using nat.
When you use rdr with clients and proxy connected to the same NIC, you should force the GW not to send ICMP redirects.
Please, try again the rules I wrote before with the following addition:
Code:
echo net.inet.ip.redirect=0 >> /etc/sysctl.conf              # persist the setting across reboots
sed 's/#.*//g ; /^$/d' /etc/sysctl.conf | xargs -n1 sysctl   # apply every setting in the file now
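The nat/rdr/route-to distinction explained above, and the "NAT on the external interface, route-to on the internal one, rdr on the proxy" layout from the previous reply, collected into the two rulesets the thread ends up with. This is an added example, not configuration posted by anyone in the thread; the interface names em0/em1 are placeholders to be replaced, while the addresses and port are the ones used throughout the thread.

```pf
# ---- gateway 192.168.0.254: /etc/pf.conf ----
ext_if = "em0"            # assumed: interface towards the Internet
int_if = "em1"            # assumed: interface towards the LAN and the proxy
proxy  = "192.168.0.250"
proxy_port = "8080"

# Source NAT only where it belongs, on the external interface. A nat rule
# on $int_if rewrites the client's source address to the gateway's before
# the packet reaches Squid, which is why access.log showed 192.168.0.254.
nat on $ext_if from $int_if:network to any -> $ext_if

# Hand client HTTP to the proxy by next hop instead of rewriting addresses:
# route-to changes where the packet is forwarded, not its IP header, so
# Squid still sees the client. Excluding the proxy's own traffic keeps its
# upstream fetches from being sent back to itself. quick is needed because
# the later "pass all" would otherwise match last and win.
pass in quick on $int_if route-to ($int_if $proxy) \
        proto tcp from ! $proxy to any port $proxy_port

pass all                  # lab rule from the thread; tighten for production

# ---- proxy 192.168.0.250: /etc/pf.conf ----
# The packet arrives with the real web server as destination; rdr rewrites
# that to the local Squid listener so the kernel accepts it, and the state
# entry keeps the original destination for Squid to look up.
rdr inet proto tcp from ! 192.168.0.250 to any port www -> 192.168.0.250 port 8080
pass all                  # lab rule from the thread; tighten for production
```

Two things to keep in mind with this layout: on the pf version shipped with FreeBSD 8, translation rules (nat, rdr) have to come before the filter rules in the file, and Squid's pf-transparent code recovers the original destination by querying /dev/pf, so the user Squid runs as needs read access to that device. The `net.inet.ip.redirect=0` setting from the reply above applies to the gateway, since the clients and the proxy share its internal interface. Note that the route-to rule above matches destination port $proxy_port only as a macro typo would; the intended match is port 80, as in the thread's rules, so use `to any port 80` there.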
 
Hello friends!


On Gateway/Firewall (192.168.0.254):
Code:
# sysctl -a | grep ip.redirect
net.inet.ip.redirect: 0

pf.conf on gateway (192.168.0.254):
Code:
pass in quick on $int_if route-to ($int_if 192.168.0.250) proto tcp from ! 192.168.0.250 to any port 80




On Proxy Server (192.168.0.250):

Code:
# sysctl -a | grep ip.redirect
net.inet.ip.redirect: 0

pf.conf (Proxy Server 192.168.0.250):

Code:
rdr inet proto tcp from ! 192.168.0.250 to any port www -> 192.168.0.250 port 8080


# tail -f /usr/local/squid/logs/access.log
Code:
192.168.0.200 - - [22/Jun/2010:07:10:29 -0300] "GET http://www.google-analytics.com/urchin.js HTTP/1.1" 200 7318 TCP_HIT:NONE


Thank you very much! It works now! :p

Regards,

Welkson Renny ;)
SysAdmin
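A quick way to tell the two situations apart from access.log itself: every request logged from the gateway's address, as in the first post, versus real client addresses, as in the last. This is an added example, not part of the thread: a POSIX sh script that reads the common log layout shown above, counts requests per client and flags the case where the gateway's address accounts for at least half of them. The sample log lines are constructed for the example; the first line of each sample is the one quoted in the thread, the rest are made up.

```shell
#!/bin/sh
# Added example, not from the thread: does Squid's access.log still show real
# client addresses, or has a NAT in front of the proxy replaced them all with
# the gateway's address (the symptom in the first post)?
# Assumes the "common" log layout shown in the thread: client address first.

# Read a common-format access.log on stdin and print "<masked> <total>":
# total counts lines whose first field is an IPv4 address, masked counts
# those equal to the gateway address given as $1.
count_masked() {
    awk -v gw="$1" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            total++
            if ($1 == gw) masked++
        }
        END { printf "%d %d\n", masked, total }
    '
}

# Requests per client address, most frequent first.
client_counts() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$1]++ }
         END { for (c in n) print n[c], c }' | sort -k1,1nr -k2
}

# Succeed (exit 0) when the gateway accounts for at least half of the parsed
# requests, i.e. the source address is being rewritten before Squid sees it.
nat_is_masking() {
    counts=$(count_masked "$1")
    masked=${counts% *}
    total=${counts#* }
    [ "$total" -gt 0 ] && [ $(( masked * 2 )) -ge "$total" ]
}

# Constructed samples: the first line of each is the log line quoted in the
# thread, the remaining lines are made up for the example.
SAMPLE_BEFORE='192.168.0.254 - - [17/Jun/2010:11:53:48 -0300] "GET http://comentarios.uol.com.br/ws/v1/message/retrieve/subject/104?callback=callbackColetarComentarios&product=esporte&limit=50 HTTP/1.1" 0 0 TCP_MISS:DIRECT
192.168.0.254 - - [17/Jun/2010:11:53:49 -0300] "GET http://www.freebsd.org/ HTTP/1.1" 200 12345 TCP_MISS:DIRECT'

SAMPLE_AFTER='192.168.0.200 - - [22/Jun/2010:07:10:29 -0300] "GET http://www.google-analytics.com/urchin.js HTTP/1.1" 200 7318 TCP_HIT:NONE
192.168.0.200 - - [22/Jun/2010:07:10:30 -0300] "GET http://www.freebsd.org/ HTTP/1.1" 200 12345 TCP_MISS:DIRECT
192.168.0.201 - - [22/Jun/2010:07:10:31 -0300] "GET http://www.example.com/ HTTP/1.1" 304 0 TCP_MISS:DIRECT
this line is not an access.log record and is ignored'

GATEWAY=192.168.0.254
if printf '%s\n' "$SAMPLE_BEFORE" | nat_is_masking "$GATEWAY"; then
    echo "before the fix: clients hidden behind $GATEWAY"
fi
if ! printf '%s\n' "$SAMPLE_AFTER" | nat_is_masking "$GATEWAY"; then
    echo "after the fix: real client addresses logged"
fi
```

On a real proxy the same functions run over the live log, for example `count_masked 192.168.0.254 < /usr/local/squid/logs/access.log`, or `client_counts < access.log` to see who is actually being proxied. Lines whose first field is a hostname (log_fqdn) or anything else non-numeric are skipped rather than counted.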
 