more transparent proxy problems (long)
James McDonald
Fri Oct 1 17:27:25 PDT 2004
Tim Wunder wrote:
>I'm still fighting with this transparent proxy problem, and I must be missing
>something obvious, so I'll start at the beginning and describe my network and
>what I'm trying to do...
>
>I have a linksys cable router that is currently used as a firewall/nat box.
>Its internal facing IP address is 192.168.1.254, It only allows traffic from
>192.168.1.2 to go to the internet.
>
You have basically:
<NAT_router>--<192.168.1.0/24>--<10.0.0.0/10>
You say that the NAT_router is only configured to allow 192.168.1.0/24;
that is one problem. The 10.0.0.0/10 will probably hit the router and
say uh no.
Also I found that the traffic transfer on my little Alcatel NAT_Router
didn't allow me to have 2 private LANs behind it... So I had to do the
following:
<NAT_ROUTER>---<LINUX_BOX_WITH_NAT 192.168.1.2/24>--<10.0.0.0/10>
Which is messy because of 2 layers of NAT, and even then it wasn't so
crash hot... (I don't remember it working properly.)
Probably the easiest way around this is the following:

                      Linux Box 192.168.1.2
                     /
<NAT_ROUTER>----<HUB>
                     \
                      R40 192.168.1.x
>It also forwards ports 21,22,25,80,443,995
>and 8000 to 192.168.1.2 for ssh, smtp, http, https, pop3s, and gnump3d.
>
>192.168.1.2 belongs to an FC2 box that serves webpages, e-mail, music
>streaming and is our main desktop PC for the four people in the house.
>traffic for GID's belonging to my two sons gets forwarded through
>dansguardian/squidGuard and squid transparently.
>
>The iptables setting that does this is:
>Chain OUTPUT (policy ACCEPT)
>target prot opt source destination
>REDIRECT tcp -- anywhere anywhere tcp dpt:http OWNER GID match john redir ports 3129
>REDIRECT tcp -- anywhere anywhere tcp dpt:http OWNER GID match tom redir ports 3129
>REDIRECT tcp -- anywhere anywhere tcp dpt:squid OWNER GID match john redir ports 3129
>REDIRECT tcp -- anywhere anywhere tcp dpt:squid OWNER GID match tom redir ports 3129
>
>I've installed a new ethernet card, with the IP address of 10.0.0.1 and it
>appears to be working fine:
># route -n
>Kernel IP routing table
>Destination Gateway Genmask Flags Metric Ref Use Iface
>10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
>192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
>0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
>
>I've enabled dhcpd and have configured it to give out IP addresses between
>10.0.0.100 and 10.0.0.110, and it also seems to be working just fine.
># cat /etc/dhcpd.conf
>default-lease-time 86400;
>max-lease-time 86400;
>option subnet-mask 255.255.255.0;
>option broadcast-address 10.255.255.255;
>option routers 10.0.0.1;
>option domain-name-servers 68.34.76.5, 68.34.76.6;
>option domain-name "thewunders.org";
>ddns-update-style ad-hoc;
>
>subnet 10.0.0.0 netmask 255.255.255.0 {
> range 10.0.0.100 10.0.0.110;
>}
>
>I have an IBM R40 laptop running Fedora Core 2 with a wireless card that is
>configured to get its IP address via DHCP and it's gotten 10.0.0.109. My son
>has a Toshiba laptop running WinXP Home and it also gets its IP via DHCP and
>is assigned 10.0.0.110. It is hardwired to the linksys cable router.
>
>My wireless access point has a configuration ID of 192.168.1.251 and I can
>access it from anywhere on the network. It is also hardwired to the cable
>router.
>
>I can ping the DNS server, 68.34.76.5, from my R40, and from the WinXP laptop,
>and can see the traffic coming thru eth1 on the server/proxy via tcpdump.
>
>If I try to connect to a web page from my R40 laptop, this is what I see via
>tcpdump -i eth1:
># tcpdump -i eth1 -n
>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
>11:19:10.768253 IP 10.0.0.109.32790 > 68.34.76.5.domain: 27115+ AAAA? www.gnu.org. (29)
>11:19:10.768623 IP 10.0.0.1 > 10.0.0.109: icmp 65: host 68.34.76.5 unreachable - admin prohibited
>11:19:10.770495 IP 10.0.0.109.32790 > 68.34.76.6.domain: 27115+ AAAA? www.gnu.org. (29)
>11:19:10.770620 IP 10.0.0.1 > 10.0.0.109: icmp 65: host 68.34.76.6 unreachable - admin prohibited
>11:19:10.772592 IP 10.0.0.109.32790 > 68.34.76.5.domain: 27115+ AAAA? www.gnu.org. (29)
>11:19:10.772702 IP 10.0.0.1 > 10.0.0.109: icmp 65: host 68.34.76.5 unreachable - admin prohibited
>11:19:10.774522 IP 10.0.0.109.32790 > 68.34.76.6.domain: 27115+ AAAA? www.gnu.org. (29)
>11:19:10.774632 IP 10.0.0.1 > 10.0.0.109: icmp 65: host 68.34.76.6 unreachable - admin prohibited
>11:19:10.776490 IP 10.0.0.109.32790 > 68.34.76.5.domain: 27116+ AAAA? www.gnu.org.localdomain. (41)
>11:19:10.776600 IP 10.0.0.1 > 10.0.0.109: icmp 77: host 68.34.76.5 unreachable - admin prohibited
>
>And there is no traffic going through eth0 seen by tcpdump -i eth0 -n
>
>I've enabled ip forwarding:
># cat /proc/sys/net/ipv4/ip_forward
>1
>
>And I also have these firewall rules:
># iptables -t nat -L
>Chain PREROUTING (policy ACCEPT)
>target prot opt source destination
>
>Chain POSTROUTING (policy ACCEPT)
>target prot opt source destination
>SNAT all -- 10.0.0.0/24 anywhere to:192.168.1.2
>
>
>When I ping 68.34.76.5 from the laptop, I see this traffic on eth0 via
>tcpdump:
>11:24:07.658365 IP 192.168.1.2 > 68.34.76.5: icmp 64: echo request seq 1
>11:24:07.668527 IP 68.34.76.5 > 192.168.1.2: icmp 64: echo reply seq 1
>11:24:08.659175 IP 192.168.1.2 > 68.34.76.5: icmp 64: echo request seq 2
>11:24:08.670433 IP 68.34.76.5 > 192.168.1.2: icmp 64: echo reply seq 2
>11:24:09.660027 IP 192.168.1.2 > 68.34.76.5: icmp 64: echo request seq 3
>11:24:09.670130 IP 68.34.76.5 > 192.168.1.2: icmp 64: echo reply seq 3
>11:24:10.660886 IP 192.168.1.2 > 68.34.76.5: icmp 64: echo request seq 4
>11:24:10.671438 IP 68.34.76.5 > 192.168.1.2: icmp 64: echo reply seq 4
>11:24:11.661732 IP 192.168.1.2 > 68.34.76.5: icmp 64: echo request seq 5
>11:24:11.673050 IP 68.34.76.5 > 192.168.1.2: icmp 64: echo reply seq 5
>11:24:12.662602 IP 192.168.1.2 > 68.34.76.5: icmp 64: echo request seq 6
>11:24:12.671956 IP 68.34.76.5 > 192.168.1.2: icmp 64: echo reply seq 6
>11:24:13.663443 IP 192.168.1.2 > 68.34.76.5: icmp 64: echo request seq 7
>11:24:13.673915 IP 68.34.76.5 > 192.168.1.2: icmp 64: echo reply seq 7
>11:24:14.664311 IP 192.168.1.2 > 68.34.76.5: icmp 64: echo request seq 8
>11:24:14.675373 IP 68.34.76.5 > 192.168.1.2: icmp 64: echo reply seq 8
>
>So it looks like the SNAT rule is working for ping...
>
>What am I missing?
>
>Could it be that DNS is blocked somehow? Maybe I'll try to set up bind to
>handle DNS locally and see if that works...
>
>Thanks for listening...
>
>Tim
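One useful way to read the eth1 capture quoted above is to ask who generated the "admin prohibited" errors: their source is 10.0.0.1, the Linux box's own address, and on Linux that ICMP code for forwarded traffic is what a netfilter REJECT (icmp-host-prohibited) rule produces, so the filter table, which `iptables -t nat -L` never lists, is the place to look. The following is an added example, not code from the thread: it parses the quoted tcpdump lines plus one constructed pair in which the error instead comes from the upstream router (192.168.1.254, the router address given in the thread), pairs each error with the client packet it answers, and reports whether the rejecting hop is the gateway itself or something beyond it.

```python
import re
from collections import Counter

# Constructed sample: the eth1 tcpdump lines quoted in the thread, plus one
# pair (timestamp 11:19:12) invented here in which the error is sent by the
# upstream router 192.168.1.254 instead, to exercise the other branch.
CAPTURE = """\
11:19:10.768253 IP 10.0.0.109.32790 > 68.34.76.5.domain: 27115+ AAAA? www.gnu.org. (29)
11:19:10.768623 IP 10.0.0.1 > 10.0.0.109: icmp 65: host 68.34.76.5 unreachable - admin prohibited
11:19:10.770495 IP 10.0.0.109.32790 > 68.34.76.6.domain: 27115+ AAAA? www.gnu.org. (29)
11:19:10.770620 IP 10.0.0.1 > 10.0.0.109: icmp 65: host 68.34.76.6 unreachable - admin prohibited
11:19:12.000000 IP 10.0.0.109.32791 > 68.34.76.5.domain: 27117+ A? www.gnu.org. (29)
11:19:12.000100 IP 192.168.1.254 > 10.0.0.109: icmp 65: host 68.34.76.5 unreachable - admin prohibited
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Client packet with a port: "<ts> IP <src>.<sport> > <dst>.<dport>: ..."
OUTBOUND = re.compile(rf"^\S+ IP ({IPV4})\.\S+ > ({IPV4})\.(\w+): ")
# ICMP destination unreachable, code 10, as tcpdump prints it
ADMIN_PROHIB = re.compile(
    rf"^\S+ IP ({IPV4}) > ({IPV4}): icmp \d+: host ({IPV4}) unreachable - admin prohibited")

def classify_rejects(capture, gateway):
    """Count 'admin prohibited' errors keyed by (origin, blocked_host, port).
    origin is 'local-filter' when the error's source is the gateway's own
    address (for forwarded traffic a Linux router emits code 10 from a
    netfilter REJECT icmp-host-prohibited rule); anything else is 'upstream:<ip>'.
    """
    last_flow = {}  # client ip -> (dst ip, dst port) of its latest packet
    verdicts = Counter()
    for line in capture.splitlines():
        if m := OUTBOUND.match(line):
            src, dst, port = m.groups()
            last_flow[src] = (dst, port)
        elif m := ADMIN_PROHIB.match(line):
            err_src, client, blocked = m.groups()
            dst, port = last_flow.get(client, (None, None))
            port = port if dst == blocked else "?"   # only trust a matching flow
            origin = "local-filter" if err_src == gateway else f"upstream:{err_src}"
            verdicts[(origin, blocked, port)] += 1
    return verdicts

def diagnose(verdicts):
    """One-line conclusion; the nat table listing never shows filter rules."""
    local = sorted({k[2] for k in verdicts if k[0] == "local-filter"})
    if local:
        return (f"gateway itself rejected forwarded {'/'.join(local)} traffic; "
                "check the filter table with 'iptables -L FORWARD -n -v', "
                "which 'iptables -t nat -L' does not show")
    return "no local REJECTs seen; errors originate beyond the gateway"
```

Run on the sample with gateway 10.0.0.1, the two quoted pairs classify as local-filter rejections of DNS (port "domain") and the constructed pair as an upstream rejection.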
More information about the Linux-users mailing list