Direct transparent proxy traffic to a peer?


This topic contains 5 replies, has 0 voices, and was last updated by roden 7 years, 8 months ago.

    #42434

    roden
    Member

    Is it possible to direct all the http traffic with the transparent proxy to another proxy? I need this scenario to test something (I’m a QA analyst). I’d like to do it with the Zeroshell itself. Otherwise I have to allocate another box for squid, which I do not want to do if I can help it.

    #50417

    ppalias
    Member

    Actually you can do it with DNAT on PREROUTING chain of IPTABLES.

    #50418

    roden
    Member

    I tried adding this, but it does not work:

    -A PREROUTING -p tcp -m iprange --src-range 192.168.200.20-192.168.200.22 -m tcp --dport 80 -j DNAT --to-destination :

    I omitted the IP and port of my destination above for privacy reasons (it’s a public IP).

    I tried logging for my rules and I see this (in dmesg):

    LINE0 IN=ETH00 OUT= MAC=00:50:56:a8:44:23:00:50:56:a8:4a:19:08:00 SRC=192.168.200.20 DST=10.102.129.240 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=29854 DF PROTO=TCP SPT=3319 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

    I see traffic on both interfaces of my Zeroshell box:

    Internal:

    21:40:26.540653 192.168.200.20.3368 > 10.102.129.240.80: S 2323931432:2323931432(0) win 64240 (DF)
    21:40:26.546233 arp who-has 192.168.200.20 tell 192.168.200.2
    21:40:26.546448 arp reply 192.168.200.20 is-at 0:50:56:a8:4a:19
    21:40:26.546456 10.102.129.240.80 > 192.168.200.20.3368: S 1489832951:1489832951(0) ack 2323931433 win 65535 (DF)
    21:40:26.546662 192.168.200.20.3368 > 10.102.129.240.80: . ack 1 win 64240 (DF)
    21:40:26.547071 192.168.200.20.3368 > 10.102.129.240.80: P 1:346(345) ack 1 win 64240 (DF)
    21:40:26.547780 10.102.129.240.80 > 192.168.200.20.3368: . ack 346 win 65535 (DF)
    21:40:26.713389 10.102.129.240.80 > 192.168.200.20.3368: . 1:1461(1460) ack 346 win 65535 (DF)
    21:40:26.713491 10.102.129.240.80 > 192.168.200.20.3368: P 1461:1513(52) ack 346 win 65535 (DF)
    21:40:26.713533 10.102.129.240.80 > 192.168.200.20.3368: P 1513:2646(1133) ack 346 win 65535 (DF)
    21:40:26.713553 10.102.129.240.80 > 192.168.200.20.3368: P 2646:2651(5) ack 346 win 65535 (DF)
    21:40:26.713651 192.168.200.20.3368 > 10.102.129.240.80: . ack 2646 win 64240 (DF)
    21:40:26.890460 192.168.200.20.3368 > 10.102.129.240.80: . ack 2651 win 64235 (DF)

    External:
    21:41:12.184460 192.168.200.20.3368 > 10.102.129.240.80: P 2323931778:2323932123(345) ack 1489835602 win 64235 (DF)
    21:41:12.185375 10.102.129.240.80 > 192.168.200.20.3368: . ack 345 win 65535 (DF)
    21:41:12.354599 10.102.129.240.80 > 192.168.200.20.3368: . 1:1461(1460) ack 345 win 65535 (DF)
    21:41:12.354727 10.102.129.240.80 > 192.168.200.20.3368: P 1461:1513(52) ack 345 win 65535 (DF)
    21:41:12.354777 10.102.129.240.80 > 192.168.200.20.3368: P 1513:2646(1133) ack 345 win 65535 (DF)
    21:41:12.354807 10.102.129.240.80 > 192.168.200.20.3368: P 2646:2651(5) ack 345 win 65535 (DF)
    21:41:12.354950 192.168.200.20.3368 > 10.102.129.240.80: . ack 1513 win 64240 (DF)
    21:41:12.355001 192.168.200.20.3368 > 10.102.129.240.80: . ack 2651 win 63102 (DF)

    The destination 10.102.129.240 is on our network. So obviously it’s not redirecting. And no page loads. Am I missing something? Do I need to add something to POSTROUTING? I also see these:

    -A PREROUTING -p tcp -m tcp --dport 80 -j Proxy
    -A POSTROUTING -j SNATVS
    -A POSTROUTING -o ETH01 -j MASQUERADE
    -A Proxy -s 192.168.200.21/32 -i ETH00 -p tcp -j ACCEPT
    -A Proxy -s 192.168.200.10/32 -i ETH00 -p tcp -j ACCEPT
    -A Proxy -s 192.168.200.20/32 -i ETH00 -p tcp -j REDIRECT --to-ports 8080

    I’m not sure where the rule to redirect to 8080 comes from. Possibly someone else at my work added it. I tried disabling it, but it made no difference. Any more help would be greatly appreciated!!

    #50419

    roden
    Member

    I changed things around a bit (and disabled Zeroshell’s built-in transparent proxy, which removed this line: -A PREROUTING -p tcp -m tcp --dport 80 -j Proxy) and got a slightly better scenario. So now my rules look like:

    -A PREROUTING -i ETH00 -p tcp -m tcp --dport 80 -j DNAT --to-destination 67.219.254.22:3128
    -A PREROUTING -i ETH01 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

    And I get traffic to the upstream proxy:

    17:14:50.952063 10.102.132.38.3088 > .3128: R 187842165:187842165(0) ack 2449923915 win 0 (DF)
    17:14:52.364742 10.102.132.38.3092 > .3128: S 1325328404:1325328404(0) win 64240 (DF)
    17:14:52.366500 .3128 > 10.102.132.38.3092: S 3955775135:3955775135(0) ack 1325328405 win 65535 (DF)
    17:14:52.366713 10.102.132.38.3092 > .3128: . ack 1 win 64240 (DF)
    17:14:52.367808 10.102.132.38.3092 > .3128: P 1:696(695) ack 1 win 64240 (DF)
    17:14:52.368737 .3128 > 10.102.132.38.3092: . ack 696 win 65535 (DF)

    Note that once again I removed the actual IP and replaced it with “IP”, since this is a public IP. Anyway, the problem now is that the request shows up in my upstream proxy logs as http://:3128/morestuff. So you can see for some reason it’s inserting the :3128 into the forwarding request. Note that this upstream proxy forwards to yet another upstream proxy.

    At least that’s how it’s forwarding the request. When I look at packet captures from this upstream proxy I notice that when I’m not using transparent proxy for my Zeroshell, and point my browser directly to the upstream proxy, then it will send a correct absolute URI: http:///morestuff. But when I transparently proxy, with no proxy set in the browser, then I see an absolute path sent: /morestuff

    I’m not sure if this plays a part in the problem. I’m pretty sure that when you specify a proxy in your browser, it then sends requests in absolute URI instead of absolute path. But it may be unrelated to the problem with the :3128 being stuck into my request. Any ideas?
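    Why the request shows up as http://:3128/morestuff: the following is an added example (not code from this thread, from Zeroshell or from any proxy) that models how a forward proxy rebuilds a URL from what it receives. A DNAT to a remote proxy delivers the browser's origin-form request (just /morestuff plus a Host header) to a plain proxy port, which treats it as addressed to the proxy itself; only a local REDIRECT lets the proxy recover the original destination from the kernel's NAT table. The proxy address and hostnames below are placeholders.

```python
# Added example (not from the thread or from Zeroshell): a model of how a
# forward proxy turns a received request line into the URL it logs.
# PROXY_LISTEN is a placeholder for the upstream proxy's own address.
PROXY_LISTEN = ("proxy.example.test", 3128)

# Constructed sample requests. A browser with no proxy configured sends the
# first (origin-form); a browser with an explicit proxy sends the second
# (absolute-form). The third is HTTP/1.0 without a Host header.
ORIGIN_FORM = b"GET /morestuff HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
ABSOLUTE_FORM = (b"GET http://www.example.test/morestuff HTTP/1.1\r\n"
                 b"Host: www.example.test\r\n\r\n")
NO_HOST = b"GET /morestuff HTTP/1.0\r\n\r\n"


def parse_request(raw: bytes):
    """Split an HTTP request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def reconstruct_url(raw: bytes, intercept: bool, listen=PROXY_LISTEN):
    """Return the URL a proxy would log for this request, or None.

    intercept=False models a plain proxy port: an origin-form target is taken
    as a request for the proxy itself, so the URL is built from the listening
    address (the 'http://<ip>:3128/morestuff' seen in the thread, IP elided).
    intercept=True models an intercept port that trusts the Host header; after
    a remote DNAT the original destination IP is gone, so a missing Host
    header leaves nothing to rebuild from and None is returned.
    """
    _method, target, _version, headers = parse_request(raw)
    if target.startswith("http://"):
        return target                      # absolute-form: origin already named
    if intercept:
        host = headers.get("host")
        return f"http://{host}{target}" if host else None
    host, port = listen
    return f"http://{host}:{port}{target}"
```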

    #50420

    ppalias
    Member

    First of all disable the internal ZS transparent proxy. Then read the manual on DNAT ( http://www.frozentux.net/iptables-tutorial/chunkyhtml/x4033.html ). They have some examples on redirecting the destination. The REDIRECT command is used only for redirecting packets to the ZS itself.

    #50421

    braan
    Member

    I don’t think it is possible even if you do some tinkering around…

    #50422

    Hannek
    Member

    @braan wrote:

    I don’t think it is possible even if you do some tinkering around…

    I agree with you. At least, disabling the internal ZS transparent proxy doesn’t make any difference.
