Re: [suse-security] Transparent proxy ...
> The problem is that the squid server is running on another PC (I called it PC2 in my previous emails) and the packet filtering is happening on PC1!!!
> So I need to redirect to a port on another machine! This is not possible directly with ipchains, isn't it? Redirecting to another port on the same machine is not the problem.

AFAIK ipchains cannot redirect to another port on another machine. But there is other software you can use to have the expected effect: rinetd. It's on the CD, works seamlessly; the only point of criticism in my opinion: you'll have to specify IP addresses in the config file. DNS names are not resolved.

-- Thomas
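Thomas's suggestion, worked through as an added example that is not part of the thread: ipchains on PC1 does the same-machine REDIRECT it is able to do, and rinetd on PC1 relays that local port to squid on PC2. The addresses (192.168.0.0/24 as the LAN, 192.168.0.1 as PC1's internal address, 192.168.0.2 as PC2) and the port 3128 are constructed placeholders; the kernel on PC1 needs transparent proxy support (CONFIG_IP_TRANSPARENT_PROXY) for the REDIRECT target. The script only prints the configuration; run the printed lines as root on PC1.

```shell
#!/bin/sh
# Added example (not from the thread). PC1 = ipchains gateway, PC2 = squid host.
# All addresses below are constructed placeholders.
LAN_NET="192.168.0.0/24"   # assumed internal network behind PC1
PC1_IP="192.168.0.1"       # assumed internal address of PC1
PC2_IP="192.168.0.2"       # assumed address of the squid host
SQUID_PORT="3128"          # squid's http_port on PC2
RELAY_PORT="3128"          # local port rinetd binds on PC1

# One rinetd.conf line: bindaddress bindport connectaddress connectport.
# rinetd takes IP addresses only (no DNS names), as Thomas notes.
rinetd_conf() {
    printf '%s %s %s %s\n' "$PC1_IP" "$RELAY_PORT" "$PC2_IP" "$SQUID_PORT"
}

# ipchains rules for PC1's input chain (evaluated in order, first match wins):
#  1. squid's own fetches from PC2 must not be redirected back to the relay,
#     otherwise every request loops PC2 -> PC1 -> PC2;
#  2. everything else from the LAN aimed at port 80 is redirected to rinetd.
redirect_rules() {
    printf 'ipchains -A input -p tcp -s %s -d 0/0 80 -j ACCEPT\n' "$PC2_IP"
    printf 'ipchains -A input -p tcp -s %s -d 0/0 80 -j REDIRECT %s\n' "$LAN_NET" "$RELAY_PORT"
}

# Dry run: show what would be installed instead of installing it.
echo "# /etc/rinetd.conf on PC1"
rinetd_conf
echo "# ipchains on PC1"
redirect_rules
```

Caveat for the squid side: rinetd opens a fresh TCP connection, so squid on PC2 sees PC1 as the client and its own address as the destination. The original destination is gone from the socket, so squid has to take the origin host from the HTTP Host header (in squid 2.x the accelerator settings httpd_accel_host virtual, httpd_accel_port 80, httpd_accel_with_proxy on and httpd_accel_uses_host_header on). It also means squid's access log and any per-client ACLs only ever see PC1's address; if you need client identity on the proxy, the policy-routing approach discussed later in the thread keeps it.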
tschweikle@fiducia.de wrote:

> So I need to redirect to a port on another machine! This is not possible directly with ipchains, isn't it? Redirecting to another port on the same machine is not the problem.
>
> AFAIK ipchains cannot redirect to another port on another machine. But there is other software you can use to have the expected effect: rinetd. It's on the CD, works seamlessly; the only point of criticism in my opinion: you'll have to specify IP addresses in the config file. DNS names are not resolved.

Another option (at least for 2.2 kernels) should be:

ipmasqadm portfw - Port-forwarding
This module is able to forward to-firewall packets to internal hosts, based on address and port specification.

see: http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html

f.ex.: ipmasqadm portfw -a -P tcp -L your.ext.ip smtp -R your.smtp.host smtp

You still need ipchains to reverse masquerade:
ipchains -I forward -p tcp -s your.smtp.host smtp -j MASQ

-cdr
Chris Drauch wrote:

> tschweikle@fiducia.de wrote:
>
>> So I need to redirect to a port on another machine! This is not possible directly with ipchains, isn't it? Redirecting to another port on the same machine is not the problem.
>>
>> AFAIK ipchains cannot redirect to another port on another machine. But there is other software you can use to have the expected effect: rinetd. It's on the CD, works seamlessly; the only point of criticism in my opinion: you'll have to specify IP addresses in the config file. DNS names are not resolved.
>
> Another option (at least for 2.2 kernels) should be:
>
> ipmasqadm portfw - Port-forwarding
> This module is able to forward to-firewall packets to internal hosts, based on address and port specification.

This won't work because portfw can just forward a port from one machine to another. So the traffic that you want to forward must have your host as destination (e.g. having a web server in the DMZ with a private IP and doing port forwarding from the firewall with a real IP to the web server). For a transparent proxy, you will have to redirect traffic that is normally routed through your gateway. I guess this isn't called port forwarding. It's a combination of packet filtering and policy-based routing: mark your HTTP packets on your Internet gateway (with ipchains -m) and insert a routing rule (with iproute2) which routes these packets through your machine with the transparent proxy. On your machine with the transparent proxy, you can redirect the traffic via ipchains. AFAIK, there is a section about this in the Advanced Routing HOWTO.

> see: http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html
>
> f.ex.: ipmasqadm portfw -a -P tcp -L your.ext.ip smtp -R your.smtp.host smtp
>
> You still need ipchains to reverse masquerade:
> ipchains -I forward -p tcp -s your.smtp.host smtp -j MASQ

Sven
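Sven's mark-and-route approach, written out as an added example that is not part of the thread: PC1 (the Internet gateway) marks the LAN's port-80 packets with ipchains -m in the input chain, an iproute2 rule sends packets carrying that mark to a routing table whose default route is PC2, and PC2 does the same-machine REDIRECT into squid. Unlike a TCP relay, the packet still carries the client's address and the original destination when it reaches PC2. Everything below is assumed: 192.168.0.0/24 as the LAN, 192.168.0.2 as PC2, eth0 as PC1's internal interface, mark 1, table 100, squid on port 3128, a 2.2 kernel with policy routing (CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_MULTIPLE_TABLES) on PC1 and transparent proxy support on PC2. The script prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread). PC1 = Internet gateway, PC2 = squid host.
# All values below are constructed placeholders.
LAN_NET="192.168.0.0/24"   # assumed internal network
PC2_IP="192.168.0.2"       # assumed address of the squid host
LAN_IF="eth0"              # assumed internal interface of PC1
SQUID_PORT="3128"          # squid's http_port on PC2
MARK="1"                   # fwmark that selects the proxy route
TABLE="100"                # routing table holding the route via PC2

# Commands for PC1. Order matters in the input chain: the ACCEPT for PC2
# terminates traversal for squid's own outbound fetches, so they are never
# marked and never sent back to PC2 (loop). The -m rule only marks and lets
# the packet continue; the mark is set before the routing decision, where
# the fwmark rule picks the table with PC2 as next hop. send_redirects is
# switched off on the LAN side because PC1 would otherwise tell clients to
# use PC2 directly, bypassing the gateway's filtering.
gateway_rules() {
    printf 'ipchains -A input -p tcp -s %s -d 0/0 80 -j ACCEPT\n' "$PC2_IP"
    printf 'ipchains -A input -p tcp -s %s -d 0/0 80 -m %s\n' "$LAN_NET" "$MARK"
    printf 'ip rule add fwmark %s table %s\n' "$MARK" "$TABLE"
    printf 'ip route add default via %s table %s\n' "$PC2_IP" "$TABLE"
    printf 'ip route flush cache\n'
    printf 'echo 0 > /proc/sys/net/ipv4/conf/%s/send_redirects\n' "$LAN_IF"
}

# Command for PC2: redirect the arriving port-80 traffic into the local squid.
# PC2's own requests leave through the output chain, so they are not caught.
proxy_rules() {
    printf 'ipchains -A input -p tcp -s %s -d 0/0 80 -j REDIRECT %s\n' "$LAN_NET" "$SQUID_PORT"
}

echo "# on PC1 (gateway)"
gateway_rules
echo "# on PC2 (squid host)"
proxy_rules
```

Because the redirected socket on PC2 still knows the original destination, squid 2.x can run in its usual transparent configuration (httpd_accel_host virtual, httpd_accel_port 80, httpd_accel_with_proxy on, httpd_accel_uses_host_header on) and logs the real client address, which is what makes per-client ACLs and audit of the proxy log meaningful. Verify on PC1 with ipchains -L input -n -v that the mark rule's counters increase and with ip route show table 100 that the proxy route is present.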
[some parts snipped]

Sven Schultheiß wrote:

> Chris Drauch wrote:
>
>> tschweikle@fiducia.de wrote:
>>
>>> So I need to redirect to a port on another machine! This is not possible directly with ipchains, isn't it? Redirecting to another port on the same machine is not the problem.
>>
>> Another option (at least for 2.2 kernels) should be:
>>
>> ipmasqadm portfw - Port-forwarding
>> This module is able to forward to-firewall packets to internal hosts, based on address and port specification.
>
> This won't work because portfw can just forward a port from one machine to another. So the traffic that you want to forward must have your host as destination (e.g. having a web server in the DMZ with a private IP and doing port forwarding from the firewall with a real IP to the web server). For a transparent proxy, you will have to redirect traffic that is normally routed through your gateway. I guess this isn't called port forwarding.

Sorry Sven, but it seems that you have not understood the complete picture. Port forwarding is exactly what I have written about. Please read the docs and the initial question again; if a packet is already addressed f.ex. to DMZ.IP/http you would just need correct routes, nothing more. But the initial post was asking about "redirect to a port on another machine!".

--cdr
participants (3):
- Chris Drauch
- Sven Schultheiß
- tschweikle@fiducia.de