Niels Ganser
2006-Oct-07 16:27 UTC
Transparent remote Proxy via SSH-Tunnel (should be trivial?)
Hey,

I wrestled quite a bit with shorewall (version 3.0.4) lately to get something to work which I expected to be fairly trivial. Most likely it really is but I just can't figure it out..

Consider the following scenario:
All HTTP(S) Traffic from a local machine should be routed through a SSH tunnel to a remote (squid) proxy. The SSH Tunnel locally listens on port 3128. That's also the port on which everything ends up on the remote machine (shouldn't matter though?!). The setup works as long as I configure client programs manually to use this proxy (localhost:3128) but I'd love to have a transparent proxy (i.e. the clients don't know anything about it).

I thought it was just a matter of redirecting any outgoing request to port 80 resp. 443 to 127.0.0.1:3128 but either that's not the way to go or I am not able to set those redirects up properly :)

I managed to redirect the request to the remote proxy (via SSH tunnel), however the original hostname seems to get lost along the way since I only receive errors from the proxy. The squid logs show something like

1160238209.322 342 127.0.0.1 TCP_DENIED/400 1574 GET /rss/newsonline_world_edition/front_page/rss.xml - NONE/- text/html

as opposed to the expected

1160237922.254 362 127.0.0.1 TCP_REFRESH_MISS/200 16428 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml - DIRECT/212.58.226.8 application/xml

My shorewall rules file looks like that:

ACCEPT $FW net:remote-host tcp 22
# Redirect HTTP requests to local tunnel to proxy
REDIRECT $FW 3128 tcp 80
ACCEPT $FW net:127.0.0.1 tcp 3128

The policy file arranges for everything besides $FW to $FW to be dropped.

Yes, my understanding of shorewall and iptables unfortunately is pretty limited. I hope that somebody here can give me a nod into the right direction, surely there must be a set up like this out there?!

Regards,
Niels

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Simon Matter
2006-Oct-07 16:53 UTC
Re: Transparent remote Proxy via SSH-Tunnel (should be trivial?)
> Hey,
>
> I wrestled quite a bit with shorewall (version 3.0.4) lately to get
> something to work which I expected to be fairly trivial. Most likely
> it really is but I just can't figure it out..
>
> Consider the following scenario:
> All HTTP(S) Traffic from a local machine should be routed through a
> SSH tunnel to a remote (squid) proxy. The SSH Tunnel locally listens
> on port 3128. That's also the port on which everything ends up on the
> remote machine (shouldn't matter though?!). The setup works as long as
> I configure client programs manually to use this proxy
> (localhost:3128) but I'd love to have a transparent proxy (i.e. the
> clients don't know anything about it).
>
> I thought it was just a matter of redirecting any outgoing request to
> port 80 resp. 443 to 127.0.0.1:3128 but either that's not the way to
> go or I am not able to set those redirects up properly :)
>
> I managed to redirect the request to the remote proxy (via SSH
> tunnel), however the original hostname seems to get lost along the way
> since I only receive errors from the proxy. The squid logs show
> something like
> 1160238209.322 342 127.0.0.1 TCP_DENIED/400 1574 GET
> /rss/newsonline_world_edition/front_page/rss.xml - NONE/- text/html
> as opposed to the expected
> 1160237922.254 362 127.0.0.1 TCP_REFRESH_MISS/200 16428 GET
> http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml
> - DIRECT/212.58.226.8 application/xml
>
> My shorewall rules file looks like that:
> ACCEPT $FW net:remote-host tcp 22
> # Redirect HTTP requests to local tunnel to proxy
> REDIRECT $FW 3128 tcp 80
> ACCEPT $FW net:127.0.0.1 tcp 3128
>
> The policy file arranges for everything besides $FW to $FW to be dropped.
>
> Yes, my understanding of shorewall and iptables unfortunately is
> pretty limited. I hope that somebody here can give me a nod into the
> right direction, surely there must be a set up like this out there?!

Did you configure your Squid to act as a transparent proxy?

Did you read http://www.shorewall.net/Shorewall_Squid_Usage.html and http://www.tldp.org/HOWTO/TransparentProxy.html?

Simon
Roberto C. Sanchez
2006-Oct-07 17:33 UTC
Re: Transparent remote Proxy via SSH-Tunnel (should be trivial?)
On Sun, Oct 08, 2006 at 02:27:13AM +1000, Niels Ganser wrote:
> Hey,
>
> I wrestled quite a bit with shorewall (version 3.0.4) lately to get
> something to work which I expected to be fairly trivial. Most likely
> it really is but I just can't figure it out..
>
> Consider the following scenario:
> All HTTP(S) Traffic from a local machine should be routed through a
> SSH tunnel to a remote (squid) proxy. The SSH Tunnel locally listens
> on port 3128. That's also the port on which everything ends up on the
> remote machine (shouldn't matter though?!). The setup works as long as
> I configure client programs manually to use this proxy
> (localhost:3128) but I'd love to have a transparent proxy (i.e. the
> clients don't know anything about it).
>
> I thought it was just a matter of redirecting any outgoing request to
> port 80 resp. 443 to 127.0.0.1:3128 but either that's not the way to
> go or I am not able to set those redirects up properly :)
>
> I managed to redirect the request to the remote proxy (via SSH
> tunnel), however the original hostname seems to get lost along the way
> since I only receive errors from the proxy. The squid logs show
> something like
> 1160238209.322 342 127.0.0.1 TCP_DENIED/400 1574 GET
> /rss/newsonline_world_edition/front_page/rss.xml - NONE/- text/html
> as opposed to the expected
> 1160237922.254 362 127.0.0.1 TCP_REFRESH_MISS/200 16428 GET
> http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml
> - DIRECT/212.58.226.8 application/xml
>

I'm not sure what you are trying to accomplish. However, I did want to give you some food for thought. Any https traffic cannot be transparently proxied. Think about it for a moment. Everything in the https request, except for the IPs and port numbers, is encrypted. You want the user to set up proxies explicitly. If not, what is to stop anyone along the way from proxying your SSL traffic? If that is the case, then what good is SSL?

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Niels Ganser
2006-Oct-08 08:55 UTC
Re: Transparent remote Proxy via SSH-Tunnel (should be trivial?)
Thanks for the pointers, Simon,

> Did you configure your Squid to act as a transparent proxy? Did you read
> http://www.shorewall.net/Shorewall_Squid_Usage.html and
> http://www.tldp.org/HOWTO/TransparentProxy.html?

I read both documents but somehow overlooked the httpd_accel_host setting. Apparently I concentrated too much on the Shorewall part whereas setting the former to virtual just did the trick :)

Thanks again,
Niels
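The symptom in the first post (a request logged as a bare path and rejected with TCP_DENIED/400, versus the expected absolute URL) is easy to spot mechanically. The following is an added example, not code from the thread, from Squid or from Shorewall: it parses Squid's native access.log format and flags entries where a REDIRECTed client request reached a proxy that is not running in transparent mode. The two sample lines are the ones quoted in the first post; the field layout assumed is Squid's classic 10-field format.

```python
"""Flag Squid access.log entries that show the symptom from the thread:
a request redirected into a proxy that is not running in transparent mode.
Added example, not code from the original thread or from Squid/Shorewall."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# The two access.log lines quoted in the first post, used as sample input.
SAMPLE_LOG = """\
1160238209.322 342 127.0.0.1 TCP_DENIED/400 1574 GET /rss/newsonline_world_edition/front_page/rss.xml - NONE/- text/html
1160237922.254 362 127.0.0.1 TCP_REFRESH_MISS/200 16428 GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml - DIRECT/212.58.226.8 application/xml
"""

@dataclass
class SquidEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str        # e.g. TCP_DENIED
    status: int        # HTTP status, e.g. 400
    size: int
    method: str
    url: str
    hierarchy: str     # e.g. NONE/- or DIRECT/212.58.226.8
    content_type: str

def parse_squid_line(line: str) -> SquidEntry:
    """Parse one line of Squid's native 10-field access.log format."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
    result, status = f[3].split("/", 1)
    return SquidEntry(float(f[0]), int(f[1]), f[2], result, int(status),
                      int(f[4]), f[5], f[6], f[8], f[9])

def is_relative_request(entry: SquidEntry) -> bool:
    """True when the logged URL is a bare path such as '/rss/...': the client
    sent a plain 'GET /path' (plus Host: header) and never knew about a proxy."""
    parts = urlsplit(entry.url)
    return not parts.scheme and not parts.netloc and entry.url.startswith("/")

def diagnose(log_text: str) -> list[str]:
    """One finding per line where a relative request was rejected with 400."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        e = parse_squid_line(line)
        if is_relative_request(e) and e.result == "TCP_DENIED" and e.status == 400:
            findings.append(f"{e.client} {e.method} {e.url}: rejected {e.result}/{e.status}; "
                            "proxy reached via REDIRECT but not in transparent mode")
    return findings
```

Run `diagnose` over a real access.log and an empty result means the proxy is reconstructing absolute URLs from the Host header as the thread's httpd_accel_host fix intends.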
Niels Ganser
2006-Oct-08 08:58 UTC
Re: Transparent remote Proxy via SSH-Tunnel (should be trivial?)
Roberto,

> I'm not sure what you are trying to accomplish. However, I did want to
> give you some food for thought. Any https traffic cannot be
> transparently proxied.

You are of course right. Thank you for pointing it out to me before I go mad trying to get that to work in the middle of some lonely, coffee-drenched night.

Regards,
Niels