Hallo,

I got a little problem with redirection.

The situation is:

I want to redirect queries to ports 80, 443, 21 and 20 to a proxy server. The
users and the proxy are in the same network. The proxy doesn't run on the
firewall.
The proxy has address 192.89.12.231 and is listening on port 8080. The
firewall has on the local side 192.89.12.234.
So how can I redirect all queries to the proxy server except queries from
the proxy server?

Greetings
Richard

***********************************************************************
Regionalverkehr Köln GmbH
Richard Cochius
Dept. IT Data Processing/Engineering
Theodor-Heuss-Ring 38-40
50668 Köln
Phone: (0221) - 16 37- 607
Fax: (02 21) - 16 37- 226
Mobile: 0160 - 8861366
mailto:richard.cochius@rvk.de
www.rvk.de <http://www.rvk.de>

The information contained in this message is confidential. It is intended solely for the addressee. If you are not the intended recipient, please notify the sender and delete this message from your system immediately. For legal and security reasons, the information given in this e-mail and its attachments is not legally binding. In particular, e-mails and attachments do not constitute legally binding declarations of intent. Contracts are concluded, and unilateral declarations of intent made, in writing only. Please note that any form of unauthorised use, publication, reproduction or forwarding of the content of this e-mail is not permitted.
On Tue, 16 Jul 2002, Richard Cochius wrote:

> Hallo,
>
> I got a little problem with redirection.
>
> The situation is:
>
> I want to redirect queries to ports 80, 443, 21 and 20 to a proxy server. The
> users and the proxy are in the same network. The proxy doesn't run on the
> firewall.
> The proxy has address 192.89.12.231 and is listening on port 8080. The
> firewall has on the local side 192.89.12.234.
> So how can I redirect all queries to the proxy server except queries from
> the proxy server?
>

DNAT loc:!192.89.12.231 loc:192.89.12.231:8080 tcp 80
DNAT loc:!192.89.12.231 loc:192.89.12.231:8080 tcp 443
...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Tue, 16 Jul 2002, Tom Eastep wrote:

> On Tue, 16 Jul 2002, Richard Cochius wrote:
>
> > Hallo,
> >
> > I got a little problem with redirection.
> >
> > The situation is:
> >
> > I want to redirect queries to ports 80, 443, 21 and 20 to a proxy server. The
> > users and the proxy are in the same network. The proxy doesn't run on the
> > firewall.
> > The proxy has address 192.89.12.231 and is listening on port 8080. The
> > firewall has on the local side 192.89.12.234.
> > So how can I redirect all queries to the proxy server except queries from
> > the proxy server?
> >
>
> DNAT loc:!192.89.12.231 loc:192.89.12.231:8080 tcp 80
> DNAT loc:!192.89.12.231 loc:192.89.12.231:8080 tcp 443
> ...
>

That having been said, I seriously doubt that this will work the way you
expect. Have a look at the "Linux Advanced Routing and Traffic Control
HOWTO" (http://www.lartc.org) for instructions on how to run a transparent
proxy on a system other than the firewall.

Also, what's the point of redirecting port 20? -- port 20 is the source
port in an outgoing connection.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep (16.7.2002 18:48):

>On Tue, 16 Jul 2002, Tom Eastep wrote:
>
>> On Tue, 16 Jul 2002, Richard Cochius wrote:
>>
>> > Hallo,
>> >
>> > I got a little problem with redirection.
>> >
>> > The situation is:
>> >
>> > I want to redirect queries to ports 80, 443, 21 and 20 to a proxy server. The
>> > users and the proxy are in the same network. The proxy doesn't run on the
>> > firewall.
>> > The proxy has address 192.89.12.231 and is listening on port 8080. The
>> > firewall has on the local side 192.89.12.234.
>> > So how can I redirect all queries to the proxy server except queries from
>> > the proxy server?
>> >
>>
>> DNAT loc:!192.89.12.231 loc:192.89.12.231:8080 tcp 80
>> DNAT loc:!192.89.12.231 loc:192.89.12.231:8080 tcp 443
>> ...
>>
>
>That having been said, I seriously doubt that this will work the way you
>expect.

I'm sure it will not work.. They are in the same subnet ...

> Have a look at the "Linux Advanced Routing and Traffic Control
>HOWTO" (http://www.lartc.org) for instructions on how to run a transparent
>proxy on a system other than the firewall.
>
>Also, what's the point of redirecting port 20? -- port 20 is the source
>port in an outgoing connection.
>
>-Tom
>--
>Tom Eastep      \ Shorewall - iptables made easy
>AIM: tmeastep   \ http://www.shorewall.net
>ICQ: #60745924  \ teastep@shorewall.net
>
>_______________________________________________
>Shorewall-users mailing list
>Shorewall-users@shorewall.net
>http://www.shorewall.net/mailman/listinfo/shorewall-users
On 16 Jul 2002, SHOREWALL TimeLord wrote:

> Tom Eastep (16.7.2002 18:48):
> >On Tue, 16 Jul 2002, Tom Eastep wrote:
> >
> >> On Tue, 16 Jul 2002, Richard Cochius wrote:
> >>
> >> > Hallo,
> >> >
> >> > i got a little problem with redirection.
> >> >
> >> > The situation is:
> >> >
> >> > I want to redirect queries to ports 80, 443, 21 and 20 to a proxy server. The
> >> > users and the proxy are in the same network. The proxy doesn't run on the
> >> > firewall.
> >> > The proxy has address 192.89.12.231 and is listening on port 8080. The
> >> > firewall has on the local side 192.89.12.234.
> >> > So how can I redirect all queries to the proxy server except queries from
> >> > the proxy server?
> >> >
> >>
> >> DNAT loc:!192.89.12.231 loc:192.89.12.231:8080 tcp 80
> >> DNAT loc:!192.89.12.231 loc:192.89.12.231:8080 tcp 443
> >> ...
> >>
> >
> >That having been said, I seriously doubt that this will work the way you
> >expect.
>
> I'm sure it will not work.. They are in the same subnet ...
>

That redirection will work provided that "multi" is specified on the local
interface (this is sort of a variation on FAQ #2). The problem is that I
believe Squid relies on a special getsockopt() function that returns the
original destination IP address. That address is only available on a local
REDIRECT.

It's been a while since I read the LARTC HOWTO but I believe that the
firewall needs to use policy routing and the system where SQUID is running
needs to REDIRECT the ports.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep (16.7.2002 19:11):

>> I'm sure it will not work.. They are in the same subnet ...
>>
>
>That redirection will work provided that "multi" is specified on the local
>interface (this is sort of a variation on FAQ #2). The problem is that I
>believe Squid relies on a special getsockopt() function that returns the
>original destination IP address. That address is only available on a local
>REDIRECT.
>

Oh yep .. U R right Tom, sorry, my mistake ..
http://lartc.org/howto/lartc.cookbook.squid.html

>It's been a while since I read the LARTC HOWTO but I believe that the
>firewall needs to use policy routing and the system where SQUID is running
>needs to REDIRECT the ports.
>
>-Tom
>--
>Tom Eastep      \ Shorewall - iptables made easy
>AIM: tmeastep   \ http://www.shorewall.net
>ICQ: #60745924  \ teastep@shorewall.net
>
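The two designs Tom contrasts in the two messages above (DNAT on the firewall to the proxy host, versus policy routing on the firewall plus a local REDIRECT on the Squid host, which is what the LARTC cookbook page TimeLord links describes), as an added example that is not part of this thread and not code from Shorewall, Squid or the LARTC HOWTO. It is a small Python model of where the NAT table entry ends up in each design, because that is what decides whether the proxy can recover the original destination. The proxy (192.89.12.231:8080) and firewall (192.89.12.234) addresses are the ones from the thread; the client 192.89.12.50 and web server 198.51.100.10 are constructed sample values, and the reply path (the "same subnet" hairpin question) is deliberately not modelled.

```python
"""Model of the two transparent-proxy designs discussed in the thread.

Added example, not code from the thread, Shorewall or Squid. Each host keeps
a NAT table keyed by the client's (address, port), which is what a conntrack
lookup for SO_ORIGINAL_DST is keyed by. Only the address rewriting is
modelled, not the reply path.
"""
from dataclasses import dataclass, replace

PROXY, PROXY_PORT = "192.89.12.231", 8080   # from the thread
FIREWALL = "192.89.12.234"                   # from the thread
INTERCEPTED_PORTS = (80, 443, 21)            # port 20 left out, as Tom suggests


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Host:
    """A host with its own NAT table: (client addr, client port) -> original (dst, dport)."""

    def __init__(self, name, addr):
        self.name, self.addr = name, addr
        self.nat_table = {}

    def dnat(self, pkt, new_dst, new_dport):
        # Rewrite the destination and remember the original one *on this host*.
        self.nat_table[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=new_dst, dport=new_dport)

    def redirect(self, pkt, local_port):
        # REDIRECT is DNAT to the host's own address, so the table entry is local.
        return self.dnat(pkt, self.addr, local_port)

    def original_dst(self, pkt):
        # What getsockopt(SO_ORIGINAL_DST) can answer for a connection accepted
        # here: only entries this host's own NAT created; None otherwise.
        return self.nat_table.get((pkt.src, pkt.sport))


def should_intercept(pkt):
    """Intercept the listed ports, but never the proxy's own outbound fetches."""
    return pkt.dport in INTERCEPTED_PORTS and pkt.src != PROXY


def dnat_on_firewall(pkt):
    """Design 1: the firewall DNATs to the proxy host (the first reply in the thread)."""
    firewall, proxy = Host("firewall", FIREWALL), Host("proxy", PROXY)
    if should_intercept(pkt):
        pkt = firewall.dnat(pkt, PROXY, PROXY_PORT)
    # The packet reaches the proxy host already addressed to it. The NAT entry
    # that knows the real destination lives on the firewall, not on the proxy.
    return {"arrives_as": pkt, "squid_sees_original_dst": proxy.original_dst(pkt)}


def policy_route_then_redirect(pkt):
    """Design 2 (LARTC cookbook): the firewall policy-routes the port to the proxy
    host without touching headers; the proxy host REDIRECTs to Squid locally."""
    proxy = Host("proxy", PROXY)
    if should_intercept(pkt):
        # Policy routing only changes the next hop; the packet still carries the
        # real destination when it arrives, so the local REDIRECT records it.
        pkt = proxy.redirect(pkt, PROXY_PORT)
    return {"arrives_as": pkt, "squid_sees_original_dst": proxy.original_dst(pkt)}


if __name__ == "__main__":
    client_request = Packet("192.89.12.50", 40000, "198.51.100.10", 80)  # constructed
    for design in (dnat_on_firewall, policy_route_then_redirect):
        result = design(client_request)
        print(f"{design.__name__}: arrives as {result['arrives_as']}, "
              f"Squid recovers original dst = {result['squid_sees_original_dst']}")
```

In both designs the packet arrives at the proxy host as 192.89.12.231:8080, so the difference is invisible on the wire at that point; it is only the locality of the NAT entry that lets the proxy answer "where was this connection really going", which is why the REDIRECT has to happen on the Squid host itself.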
What was the final outcome of this?

On July 16, 2002 01:18 pm, SHOREWALL TimeLord wrote:
> Tom Eastep (16.7.2002 19:11):
> >> I'm sure it will not work.. They are in the same subnet ...
> >>
> >
> >That redirection will work provided that "multi" is specified on the local
> >interface (this is sort of a variation on FAQ #2). The problem is that I
> >believe Squid relies on a special getsockopt() function that returns the
> >original destination IP address. That address is only available on a local
> >REDIRECT.
> >
>
> Oh yep .. U R right Tom, sorry, my mistake ..
> http://lartc.org/howto/lartc.cookbook.squid.html
>
> >It's been a while since I read the LARTC HOWTO but I believe that the
> >firewall needs to use policy routing and the system where SQUID is running
> >needs to REDIRECT the ports.
> >
> >-Tom
> >--
> >Tom Eastep      \ Shorewall - iptables made easy
> >AIM: tmeastep   \ http://www.shorewall.net
> >ICQ: #60745924  \ teastep@shorewall.net
> >

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com