Hello,

I got a problem (I think it's not a problem, I am just too stupid to manage it).

I want my server (eth1: addr:10.0.123.1, local zone), eth0 is connected to the Student-Network (addr:172.16.129.106 Mask:255.255.248.0 gateway: 172.16.128.1, net zone), to forward all packets from port 80 on the local zone to www-cache.uni-halle.de:3128 (172.16.128.1:3128) because I have to use this proxy and don't want to reconfigure my laptop (Opera and other programs) to use this proxy when I come home from work. I think what I want my server to do is to act as a transparent proxy for me.

How can I do that? Thanks for your help.

I tried to find a solution on shorewall.com but without success.

Currently I am masquerading eth1 and allowing all outbound traffic.

masq
#INTERFACE   SUBNET   ADDRESS
eth0         eth1

policy
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
loc       $FW    ACCEPT   -
$FW       all    ACCEPT   -
all       all    REJECT   info
net       all    DROP     info

rules
#ACTION   SOURCE               DEST                 PROTO   DEST          SOURCE    ORIGINAL
#                                                           PORT          PORT(S)   DEST
ACCEPT    net                  $FW                  tcp     22            -
ACCEPT    net:172.16.133.82    $FW                  udp     137:139
ACCEPT    net:172.16.133.82    $FW                  tcp     137,139,445
ACCEPT    net:172.16.133.82    $FW                  udp     1024:         137
ACCEPT    net:172.16.133.82    $FW                  tcp     21            -
ACCEPT    $FW                  net:172.16.133.82    udp     137:139
ACCEPT    $FW                  net:172.16.133.82    tcp     137,139,445
ACCEPT    $FW                  net:172.16.133.82    udp     1024:         137
ACCEPT    net                  $FW                  tcp     80,443        -

CU, bye
-->-> Bjoern <-<--

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-->Running on Gentoo Linux<--
On Thu, 30 Oct 2003, Jean Luc wrote:

> Hello,
>
> I got a problem (I think it's not a problem, I am just too stupid to manage
> it)
>
> I want my server (eth1: addr:10.0.123.1, local zone), eth0 is connected to
> the Student-Network (addr:172.16.129.106 Mask:255.255.248.0 gateway:
> 172.16.128.1, net zone), to forward all packets from port 80 on the local
> zone to www-cache.uni-halle.de:3128 (172.16.128.1:3128) because I have to
> use this proxy and don't want to reconfigure my laptop (Opera and other
> programs) to use this proxy when I come home from work. I think what I want my
> server to do is to act as a transparent proxy for me.
>
> How can I do that?
>

You do it basically like

http://shorewall.net/Shorewall_Squid_Usage.html#DMZ

with 'dmz' replaced by 'net'. You of course don't have to include any rule
to allow the proxy access to the internet.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Wed, 2003-10-29 at 16:30, Tom Eastep wrote:

> On Thu, 30 Oct 2003, Jean Luc wrote:
>
> > Hello,
> >
> > I got a problem (I think it's not a problem, I am just too stupid to manage
> > it)
> >
> > I want my server (eth1: addr:10.0.123.1, local zone), eth0 is connected to
> > the Student-Network (addr:172.16.129.106 Mask:255.255.248.0 gateway:
> > 172.16.128.1, net zone), to forward all packets from port 80 on the local
> > zone to www-cache.uni-halle.de:3128 (172.16.128.1:3128) because I have to
> > use this proxy and don't want to reconfigure my laptop (Opera and other
> > programs) to use this proxy when I come home from work. I think what I want my
> > server to do is to act as a transparent proxy for me.
> >
> > How can I do that?
> >
>
> You do it basically like
>
> http://shorewall.net/Shorewall_Squid_Usage.html#DMZ
>
> with 'dmz' replaced by 'net'. You of course don't have to include any rule
> to allow the proxy access to the internet.

I realized as I was waking up this morning that this was bad advice
which would only work if 172.16.128.1 was acting as a *transparent*
proxy.

You might try the following:

DNAT loc net:172.16.128.1:3128 tcp 80 - !172.16.128.0/27

I don't know how well this will work because the browser won't know that
it is connected to a proxy.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 30 Oct 2003 07:12:36 -0800, Tom Eastep <teastep@shorewall.net> wrote:

> On Wed, 2003-10-29 at 16:30, Tom Eastep wrote:
>> On Thu, 30 Oct 2003, Jean Luc wrote:
>>
>> > Hello,
>> >
>> > I got a problem (I think it's not a problem, I am just too stupid to
>> > manage it)
>> >
>> > I want my server (eth1: addr:10.0.123.1, local zone), eth0 is
>> > connected to the Student-Network (addr:172.16.129.106 Mask:255.255.248.0
>> > gateway: 172.16.128.1, net zone), to forward all packets from port 80 on
>> > the local zone to www-cache.uni-halle.de:3128 (172.16.128.1:3128) because
>> > I have to use this proxy and don't want to reconfigure my laptop (Opera
>> > and other programs) to use this proxy when I come home from work. I think
>> > what I want my server to do is to act as a transparent proxy for me.
>> >
>> > How can I do that?
>> >
>>
>> You do it basically like
>>
>> http://shorewall.net/Shorewall_Squid_Usage.html#DMZ
>>
>> with 'dmz' replaced by 'net'. You of course don't have to include any
>> rule to allow the proxy access to the internet.
>
> I realized as I was waking up this morning that this was bad advice
> which would only work if 172.16.128.1 was acting as a *transparent*
> proxy.
>
> You might try the following:
>
> DNAT loc net:172.16.128.1:3128 tcp 80 - !172.16.128.0/27
>
> I don't know how well this will work because the browser won't know that
> it is connected to a proxy.
>
> -Tom

Is there a possibility not to DNAT packets directed to 10.0.123.1 (for
example a request to http://10.0.123.1 or http://10.0.123.1:1400)?

Thanks for your help

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-->Running on Gentoo Linux<--
On Fri, 2003-10-31 at 07:16, Jean Luc wrote:

> >
> > You might try the following:
> >
> > DNAT loc net:172.16.128.1:3128 tcp 80 - !172.16.128.0/27
> >
> > I don't know how well this will work because the browser won't know that
> > it is connected to a proxy.
> >
> > -Tom
>
> Is there a possibility not to DNAT packets directed to 10.0.123.1 (for
> example a request to http://10.0.123.1 or http://10.0.123.1:1400)?

The rule isn't DNATing port 1400!!

You can exclude 10.0.123.1:80 from DNAT by simply adding it to the list
in the last column:

DNAT loc net:172.16.128.1:3128 tcp 80 - !172.16.128.0/27,10.0.123.1

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 31 Oct 2003 07:22:30 -0800, Tom Eastep <teastep@shorewall.net> wrote:

> On Fri, 2003-10-31 at 07:16, Jean Luc wrote:
>
>> >
>> > You might try the following:
>> >
>> > DNAT loc net:172.16.128.1:3128 tcp 80 - !172.16.128.0/27
>> >
>> > I don't know how well this will work because the browser won't know
>> > that it is connected to a proxy.
>> >
>> > -Tom
>>
>> Is there a possibility not to DNAT packets directed to 10.0.123.1 (for
>> example a request to http://10.0.123.1 or http://10.0.123.1:1400)?
>
> The rule isn't DNATing port 1400!!
>
> You can exclude 10.0.123.1:80 from DNAT by simply adding it to the list
> in the last column:
>
> DNAT loc net:172.16.128.1:3128 tcp 80 - !172.16.128.0/27,10.0.123.1
>
> -Tom

Ah fine, thx..

Now I just got one more problem:

Connecting to the domain http://xy.com/admin
(XXX.XXX.XXX.XXX:23000/index.php) fails. The server tells me:

Not Found
The requested URL /mail/ was not found on this server.

Apache/1.3.28 Server at mail.* Port 80

If I connect via the proxy, everything works.

To test this I used the rule:

DNAT loc net:172.16.128.1:3128 tcp - - !172.16.128.0/27

Any ideas?

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-->Running on Gentoo Linux<--
On Fri, 2003-10-31 at 08:26, Jean Luc wrote:

> Ah fine, thx..
>
> Now I just got one more problem:
>
> Connecting to the domain http://xy.com/admin
> (XXX.XXX.XXX.XXX:23000/index.php) fails. The server tells me:
>
> Not Found
> The requested URL /mail/ was not found on this server.
>
> Apache/1.3.28 Server at mail.* Port 80
>
> If I connect via the proxy, everything works.
>
> To test this I used the rule:
>
> DNAT loc net:172.16.128.1:3128 tcp - - !172.16.128.0/27
>
> Any ideas?

Yes -- configure your browser to use the proxy.

This is the type of problem that I was afraid you would run into given
that the proxy isn't transparent and the browser doesn't know that it is
going through a proxy.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
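As an added illustration of the two DNAT rules exchanged above (Tom's port-80 rule with the exclusion list, and the all-TCP-ports variant Bjoern tried), the following Python snippet, which is not Shorewall code and not from the thread, parses a rule line in the seven-column layout used here and evaluates where a packet from the loc zone is delivered. It assumes the SOURCE column holds a bare zone name and the DEST PORT column is either "-" or a comma-separated port list, which is all the thread uses; the 203.0.113.10 web server is a constructed TEST-NET address.

```python
import ipaddress

# Constructed for this example: the two rule lines discussed in the thread
RULE_PORT80 = "DNAT loc net:172.16.128.1:3128 tcp 80 - !172.16.128.0/27,10.0.123.1"
RULE_ALLTCP = "DNAT loc net:172.16.128.1:3128 tcp - - !172.16.128.0/27"

def parse_rule(line):
    """Parse one Shorewall 'rules' line with the seven columns used in the
    thread: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST.
    Assumption: SOURCE is a bare zone and DEST_PORT is '-' or a comma list."""
    action, source, dest, proto, dport, _sport, origdest = line.split()
    zone, target = dest.split(":", 1)
    ip, port = target.rsplit(":", 1)
    nets = []
    if origdest != "-":
        nets = [ipaddress.ip_network(n, strict=False)
                for n in origdest.lstrip("!").split(",")]
    return {
        "action": action, "source": source, "dest_zone": zone,
        "target": (ip, int(port)), "proto": proto,
        "dports": None if dport == "-" else {int(p) for p in dport.split(",")},
        # a leading '!' means "every original destination EXCEPT these"
        "negated": origdest.startswith("!"), "origdest": nets,
    }

def apply_rule(rule, src_zone, proto, dst_ip, dst_port):
    """Return the (ip, port) a packet is delivered to after the rule: the
    proxy when the rule matches, the original destination otherwise."""
    untouched = (dst_ip, dst_port)
    if rule["action"] != "DNAT" or src_zone != rule["source"]:
        return untouched
    if rule["proto"] != "-" and proto != rule["proto"]:
        return untouched
    if rule["dports"] is not None and dst_port not in rule["dports"]:
        return untouched   # e.g. port 1400 is never touched by RULE_PORT80
    addr = ipaddress.ip_address(dst_ip)
    listed = any(addr in net for net in rule["origdest"])
    if rule["origdest"] and listed == rule["negated"]:
        return untouched   # left alone because of the ORIGINAL DEST column
    return rule["target"]

if __name__ == "__main__":
    r80, rall = parse_rule(RULE_PORT80), parse_rule(RULE_ALLTCP)
    print(apply_rule(r80, "loc", "tcp", "203.0.113.10", 80))     # to the proxy
    print(apply_rule(r80, "loc", "tcp", "10.0.123.1", 80))       # server itself, excluded
    print(apply_rule(r80, "loc", "tcp", "10.0.123.1", 1400))     # not port 80, untouched
    print(apply_rule(rall, "loc", "tcp", "203.0.113.10", 23000)) # all-TCP rule proxies this too
```

The last call shows why the admin site on port 23000 broke: the all-ports rule hands that connection to the proxy as well, and the proxy only sees a plain origin-style request with no idea of the original port.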
On Fri, 31 Oct 2003 08:33:12 -0800, Tom Eastep <teastep@shorewall.net> wrote:

> On Fri, 2003-10-31 at 08:26, Jean Luc wrote:
>
>> Ah fine, thx..
>>
>> Now I just got one more problem:
>>
>> Connecting to the domain http://xy.com/admin
>> (XXX.XXX.XXX.XXX:23000/index.php) fails. The server tells me:
>>
>> Not Found
>> The requested URL /mail/ was not found on this server.
>>
>> Apache/1.3.28 Server at mail.* Port 80
>>
>> If I connect via the proxy, everything works.
>>
>> To test this I used the rule:
>>
>> DNAT loc net:172.16.128.1:3128 tcp - - !172.16.128.0/27
>>
>> Any ideas?
>
> Yes -- configure your browser to use the proxy.
>
> This is the type of problem that I was afraid you would run into given
> that the proxy isn't transparent and the browser doesn't know that it is
> going through a proxy.
>
> -Tom

Now I know the problem ... it's not so important.
So this problem just depends on the proxy of the university. And there is
no way to avoid this problem except making the proxy of the university
transparent, is that correct?

I am wondering why they don't run squid transparent. Are there any
disadvantages?

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-->Running on Gentoo Linux<--
On Fri, 2003-10-31 at 09:25, Jean Luc wrote:

> >
> > This is the type of problem that I was afraid you would run into given
> > that the proxy isn't transparent and the browser doesn't know that it is
> > going through a proxy.
> >
> > -Tom
>
> Now I know the problem ... it's not so important.
> So this problem just depends on the proxy of the university. And there is
> no way to avoid this problem except making the proxy of the university
> transparent, is that correct?
>
> I am wondering why they don't run squid transparent. Are there any
> disadvantages?

It's harder to set up because you have to configure your gateway routers
to redirect all port 80 traffic to the proxy (excluding traffic from the
proxy itself of course).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-10-31 at 09:40, Tom Eastep wrote:

> >
> > I am wondering why they don't run squid transparent. Are there any
> > disadvantages?
>
> It's harder to set up because you have to configure your gateway routers
> to redirect all port 80 traffic to the proxy (excluding traffic from the
> proxy itself of course).
>

Note that this isn't a requirement for running Squid transparently (in
fact, a transparent proxy can also be used manually) but it *is* a
requirement for being able to use the proxy transparently.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 31 Oct 2003 09:51:31 -0800, Tom Eastep <teastep@shorewall.net> wrote:

> On Fri, 2003-10-31 at 09:40, Tom Eastep wrote:
>
>> >
>> > I am wondering why they don't run squid transparent. Are there any
>> > disadvantages?
>>
>> It's harder to set up because you have to configure your gateway routers
>> to redirect all port 80 traffic to the proxy (excluding traffic from the
>> proxy itself of course).
>>
>
> Note that this isn't a requirement for running Squid transparently (in
> fact, a transparent proxy can also be used manually) but it *is* a
> requirement for being able to use the proxy transparently.
>
> -Tom

Ah, I understand. So I am not able to avoid this problem.

Thanks anyway; the few sites using a non-standard port I have to view with
the proxy enabled in Opera. I think I can live with it :-)

Thanks again.

CU
Bjoern

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
-->Running on Gentoo Linux<--