Find the answer to your Linux question:
Results 1 to 6 of 6
I'm running DD-WRT on a Linksys WRT-160N router. I'm using iptables to create a transparent proxy, passing all port 80 traffic to another box running Squid. It's working fine, except ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Oct 2009
    Posts
    4

    source address problem using transparent proxy


    I'm running DD-WRT on a Linksys WRT-160N router. I'm using iptables to create a transparent proxy, passing all port 80 traffic to another box running Squid. It's working fine, except that when I look at my Squid logs (access.log), the source address of all the traffic is the Linksys router, and not the actual originating client. My iptables rules are copied below. Am I doing something wrong? Any help appreciated. Thanks.

    iptables -t nat -A PREROUTING -i br0 -s 192.168.101.0/24 -d 192.168.101.0/24 -p tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i br0 -s ! 192.168.101.3 -p tcp --dport 80 -j DNAT --to 192.168.101.3:3128
    iptables -t nat -A POSTROUTING -o br0 -s 192.168.101.0/24 -p tcp -d 192.168.101.3 -j SNAT --to 192.168.101.1
    iptables -t filter -I FORWARD -s 192.168.101.0/24 -d 192.168.101.3 -i br0 -o br0 -p tcp --dport 3128 -j ACCEPT

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    What does your entire firewall rules look like?

    don't understand why you are doing this;

    Code:
    iptables -t nat -A PREROUTING -i br0 -s 192.168.101.0/24 -d 192.168.101.0/24 -p tcp --dport 80 -j ACCEPT
    Also don't understand why you are doing this either;
    Code:
    iptables -t nat -A POSTROUTING -o br0 -s 192.168.101.0/24 -p tcp -d 192.168.101.3 -j SNAT --to 192.168.101.1

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Linux Newbie
    Join Date
    Aug 2009
    Location
    Mumbai, India
    Posts
    113
    Hi,

    The SNAT rule for IP tables replaces the original IP in the packet with the new SNAT packet. IMHO there is no way that the original IP is sort of encapsulated in the data packet and fetched later on.

    Other option that might work ( though I've not tried it out ), would be to use the mangle table on the Linksys router, mark packets and re-route it to the squid server. Something on the lines of the following:
    On router
    Code:
    iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s squid-box
    iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
    ip rule add fwmark 3 table 2
    ip route add default via squid-box dev eth1 table 2
    On Squid server:
    Code:
    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    Your would need to create second routing table as well for the ip route / ip rule command to work.

    --Syd

  4. $spacer_open
    $spacer_close
  5. #4
    Just Joined!
    Join Date
    Oct 2009
    Posts
    4
    I haven't yet tried anything with regard to the 'mangle' suggestion, but I have played around a bit more and gotten things working with just this one line:

    iptables -t nat -A PREROUTING -i br0 -s ! 192.168.1.3 -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128

    So if the source is address is anything other than 1.3, forward all port 80 traffic to 1.3 on port 3128. I'm not doing anything with source address translation, yet the squid access.log (on 1.3) shows the linksys router (iptables box/ 1.1) as the source address. Here's a snippet from the squid access.log:

    1259673516.405 36 192.168.1.1 TCP_MISS/200 394 HEAD <url here that linuxforums.org won't allow in my post> - DIRECT/208.111.185.136 application/octet-stream

    Something going on with iptables and/or dd-wrt natively that I clearly don't understand. Any insight appreciated.

  6. #5
    Just Joined!
    Join Date
    Oct 2009
    Posts
    4
    iptables rule output if it's of any value. Stuff going on under the hood done automatically with dd-wrt that I'm not doing. The only command I've added is the one in the previous post.

    root@linksys:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    DROP udp -- anywhere anywhere udp dpt:route
    DROP udp -- anywhere anywhere udp dpt:route
    ACCEPT udp -- anywhere anywhere udp dpt:route
    DROP icmp -- anywhere anywhere
    DROP igmp -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere state NEW
    logaccept 0 -- anywhere anywhere state NEW
    DROP 0 -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT gre -- 192.168.1.0/24 anywhere
    ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:1723
    ACCEPT 0 -- anywhere anywhere
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    lan2wan 0 -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere 192.168.1.3 tcp dpt:ssh
    TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
    trigger_out 0 -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere state NEW
    DROP 0 -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain advgrp_1 (0 references)
    target prot opt source destination

    Chain advgrp_10 (0 references)
    target prot opt source destination

    Chain advgrp_2 (0 references)
    target prot opt source destination

    Chain advgrp_3 (0 references)
    target prot opt source destination

    Chain advgrp_4 (0 references)
    target prot opt source destination

    Chain advgrp_5 (0 references)
    target prot opt source destination

    Chain advgrp_6 (0 references)
    target prot opt source destination

    Chain advgrp_7 (0 references)
    target prot opt source destination

    Chain advgrp_8 (0 references)
    target prot opt source destination

    Chain advgrp_9 (0 references)
    target prot opt source destination

    Chain grp_1 (1 references)
    target prot opt source destination

    Chain grp_10 (0 references)
    target prot opt source destination

    Chain grp_2 (0 references)
    target prot opt source destination

    Chain grp_3 (0 references)
    target prot opt source destination

    Chain grp_4 (0 references)
    target prot opt source destination

    Chain grp_5 (0 references)
    target prot opt source destination

    Chain grp_6 (0 references)
    target prot opt source destination

    Chain grp_7 (0 references)
    target prot opt source destination

    Chain grp_8 (0 references)
    target prot opt source destination

    Chain grp_9 (0 references)
    target prot opt source destination

    Chain lan2wan (1 references)
    target prot opt source destination
    grp_1 0 -- anywhere anywhere

    Chain logaccept (1 references)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere

    Chain logdrop (0 references)
    target prot opt source destination
    LOG 0 -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    LOG 0 -- anywhere anywhere state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    DROP 0 -- anywhere anywhere

    Chain logreject (0 references)
    target prot opt source destination
    LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `WEBDROP '
    REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset

    Chain trigger_out (1 references)
    target prot opt source destination
    root@linksys:~#

    root@linksys:~# iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT icmp -- anywhere adsl-178-20-245.chs.bellsouth.net to:192.168.1.1
    DNAT tcp -- anywhere adsl-178-20-245.chs.bellsouth.net tcp dpt:ssh to:192.168.1.3:22
    TRIGGER 0 -- anywhere adsl-178-20-245.chs.bellsouth.net TRIGGER type:dnat match:0 relate:0
    DNAT tcp -- !192.168.1.3 anywhere tcp dpt:www to:192.168.1.3:3128

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    SNAT 0 -- anywhere anywhere to:74.178.20.245
    RETURN 0 -- anywhere anywhere PKTTYPE = broadcast
    MASQUERADE 0 -- 192.168.1.0/24 192.168.1.0/24

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

  7. #6
    Just Joined!
    Join Date
    Oct 2009
    Posts
    4
    Found this at linuxdevcenter.com. Seems to describe my problem. Any help with crafting the iptables rules to support what it's describing here appreciated.

    "You can have proxies which aren't on the intercepting machine, but these are more awkward. First, the source address of the request is no longer available to the proxy -- it's lost in the process of redirection. You can solve this by using destination NAT (Network Address Translation), but you then have to route the proxy traffic back through the translating server. If you attempt to have the proxy pass the HTTP response back directly, the client will be confused and (quite correctly) refuse to speak to the proxy. The proxy is not the machine the client thinks it's talking to -- the client thinks it's making the request of the destination web server. The proxy must route back through the interceptor, so it can translate the addresses back, and let the client continue to believe it's speaking directly to the web server."

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •