 From:  "Frans King" <frans dot king at f333 dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Cc:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Transparent HTTP proxy
 Date:  Sat, 12 Feb 2005 19:38:55 -0000
I read in the m0n0wall documentation that transparent proxying is not
supported because of the issue of figuring out what the actual HTTP request
is. I have pretty much the same situation as described here
http://m0n0.ch/wall/list/?action=show_msg&actionargs%5B%5D=106&actionargs%5B%5D=46:

WAN
|
|
M0n0-----DMZ (proxy server = 10.0.1.2)
|
|
|
LAN (clients - 10.0.0.0/28)

The idea is to have HTTP traffic forced through the proxy server, which is in
fact possible with m0n0wall and squid under Linux.

I followed the squid docs on transparent proxies
(http://www.squid-cache.org/Doc/FAQ/FAQ-17.html) adding these lines:

http_port 8080                   # port squid listens on
httpd_accel_host virtual         # accelerator mode: accept requests for any host
httpd_accel_port 80              # the port the clients thought they were talking to
httpd_accel_with_proxy  on       # keep normal (explicit) proxying working as well
httpd_accel_uses_host_header on  # take the origin server from the Host: header

to my squid.conf so that squid recognizes hijacked connections.

Then I added a redirect rule in m0n0wall via exec.php:

echo "rdr rl0 0/0 port http -> 10.0.1.2 port 3128" > rules   # write the ipnat rule to a file
ipnat -f rules                                               # load it

And lo and behold, any traffic on port 80 going into my LAN interface is
redirected to the squid proxy.

Obviously this will not work for situations where the proxy server resides
on the LAN interface but with some tweaking of the redirect rule it should
be possible.

Also I don't know about other proxy servers and whether they can intercept
hijacked connections.

Regards,

Frans