 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] RE: [m0n0wall] Transparent HTTP proxy
 Date:  Mon, 14 Feb 2005 11:21:35 -0500
On Saturday 12 February 2005 4:58 pm, Frans King wrote:
> 
> > -----Original Message-----
> > From: Frans King [mailto:frans dot king at f333 dot net]
> > Sent: 12 February 2005 19:39
> > To: m0n0wall at lists dot m0n0 dot ch
> > Cc: m0n0wall dash dev at lists dot m0n0 dot ch
> > Subject: [m0n0wall] Transparent HTTP proxy
> > 
> > I read in the m0n0wall documentation that transparent proxying is not
> > supported because of the issue of figuring out what the actual HTTP
> > request
> > is. I have pretty much the same situation as described here
> > http://m0n0.ch/wall/list/?action=show_msg&actionargs%5B%5D=106&actionargs%5B%5D=46:
> > 
> > WAN
> > |
> > |
> > M0n0-----DMZ (proxy server = 10.0.1.2)
> > |
> > |
> > |
> > LAN (clients - 10.0.0.0/28)
> > 
> > The idea is to have HTTP traffic forced through the proxy server which is
> > in
> > fact possible with m0n0wall and squid under linux.
> > 
> > I followed the squid docs on transparent proxies
> > (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html) adding these lines:
> > 
> > http_port 8080
> > httpd_accel_host virtual
> > httpd_accel_port 80
> > httpd_accel_with_proxy  on
> > httpd_accel_uses_host_header on
> > 
> > to my squid.conf so that squid recognizes hijacked connections.
> > 
> > Then I added a redirect rule in m0n0wall via exec.php:
> > 
> > # write the rule to a file, then load it into ipnat
> > # (echo, not cat: cat would try to open a file named after the rule text)
> > # the target port must be the port Squid's http_port actually listens on
> > echo "rdr rl0 0/0 port http -> 10.0.1.2 port 3128" > rules
> > ipnat -f rules
> > 
> > And lo and behold any traffic on port 80 going into my LAN interface is
> > redirected to the squid proxy.
> > 
> > Obviously this will not work for situations where the proxy server resides
> > on the LAN interface but with some tweaking of the redirect rule it should
> > be possible.
> > 
> > Also I don't know about other proxy servers and whether they can intercept
> > hijacked connections.
> > 
> > Regards,
> > 
> > Frans
> 
> I may also investigate tproxy (a userland redirector) but I'm not sure if
> it's required.

I did the same thing. It can be configured via the webGUI for OPT
interfaces (LAN requires manual editing and upload of your config.xml).
However, the disadvantage is that since it's NAT, it doesn't work on
bridges. Another disadvantage is that since it's merely a port redirection,
you can't log HTTP traffic. I think the correct way to solve this problem
is to bloat m0n0wall a bit and install an HTTP proxy server of some sort.

Here's my post describing the ipnat setup:
    http://tinyurl.com/4y2ou

And here is the FAQ describing the problem I ran into with NAT and my bridge:
    http://www.m0n0.ch/wall/docbook/faq-bridge.html


-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net