 
 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  Chris Buechler <cbuechler at gmail dot com>, Thomas Kolstø <thomas at kolsto dot no>, Marian Adelin STOICESCU <marian at wsc dot ro>
 Subject:  Re: Transparent proxi and NAT server IP addresses
 Date:  Wed, 9 Feb 2005 00:39:55 -0500
> Chris Buechler wrote:
> 
>>On Mon, 6 Dec 2004 15:26:53 +0200, Marian Adelin STOICESCU
>><marian at wsc dot ro> wrote:
>>>2. It's possible to use ipfw fwd.. on exec.php to put a proxy server pc
>>>to work transparently.. or the problem of transparent proxy it's on work
>>>and I must wait for a m0n0wall betas
>>
>>I know that'll work with ipfw, not sure if it will in m0n0wall's
>>specific setup.  It's worth a shot, I'd be interested in knowing if it
>>works or not.  Worst that could happen is what you put in exec.php
>>could take down the firewall, but then a reboot will remove all that
>>stuff.  If you get it working, see the FAQ on hidden config.xml
>>options on how to put them in <shellcmd> to get them to load at every
>>boot.
> Not the scenario you describe, but maybe a solution for you is to use
> the NAT Inbound rules on an OPT interface to do the redirect.
> It does not use ipfw but rather the ipnat rdr statement, creating a rule
> like: "ipnat rdr ti0 0.0.0.0/0 port 80 -> N.N.N.N port 3128 tcp"
> (N.N.N.N being my squid proxy located in the DMZ network.)

Chris, for the FAQ: I saw this post and since I've been wanting to get
a transparent port 80 redirect working for a project at work I thought
I'd give it a shot. It works! Quite well, too!

My squid proxy had to be tweaked for transparent proxy duty, but that's
a given and I won't go into squid config details here.

I enabled this on my OPT1/WLAN interface. Here are the relevant parts
of my m0n0wall 1.2b3 config:

 <nat>
  <rule>
   <protocol>tcp</protocol>
   <external-port>80</external-port>
   <target>216.64.96.9</target>
   <local-port>8965</local-port>
   <interface>opt1</interface>
   <descr>redirect port 80 to david.wingnet.net:8965</descr>
  </rule>
 </nat>

 <filter>
  <rule>
   <type>pass</type>
   <interface>opt1</interface>
   <protocol>tcp</protocol>
   <source>
    <any/>
   </source>
   <destination>
    <address>216.64.96.9</address>
    <port>8965</port>
   </destination>
   <descr>NAT redirect port 80 to david.wingnet.net:8965</descr>
  </rule>
 </filter>

I can provide screen shots if you'd like. Just tell me what you
need.

It's too bad we can't do this from the webGUI on the LAN interface.
I wonder what the best solution to that is?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
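As an added example (my own code, not from this thread or from m0n0wall), the check below parses a config.xml fragment carrying the two rules above, renders each NAT inbound rule as the ipnat rdr statement it corresponds to, and flags any redirect whose redirected traffic no filter pass rule admits. The <m0n0wall> root element and the opt1 -> ti0 device-name mapping are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment carrying the two rules from the post above;
# the <m0n0wall> root element is an assumption.
CONFIG_XML = """<m0n0wall><nat><rule>
 <protocol>tcp</protocol><external-port>80</external-port><target>216.64.96.9</target>
 <local-port>8965</local-port><interface>opt1</interface>
 <descr>redirect port 80 to david.wingnet.net:8965</descr></rule></nat>
<filter><rule><type>pass</type><interface>opt1</interface><protocol>tcp</protocol>
 <source><any/></source><destination><address>216.64.96.9</address><port>8965</port>
 </destination><descr>NAT redirect port 80 to david.wingnet.net:8965</descr>
</rule></filter></m0n0wall>"""

def rdr_lines(xml_text, devices):
    """Render each <nat><rule> as an ipnat rdr statement; devices maps opt1 -> ti0."""
    lines = []
    for r in ET.fromstring(xml_text).findall("./nat/rule"):
        iface = r.findtext("interface")
        lines.append("rdr %s 0.0.0.0/0 port %s -> %s port %s %s" % (
            devices.get(iface, iface), r.findtext("external-port"),
            r.findtext("target"), r.findtext("local-port"), r.findtext("protocol")))
    return lines

def passes(frule, iface, proto, target, port):
    """True if one <filter><rule> admits the redirected traffic to target:port."""
    if frule.findtext("type") != "pass" or frule.findtext("interface") != iface:
        return False
    if frule.findtext("protocol") not in (proto, "any", None):
        return False
    dst = frule.find("destination")
    if dst is None:
        return False
    if dst.find("any") is not None:
        return True                                    # destination any
    return (dst.findtext("address") == target
            and dst.findtext("port") in (port, None))  # absent port = any port

def unfiltered_redirects(xml_text):
    """NAT redirects for which no filter pass rule admits the redirected traffic."""
    root = ET.fromstring(xml_text)
    filters = root.findall("./filter/rule")
    missing = []
    for r in root.findall("./nat/rule"):
        key = (r.findtext("interface"), r.findtext("protocol"),
               r.findtext("target"), r.findtext("local-port"))
        if not any(passes(f, *key) for f in filters):
            missing.append(key)
    return missing
```

A redirect reported by unfiltered_redirects is one where the rdr rewrites the packet but the filter then drops it, so clients see port 80 time out rather than reach the proxy.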