[ previous ] [ next ] [ threads ]
 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Transparent HTTP proxy
 Date:  Mon, 14 Feb 2005 12:16:40 -0500
Frans King wrote:

> I read in the m0n0wall documentation that transparent proxying is not
> supported because of the issue of figuring out what the actual HTTP
> request is. I have pretty much the same situation as described here
> http://m0n0.ch/wall/list/?action=show_msg&actionargs%5B%5D=106&actionargs%5B
> %5D=46:
> |
> |
> M0n0-----DMZ (proxy server =
> |
> |
> |
> LAN (clients -
> The idea is to have HTTP traffic forced through the proxy server which is
> in fact possible with m0n0wall and squid under linux.
> I followed the squid docs on transparent proxies
> (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html) adding these lines:
> http_port 8080
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy  on
> httpd_accel_uses_host_header on
> to my squid.conf so that squid recognizes hijacked connections.
> Then I added a redirect rule in m0n0wall via exec.php:
> cat "rdr rl0 0/0 port http -> port 3128" > rules
> ipnat -f rules
> And low and behold any traffic on port 80 going into my LAN interface is
> redirected to the squid proxy.
> Obviously this will not work for situations where the proxy server resides
> on the LAN interface but with some tweaking of the redirect rule it should
> be possible.
> Also I don't know about other proxy servers and whether they can intercept
> hijacked connections.

I did the same thing. It can be configured via the webGUI for OPT
interfaces (LAN requires a manual editing and upload of your config.xml).
However, the disadvantage is that since it's NAT, it doesn't work on
bridges. Another disadvantage is that since it's merely a port redirection,
you can't log HTTP traffic. I think the correct way to solve this problem
is to bloat m0n0wall a bit and install an HTTP proxy server of some sort.

Here's my post describing the ipnat setup:

And here is the FAQ describing the problem I ran into with NAT and my bridge:

Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)