Frans King wrote:
> I read in the m0n0wall documentation that transparent proxying is not
> supported because of the issue of figuring out what the actual HTTP
> request is. I have pretty much the same situation as described here:
>
>   M0n0-----DMZ (proxy server = 10.0.1.2)
>    |
>   LAN (clients - 10.0.0.0/28)
>
> The idea is to have HTTP traffic forced through the proxy server which is
> in fact possible with m0n0wall and squid under linux.
> I followed the squid docs on transparent proxies
> (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html) adding these lines:
> http_port 8080                    # port the ipnat rdr rule must point at
> httpd_accel_host virtual          # accelerate for any origin host, not one fixed server
> httpd_accel_port 80               # port the clients were really connecting to
> httpd_accel_with_proxy on         # keep acting as a normal proxy as well
> httpd_accel_uses_host_header on   # rebuild the URL from the Host: header
> to my squid.conf so that squid recognizes hijacked connections.
> Then I added a redirect rule in m0n0wall via exec.php:
> # rl0 is the LAN-side interface; the target port must be squid's http_port
> echo "rdr rl0 0/0 port http -> 10.0.1.2 port 8080 tcp" > rules
> ipnat -f rules
> And lo and behold, any traffic on port 80 going into my LAN interface is
> redirected to the squid proxy.
> Obviously this will not work for situations where the proxy server resides
> on the LAN interface but with some tweaking of the redirect rule it should
> be possible.
> Also I don't know about other proxy servers and whether they can intercept
> hijacked connections.
I did the same thing. It can be configured via the webGUI for OPT
interfaces (LAN requires manually editing and uploading your config.xml).
However, the disadvantage is that since it's NAT, it doesn't work on
bridges. Another disadvantage is that since it's merely a port redirection,
you can't log HTTP traffic. I think the correct way to solve this problem
is to bloat m0n0wall a bit and install an HTTP proxy server of some sort.
Here's my post describing the ipnat setup:
And here is the FAQ describing the problem I ran into with NAT and my bridge:
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
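Added example, written for this thread and not code from either poster, m0n0wall or Squid. It shows the two things the posts leave implicit: why an intercepted request can only be reconstructed from the Host: header (after the rdr, the TCP destination the proxy sees is its own socket, so squid's "virtual" accel mode has nothing else to go on), and a quick check that the rdr target port really is the port squid listens on. PROXY_ADDR, the function names and all sample requests are assumptions constructed for the example; the squid.conf and rdr strings mirror the snippets quoted above.

```python
"""Reconstruct the origin URL of a NAT-intercepted HTTP request, the way an
accelerator-mode proxy (squid with httpd_accel_uses_host_header on) has to.

Added example for the m0n0wall/squid thread; not code from either poster.
All sample requests below are constructed, not captured traffic.
"""
import re
from typing import Dict, Optional, Tuple

# Assumed proxy socket for the example: the post's DMZ host and its http_port.
PROXY_ADDR = ("10.0.1.2", 8080)


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP request head into method, target, version and headers.

    Header names are lower-cased. Only the head (before the blank line) is
    looked at, so a request body can never influence the reconstruction.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2) + ["HTTP/0.9"]   # pad HTTP/0.9 style lines
    method, target, version = parts[:3]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def reconstruct_url(raw: bytes,
                    proxy_addr: Tuple[str, int] = PROXY_ADDR) -> Optional[str]:
    """Return the URL the client wanted, or None if it cannot be recovered.

    Preference order mirrors httpd_accel_with_proxy + uses_host_header:
      1. absolute URI in the request line (a real, configured proxy client);
      2. the Host: header (HTTP/1.1 clients; what 'uses_host_header on' enables);
      3. otherwise give up: after the ipnat rdr the TCP destination is the
         proxy's own socket, so 'falling back' to it would just loop.
    """
    _method, target, _version, headers = parse_request(raw)

    if target.lower().startswith("http://"):
        return target                                 # proxy-style request

    host = headers.get("host")
    if not host or not target.startswith("/"):
        return None                                   # e.g. HTTP/1.0, no Host

    hostname, _sep, port = host.partition(":")
    if hostname == proxy_addr[0]:
        return None     # loop guard: client pointed Host at the proxy itself

    # The rdr matched destination port 80, so a bare Host means port 80.
    authority = hostname if port in ("", "80") else host
    return f"http://{authority}{target}"


def redirect_port_matches(squid_conf: str, ipnat_rule: str) -> bool:
    """True when the rdr target port equals squid's http_port.

    A mismatch is a silent failure: connections are redirected to a port
    nothing listens on and every client just gets 'connection refused'.
    """
    m_conf = re.search(r"^\s*http_port\s+(?:\S+:)?(\d+)", squid_conf, re.M)
    m_rule = re.search(r"->\s*\S+\s+port\s+(\d+)", ipnat_rule)
    return bool(m_conf and m_rule and m_conf.group(1) == m_rule.group(1))


# Constructed samples (assumed, not captured from anyone's network).
INTERCEPTED_HTTP11 = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
INTERCEPTED_HTTP10 = b"GET /index.html HTTP/1.0\r\nUser-Agent: old-client\r\n\r\n"
PROXY_STYLE = b"GET http://www.example.com/a?b=1 HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
LOOPING = b"GET / HTTP/1.1\r\nHost: 10.0.1.2:8080\r\n\r\n"

SQUID_CONF = "http_port 8080\nhttpd_accel_host virtual\nhttpd_accel_port 80\n"
RDR_RULE = "rdr rl0 0/0 port http -> 10.0.1.2 port 8080 tcp"

if __name__ == "__main__":
    for name, req in [("HTTP/1.1", INTERCEPTED_HTTP11), ("HTTP/1.0", INTERCEPTED_HTTP10),
                      ("proxy-style", PROXY_STYLE), ("looping", LOOPING)]:
        print(f"{name:12s} -> {reconstruct_url(req)}")
    print("rdr port matches http_port:", redirect_port_matches(SQUID_CONF, RDR_RULE))
```

The HTTP/1.0 case is the one the m0n0wall documentation is worried about: with no Host: header there is no honest way to learn the origin server, and the Host-based path means the client, not the firewall, decides where the proxy connects.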