HTTP Anti-Virus Proxy
http://havp.hege.li/forum/

Transparent proxy problem
http://havp.hege.li/forum/viewtopic.php?f=3&t=72
Page 1 of 2

Author:  piyush [ 10 Apr 2006 15:12 ]
Post subject:  Transparent proxy problem

I have a problem regarding transparent proxy.
My HAVP config is as follows:
client>>havp>>squid>>internet
As I have iptables on the same machine, I'm using the following iptables configs.

1> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

2> iptables -A INPUT -i eth1 -p tcp -s 10.10.136.253/8 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT

Now, as I use squid as parent proxy, I've tried the following configuration, as the reply hits squid first:

1> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

2> iptables -A INPUT -i eth1 -p tcp -s 10.10.136.253/8 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

but neither works; moreover, I'm getting an invalid request error.

Author:  hege [ 10 Apr 2006 15:15 ]
Post subject: 

If you get an invalid request error, then I would assume your browser still has a proxy set? TRANSPARENT should be true, and the browser should not have any proxy set.

Cheers,
Henrik

Author:  piyush [ 10 Apr 2006 17:48 ]
Post subject:  Again probs

I've checked all the browser stuff and played with iptables also.
I'm tracing the packets, but the packets are getting dropped.
Any other way? I have tried the same thing with squid alone.
--piyush--

Author:  Christian [ 10 Apr 2006 18:35 ]
Post subject: 

I guess the iptables OUTPUT rule is missing.

Author:  hege [ 10 Apr 2006 18:40 ]
Post subject: 

To be clear.. when are you getting the invalid request error? With or without proxy set in browser? I can't tell from your description if you have a network or HAVP configuration error.

Cheers,
Henrik

Author:  piyush [ 11 Apr 2006 15:01 ]
Post subject:  Transparent proxy problem

hello

I'm getting that invalid request with the browser proxy setting enabled, and that's obvious.

But when I use squid alone with iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.22.33:3128 it works fine transparently, but the same thing works for neither HAVP alone nor HAVP + squid.

What should my iptables output be?

Author:  hege [ 11 Apr 2006 15:09 ]
Post subject: 

There is nothing else you need than:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

Obviously you have something wrong with your client<->server iptables setup if it doesn't work. See that both INPUT and OUTPUT are allowed to/from clients. I can't help you any more as I don't know your whole iptables setup.

Cheers,
Henrik

Author:  piyush [ 11 Apr 2006 17:15 ]
Post subject:  Transparent proxy problem

I'm using squid, iptables and HAVP on the same machine with one ethernet card on my LAN.

I've flushed my firewall and then added the following iptables rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
which is the only rule in my iptables.

I set TRANSPERENTPROXY to true and start HAVP, then I test from another machine with its default gateway set to my machine and try to open a web page, which is unsuccessful.

Below is my ethereal output...
77 192.041702 10.10.136.47 -> 10.255.255.255 NBNS Name query NB WWW.WINAMP.COM<00>
78 192.790200 10.10.136.47 -> 10.255.255.255 NBNS Name query NB WWW.WINAMP.COM<00>
79 193.540168 10.10.136.47 -> 10.255.255.255 NBNS Name query NB WWW.WINAMP.COM<00>
80 194.170409 10.10.136.52 -> 10.255.255.255 SMB_NETLOGON SAM LOGON request from client
81 194.296885 10.10.136.47 -> 10.10.136.253 DNS Standard query A www.winamp.com
82 194.296939 10.10.136.253 -> 10.10.136.47 ICMP Destination unreachable (Port unreachable)
83 194.297205 10.10.136.47 -> 10.255.255.255 NBNS Name query NB WWW.WINAMP.COM<00>
84 195.040119 10.10.136.47 -> 10.255.255.255 NBNS Name query NB WWW.WINAMP.COM<00>
85 195.790080 10.10.136.47 -> 10.255.255.255 NBNS Name query NB WWW.WINAMP.COM<00>
86 197.040423 Executon_02:bd:2c -> RealtekS_21:8e:f8 ARP Who has 10.10.136.47? Tell 10.10.136.253
87 197.040506 RealtekS_21:8e:f8 -> Executon_02:bd:2c ARP 10.10.136.47 is at 00:e0:4c:21:8e:f8

where 10.10.136.253 is the IP of the squid/HAVP/iptables machine and 10.10.136.47 is the machine I test from.

I have tried both with squid as parent proxy and without. The strange thing is that I can run squid in transparent mode alone with the same setting.

Any way you can help?

Author:  hege [ 11 Apr 2006 17:27 ]
Post subject: 

So how are your INPUT/OUTPUT rules?

# iptables -v -L

Cheers,
Henrik

Author:  piyush [ 12 Apr 2006 11:58 ]
Post subject:  Transparent proxy problem

Hello,
This is the output of iptables -t nat -nL:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Now what should my INPUT and OUTPUT rules be? I only want to add rules regarding HAVP, as I get confused with these rules.

--Piyush--

Author:  hege [ 12 Apr 2006 12:06 ]
Post subject:  Re: Transparent proxy problem

piyush wrote:
Now what should my INPUT and OUTPUT rules be? I only want to add rules regarding HAVP, as I get confused with these rules.

Are your INPUT and OUTPUT allowed by default? What do you have there?

Show me iptables -v -L, not the nat table.

Cheers,
Henrik

Author:  piyush [ 12 Apr 2006 14:33 ]
Post subject:  Transparent proxy problem

Hello,
The output of iptables -v -L:

Chain INPUT (policy ACCEPT 1387 packets, 122K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth0 any anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:webcache
0 0 ACCEPT tcp -- eth0 any anywhere anywhere state RELATED,ESTABLISHED tcp spt:www

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1376 packets, 112K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:www
0 0 ACCEPT tcp -- any eth0 anywhere anywhere state RELATED,ESTABLISHED tcp spt:www

and the output of iptables -t nat -nL is:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

--piyush--

Author:  hege [ 12 Apr 2006 14:42 ]
Post subject: 

Ah I think I know why it didn't work..

You should do it something like this:

iptables -t nat -A PREROUTING -i eth1 -s ! 10.10.136.253 -p tcp --dport 80 -j REDIRECT --to-port 8080

Because otherwise, when HAVP/Squid wants to connect to port 80, it will loop again, creating an infinite loop. You have to exclude your own server.

(You might have put \! instead of ! if shell complains)

Cheers,
Henrik

Author:  hege [ 12 Apr 2006 14:47 ]
Post subject: 

And I assumed clients come from eth1 and the server connects to the internet from eth1 as well.

Because usually the internal network comes in on, say, eth0, and internet traffic goes out on eth1. Then there would be no problems like this.

Cheers,
Henrik

Author:  piyush [ 12 Apr 2006 16:19 ]
Post subject:  Transparent proxy problem

Hello,
That doesn't seem to work.
Sorry Henry, but I made some mistakes.

I have rearranged my network now as below:

Test machine: IP 10.10.136.45/8

My machine (HAVP + iptables):
eth0: 10.10.136.253/8
eth1: 10.10.136.199/8

Now the test machine connects to my machine on eth1, with default gateway 10.10.136.199, via a crossover cable, and eth0 connects to my LAN gateway and hence the internet.

I browse from the test machine.
Now can you please tell me what my iptables configuration should be?
And thanks for your continuous replies :)

--piyush--
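Pulling the rules discussed in this thread together for the two-NIC layout in the last post, as an added example (this is not code from the thread or from the HAVP project): a small POSIX shell script that adds only the HAVP-related rules and leaves the default policies alone. The interface names, addresses and HAVP's port 8080 are taken from piyush's posts; the exclusion of the proxy host's own address follows hege's suggestion; the FORWARD/MASQUERADE rules for the client's non-HTTP traffic, the environment-variable knobs and the dry-run switch are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the HAVP project: iptables rules so that
# HAVP on this host transparently scans HTTP for the client behind eth1.
#
# Assumed layout (from the thread, overridable via environment variables):
#   eth1 10.10.136.199  <- client side (test machine uses it as default gateway)
#   eth0 10.10.136.253  -> LAN gateway and the internet
#   HAVP listens on TCP 8080 with TRANSPARENT true. Squid as parent proxy is
#   optional and needs no extra rules, since HAVP reaches it over loopback.
#
# Usage:  sh havp-rules.sh show    (print the rules)
#         sh havp-rules.sh apply   (apply them, as root)

CLIENT_IF="${CLIENT_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
CLIENT_SIDE_IP="${CLIENT_SIDE_IP:-10.10.136.199}"
HAVP_PORT="${HAVP_PORT:-8080}"

# Run iptables, or just print the command when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

havp_rules() {
    # 1. Intercept client HTTP arriving on the client-facing interface and hand
    #    it to HAVP. -i already limits this to the client side; the negated -s
    #    additionally excludes the proxy host itself, as hege suggests, so its own
    #    fetches can never be redirected. Current iptables wants "! -s", not "-s !".
    ipt -t nat -A PREROUTING -i "$CLIENT_IF" ! -s "$CLIENT_SIDE_IP" -p tcp --dport 80 \
        -j REDIRECT --to-port "$HAVP_PORT"

    # 2. After REDIRECT the connection terminates locally on HAVP_PORT, so INPUT
    #    must accept it on that port (dpt:webcache in iptables -L), not on 80.
    ipt -A INPUT -i "$CLIENT_IF" -p tcp --dport "$HAVP_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$CLIENT_IF" -p tcp --sport "$HAVP_PORT" \
        -m state --state ESTABLISHED -j ACCEPT

    # 3. HAVP (or its parent Squid) fetching from origin servers on the WAN side.
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

    # 4. Everything else from the client (DNS, HTTPS, ...) is routed and
    #    masqueraded rather than scanned. The client must point at a real resolver
    #    beyond eth0: in the capture above it asked this host, which runs no name
    #    server, and got "Port unreachable". Needs net.ipv4.ip_forward=1.
    ipt -A FORWARD -i "$CLIENT_IF" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$CLIENT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    show)  DRY_RUN=1; havp_rules ;;
    apply) havp_rules ;;
esac
```

Run it with `show` first and compare the printed rules against `iptables -v -L` and `iptables -t nat -nL`; the packet counters on the INPUT rule for port 8080 should start climbing as soon as the test machine loads a page, which is the quickest check that the REDIRECT is actually reaching HAVP.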

All times are UTC + 2 hours [ DST ]