VectorLinux
Author Topic: Turn gateway into a transparent proxy  (Read 3214 times)
Ulysses_ (Member)
« on: May 23, 2011, 02:49:38 pm »

Hi.  Using VASM on VectorLinux LITE, a gateway has been set up so all PCs in a local network access the internet through this gateway.  Now there is a vpn proxy running in the gateway box at 127.0.0.1:9666 so any application running in the gateway can be manually set up to go through this proxy.

How can all access to the internet through the gateway be forced to go through this proxy?

Note: the vpn proxy requires X to run so it is not available when /etc/rc.d/rc.firewall is executed, if that makes any difference.

Ulysses_ (Member)
« Reply #1 on: May 23, 2011, 02:50:33 pm »

Here's /etc/rc.d/rc.firewall in the attachment:

pierce.jason (Packager, Vectorite)
« Reply #2 on: May 23, 2011, 04:07:15 pm »

On the gateway box, you'll need iptables rules to redirect outbound NATed traffic to your local proxy port. The following URLs have some examples of doing this.
http://www.ex-parrot.com/~pete/upside-down-ternet.html
http://www.debian-administration.org/articles/71
Ulysses_ (Member)
« Reply #3 on: May 24, 2011, 03:51:45 am »

Must I delete any line in /etc/rc.d/rc.firewall ?

Ulysses_ (Member)
« Reply #4 on: May 24, 2011, 01:38:22 pm »

Please help.  The command seems to be

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 9666

but where do I put it in the initialization script generated by VASM, attached above? Simply typing this in a command line does not work.

pierce.jason (Packager, Vectorite)
« Reply #5 on: October 03, 2011, 07:31:23 pm »

For ports that you want to go through your proxy, remove them from line 67 (PORT_FORWARD=) of your rc.firewall. For example you would likely want to remove http, https, 8080, and possibly ftp/ftp-data. Anything set in this variable will be forwarded over nat without touching your proxy rule.

Now go down into the firewall_forward() function which begins at line 159. Lines 186-194 encompass the control structures that set up forwarding for each of the ports in the PORT_FORWARD variable, so right below here would be a good place to add your iptables rule for redirecting to the proxy. Going by the examples nearby there, I think we should modify your iptables redirection rule, for consistency with other rules in rc.forward, to something similar to this:
Code:
# Redirect LAN (GREEN_NET) clients' web traffic bound for anywhere outside the LAN
# to the local proxy port. Several ports need the multiport match, the negation
# goes before -d, and REDIRECT's option is --to-ports.
$IPT -t nat -A PREROUTING -s $GREEN_NET ! -d $GREEN_NET -p tcp -m multiport --dports http,https,8080 -j REDIRECT --to-ports 9666

I have substituted "-s $GREEN_NET -d ! $GREEN_NET" where you had an interface, and changed the destination ports to include more than just plain 80.

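The interaction between PORT_FORWARD and the REDIRECT rule described in Reply #5 (a port left in PORT_FORWARD is NATed straight out and never reaches the proxy), as an added shell example that is not from the thread or from VASM's rc.firewall. The variable names GREEN_NET, PORT_FORWARD, PROXY_PORT and IPT are assumed stand-ins for the ones in rc.firewall; with IPT unset the rule is only printed, so it can be dry-run without root.

```shell
#!/bin/sh
# Added example, not part of the thread or of VASM's rc.firewall.
# Assumed placeholders: GREEN_NET (LAN network), PROXY_PORT (local proxy
# port), IPT (iptables binary; defaults to a dry-run printer here).

# Return 0 if $1 appears in the space-separated list $2.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Print a comma-separated list of the ports in $1 that are NOT in the
# PORT_FORWARD list $2; warn about each one that is, since it bypasses
# the proxy rule entirely.
proxy_ports() {
    keep=""
    for port in $1; do
        if in_list "$port" "$2"; then
            echo "warning: port $port is in PORT_FORWARD and will bypass the proxy" >&2
        else
            keep="$keep $port"
        fi
    done
    echo "$keep" | sed 's/^ //;s/ /,/g'
}

# Dry-run stand-in for iptables: prints the arguments on one line.
dry_run() { printf '%s\n' "$*"; }

# Build (and, if IPT is set, apply) the nat REDIRECT rule for the ports in
# $1 that are not shadowed by PORT_FORWARD ($2). Fails if nothing is left.
redirect_rule() {
    ports=$(proxy_ports "$1" "$2")
    [ -n "$ports" ] || return 1
    ${IPT:-dry_run} -t nat -A PREROUTING -s "$GREEN_NET" ! -d "$GREEN_NET" \
        -p tcp -m multiport --dports "$ports" -j REDIRECT --to-ports "$PROXY_PORT"
}

# Constructed defaults so the script runs stand-alone.
GREEN_NET=${GREEN_NET:-192.168.1.0/24}
PROXY_PORT=${PROXY_PORT:-9666}
```

Run it as `sh script.sh` to see the generated rule; set `IPT=/usr/sbin/iptables` only when you actually want the rule inserted.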
Ulysses_ (Member)
« Reply #6 on: October 04, 2011, 10:23:20 am »

Thanks.