VectorLinux


Topic: Turn gateway into a transparent proxy (Read 3602 times)

Ulysses_

  • Member
  • *
  • Posts: 5
Turn gateway into a transparent proxy
« on: May 23, 2011, 03:49:38 pm »

Hi. Using VASM on VectorLinux LITE, a gateway has been set up so all PCs in a local network access the internet through this gateway. Now there is a VPN proxy running in the gateway box at 127.0.0.1:9666, so any application running in the gateway can be manually set up to go through this proxy.

How can all access to the internet through the gateway be forced to go through this proxy?

Note: the VPN proxy requires X to run, so it is not available when /etc/rc.d/rc.firewall is executed, if that makes any difference.

Ulysses_

  • Member
  • *
  • Posts: 5
Re: Turn gateway into a transparent proxy
« Reply #1 on: May 23, 2011, 03:50:33 pm »

Here's /etc/rc.d/rc.firewall in the attachment:

pierce.jason

  • Packager
  • Vectorite
  • ****
  • Posts: 250
Re: Turn gateway into a transparent proxy
« Reply #2 on: May 23, 2011, 05:07:15 pm »

On the gateway box, you'll need iptables rules to redirect outbound NAT'd traffic to your local proxy port. The following URLs have some examples of doing this.
http://www.ex-parrot.com/~pete/upside-down-ternet.html
http://www.debian-administration.org/articles/71
pierce.jason
Email: $(echo -e "moc\x2eliamg\x40nosaj.ecreip" | rev)

Ulysses_

  • Member
  • *
  • Posts: 5
Re: Turn gateway into a transparent proxy
« Reply #3 on: May 24, 2011, 04:51:45 am »

Must I delete any line in /etc/rc.d/rc.firewall ?

Ulysses_

  • Member
  • *
  • Posts: 5
Re: Turn gateway into a transparent proxy
« Reply #4 on: May 24, 2011, 02:38:22 pm »

Please help.  The command seems to be

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 9666

but where do I put it in the initialization script generated by VASM, attached above? Simply typing this in a command line does not work.

pierce.jason

  • Packager
  • Vectorite
  • ****
  • Posts: 250
Re: Turn gateway into a transparent proxy
« Reply #5 on: October 03, 2011, 08:31:23 pm »

For ports that you want to go through your proxy, remove them from line 67 (PORT_FORWARD=) of your rc.firewall. For example you would likely want to remove http, https, 8080, and possibly ftp/ftp-data. Anything set in this variable will be forwarded over nat without touching your proxy rule.

Now go down into the firewall_forward() function, which begins at line 159. Lines 186-194 encompass the control structures that set up forwarding for each of the ports in the PORT_FORWARD variable, so right below here would be a good place to add your iptables rule for redirecting to the proxy. Going by the examples nearby there, I think we should modify your iptables redirection rule, for consistency with other rules in rc.forward, to something similar to this:
Code:
$IPT -t nat -A PREROUTING -s $GREEN_NET -d ! $GREEN_NET -p tcp -m multiport --dports http,https,8080 -j REDIRECT --to-port 9666

I have substituted "-s $GREEN_NET -d ! $GREEN_NET" where you had an interface, and changed the destination ports to include more than just plain 80.

pierce.jason
Email: $(echo -e "moc\x2eliamg\x40nosaj.ecreip" | rev)
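
Added example, not part of the thread or of the VASM-generated script: a dry-run sketch of the two steps from Reply #5, plus a check that redirected traffic can actually reach the proxy, since REDIRECT in PREROUTING rewrites the destination to the gateway's incoming-interface address rather than to 127.0.0.1. The function names, the sample GREEN_NET value, a space-separated PORT_FORWARD list and the `ss -ltn` column layout are assumptions.

```shell
#!/bin/sh
# Dry run by default: $IPT only prints the rule it would add.
IPT="${IPT:-echo iptables}"
GREEN_NET="${GREEN_NET:-192.168.0.0/24}"   # constructed sample LAN subnet
PROXY_PORT=9666                             # proxy port from the thread
PROXY_PORTS="http https 8080"               # ports to send through the proxy

# Print the PORT_FORWARD list ($1, assumed space-separated) with every
# proxied port removed, so no plain NAT forward is set up for those ports.
strip_proxied() {
    out=""
    for p in $1; do
        case " $PROXY_PORTS " in
            *" $p "*) ;;                    # proxied port: drop it
            *) out="${out:+$out }$p" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Read `ss -ltn` output on stdin. Return 0 only if the proxy port listens
# on a wildcard or non-loopback address; a listener bound to 127.0.0.1
# never sees connections that REDIRECT delivers to the LAN-side address.
proxy_reachable() {
    awk -v port="$PROXY_PORT" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (a[n] == port && addr !~ /^127\./ && addr != "[::1]") ok = 1
        }
        END { exit !ok }'
}

# Emit the redirect rule in current iptables syntax: multiport match for
# the port list, negation placed before -d.
redirect_rule() {
    $IPT -t nat -A PREROUTING -s "$GREEN_NET" ! -d "$GREEN_NET" -p tcp \
        -m multiport --dports "$(echo "$PROXY_PORTS" | tr ' ' ',')" \
        -j REDIRECT --to-ports "$PROXY_PORT"
}
```

Run `ss -ltn | proxy_reachable` once the proxy is up under X, and set `IPT=iptables` only after reviewing the printed rule.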

Ulysses_

  • Member
  • *
  • Posts: 5
Re: Turn gateway into a transparent proxy
« Reply #6 on: October 04, 2011, 11:23:20 am »

Thanks.