Hello!
I have difficulty understanding the iptables statements in chapter 6,
"Transparent Proxy to a Remote Box", of Daniel Kiracofe's Mini-HOWTO
"Transparent Proxy with Linux and Squid"
(http://tldp.org/HOWTO/TransparentProxy-6.html).
As far as I know, when packets are forwarded they are processed by the following
chains: PREROUTING --> FORWARD --> POSTROUTING
(http://iptables-tutorial.frozentux.n...#TRAVERSINGOFTABLES)
Daniel uses the following 3 iptables statements and explains them with the
following sentences:
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
"The first one sends the packets to squid-box from iptables-box.
The second makes sure that the reply gets sent back through iptables-box,
instead of directly to the client (this is very important!).
The last one makes sure the iptables-box will forward the appropriate
packets to squid-box.
It may not be needed. YMMV."
Let's assume the following:
local-network: 192.168.1.0/24
Client-PC: 192.168.1.1/24
iptables-box (default-gateway): 192.168.1.100/24
squid-box: 192.168.1.2/24
I now want to explain how I understand it:
a) The first statement:
If the client (192.168.1.1) wants to visit (e.g.) www.kernel.org, it sends
its packet to its default gateway (192.168.1.100).
The default gateway changes the destination IP address to 192.168.1.2 and
the destination port to 3128 so that the packet gets forwarded to the proxy.
b) The third statement:
The packet has the destination IP address of the proxy and therefore goes
into the FORWARD chain, where it has to be accepted.
c) I don't understand the second statement:
When the packet leaves the FORWARD chain and enters the POSTROUTING chain,
it gets the source IP address of the default gateway (192.168.1.100).
Why?
When leaving the POSTROUTING chain the packet gets forwarded to the proxy.
The proxy opens the connection to www.kernel.org and sends the HTTP request.
The HTTP reply gets sent back to the proxy.
And now the question:
How can the proxy know that it has to send the reply to the client
(192.168.1.1) and not to the default gateway (192.168.1.100)? The second
statement changes the source IP address so that it looks like the packet
comes from the default gateway.
I hope someone of you can tell me how it works.
Thanks!
Wolfi
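Added example, not part of Wolfi's post or of the HOWTO: a small Python model of what the Linux connection-tracking NAT on iptables-box does with the three rules quoted above, run once with and once without the POSTROUTING SNAT rule. The addresses are the ones assumed in the post; 203.0.113.10 is a constructed stand-in for www.kernel.org, the client source port 40000 is arbitrary, and the model ignores SNAT port remapping and the FORWARD filter. It shows that squid-box never has to know the client at all: it answers whatever source address it saw, and only when that address is iptables-box does conntrack reverse both the DNAT and the SNAT, so the client receives a reply that appears to come from www.kernel.org:80. Without the SNAT, squid-box answers the client directly on the LAN from 192.168.1.2:3128, a connection the client's TCP stack does not have, so the reply is rejected.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the post; WEB is a constructed stand-in for www.kernel.org (RFC 5737 range)
LOCAL_NET = ip_network("192.168.1.0/24")
CLIENT, GATEWAY, SQUID = "192.168.1.1", "192.168.1.100", "192.168.1.2"
WEB = "203.0.113.10"
SQUID_PORT = 3128


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection as carried in a packet header."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> Flow:
        return Flow(self.dst, self.dport, self.src, self.sport)


class IptablesBox:
    """Model of the nat table plus conntrack on iptables-box (192.168.1.100)."""

    def __init__(self, use_snat: bool) -> None:
        self.use_snat = use_snat
        # conntrack maps the expected reply tuple to the packet as the client sent it;
        # that stored original is what lets the kernel undo both NATs on the way back
        self.conntrack: dict[Flow, Flow] = {}

    def forward(self, pkt: Flow) -> Flow:
        """Apply the HOWTO's rules to the first packet of a connection arriving on eth0."""
        original = pkt
        # Rule 1: PREROUTING DNAT --to squid-box:3128 for port-80 traffic not from squid-box
        # ("-s ! squid-box" keeps the proxy's own outbound connections out of the loop)
        if pkt.src != SQUID and pkt.dport == 80:
            pkt = Flow(pkt.src, pkt.sport, SQUID, SQUID_PORT)
        # Rule 3: FORWARD ACCEPT; nothing is dropped in this model
        # Rule 2: POSTROUTING SNAT --to iptables-box for local-network -> squid-box
        if self.use_snat and ip_address(pkt.src) in LOCAL_NET and pkt.dst == SQUID:
            pkt = Flow(GATEWAY, pkt.sport, pkt.dst, pkt.dport)
        self.conntrack[pkt.reverse()] = original
        return pkt

    def unnat_reply(self, reply: Flow) -> Flow | None:
        """A reply reaching iptables-box is matched against conntrack; both NATs are reversed."""
        original = self.conntrack.get(reply)
        return None if original is None else original.reverse()


def route_reply(reply: Flow, box: IptablesBox) -> Flow | None:
    """squid-box routes by destination: a host on 192.168.1.0/24 is reached directly,
    so only a reply addressed to iptables-box ever passes through its conntrack."""
    if reply.dst == GATEWAY:
        return box.unnat_reply(reply)
    return reply


def run(use_snat: bool) -> tuple[bool, Flow | None]:
    """Return (did the client accept the reply?, the reply as the client sees it)."""
    box = IptablesBox(use_snat)
    request = Flow(CLIENT, 40000, WEB, 80)      # client -> www.kernel.org:80 via its default gateway
    at_squid = box.forward(request)
    reply = at_squid.reverse()                  # squid-box answers whatever source address it saw
    seen_by_client = route_reply(reply, box)
    # The client's TCP stack only has a connection to WEB:80; anything else gets a RST
    return seen_by_client == request.reverse(), seen_by_client


if __name__ == "__main__":
    for snat in (True, False):
        ok, seen = run(snat)
        print(f"SNAT {'on ' if snat else 'off'}: client sees {seen}, accepted={ok}")
```

The model keeps only what matters for the question: conntrack records, per connection, the tuple it expects the reply to carry and the tuple the client originally sent, and it can rewrite a reply only if that reply physically passes through iptables-box. The SNAT rule is what forces squid-box's reply to be addressed to iptables-box instead of to the client, which is why the HOWTO calls it very important.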