Wolfgang Wyremba <wolfgang.wyremba@fh-joanneum.at> wrote:
> (http://tldp.org/HOWTO/TransparentProxy-6.html)
[...]
> Daniel uses the following 3 iptables statements and explains them with
> the following sentences:
>
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>
> "The first one sends the packets to squid-box from iptables-box.
> The second makes sure that the reply gets sent back through iptables-box,
> instead of directly to the client (this is very important!).
> The last one makes sure the iptables-box will forward the appropriate
> packets to squid-box.
> It may not be needed. YMMV."
>
> Let's assume the following:
> local-network: 192.168.1.0/24
> Client-PC: 192.168.1.1/24
> iptables-box (default-gateway): 192.168.1.100/24
> squid-box: 192.168.1.2/24
>
> I now want to explain how I understand it:
> a) The first statement:
> If the Client (192.168.1.1) wants to visit (e.g.) www.kernel.org it
> sends its packet to its default-gateway (192.168.1.100).
> The default-gateway changes the destination ip address to 192.168.1.2
> and destination port to 3128 so that the packet gets forwarded
> to the proxy.
>
> b) The third statement:
> The packet has the destination ip address of the proxy and gets
> therefore into the FORWARD chain where it has to be accepted.
>
> c) I don't understand the second statement:
> When the packet leaves the FORWARD chain and enters the POSTROUTING
> chain it gets the source ip address of the default-gateway
> (192.168.1.100).
> Why?
Because the answer to the client must be sent back via the
iptables box to the client and not directly to the client.
The answer packet needs to pass the iptables box so that DNAT
can be "undone". Remember, the client wants to have the replies
coming from the IP address of www.kernel.org and from port 80,
and not from the squid address and port 3128.
Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
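The packet flow Horst describes, as a small added model that is not part of the thread and not real iptables or conntrack code: the three rules are applied to one client packet using the addresses assumed above, with and without the SNAT rule, to show that the reply only gets its original www.kernel.org:80 source restored when it comes back through the iptables box. The WEB address and the client's source port are constructed placeholders.

```python
from collections import namedtuple

# Addresses assumed in the thread; WEB is a constructed stand-in for www.kernel.org.
CLIENT, GATEWAY, SQUID = "192.168.1.1", "192.168.1.100", "192.168.1.2"
LOCAL_PREFIX, WEB = "192.168.1.", "198.51.100.10"

Pkt = namedtuple("Pkt", "src sport dst dport")  # one direction of a TCP flow

def prerouting_dnat(pkt):  # rule 1
    """Port-80 traffic not coming from squid-box is redirected to squid-box:3128."""
    if pkt.src != SQUID and pkt.dport == 80:
        return pkt._replace(dst=SQUID, dport=3128)
    return pkt

def forward_accepts(pkt):  # rule 3, evaluated after DNAT has already happened
    return pkt.src.startswith(LOCAL_PREFIX) and pkt.dst == SQUID and pkt.dport == 3128

def postrouting_snat(pkt):  # rule 2
    """local-network -> squid-box packets leave with the gateway as their source."""
    if pkt.src.startswith(LOCAL_PREFIX) and pkt.dst == SQUID:
        return pkt._replace(src=GATEWAY)
    return pkt

def gateway_forward(sent, conntrack, use_snat=True):
    """Run one client packet through the three rules; return what squid-box receives."""
    pkt = prerouting_dnat(sent)
    if not forward_accepts(pkt):
        return None  # this model has no other FORWARD rule
    if use_snat:
        pkt = postrouting_snat(pkt)
    # conntrack keys the translated flow so the reply can be mapped back
    conntrack[Pkt(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = sent
    return pkt

def squid_reply(seen, conntrack):
    """squid-box answers whatever source it saw; only replies to the gateway get un-NATed."""
    reply = Pkt(SQUID, 3128, seen.src, seen.sport)
    if reply.dst != GATEWAY:
        return reply  # same subnet: goes straight to the client, bypassing the gateway
    o = conntrack[reply]
    return Pkt(o.dst, o.dport, o.src, o.sport)  # SNAT and DNAT undone

def client_accepts(reply, sent):  # a socket only matches the address:port it connected to
    return reply == Pkt(sent.dst, sent.dport, sent.src, sent.sport)

def run(use_snat):
    conntrack = {}
    sent = Pkt(CLIENT, 40000, WEB, 80)
    return client_accepts(squid_reply(gateway_forward(sent, conntrack, use_snat), conntrack), sent)
```

Without the SNAT rule squid-box replies straight to 192.168.1.1 from 192.168.1.2:3128, which the client's socket for www.kernel.org:80 never matches; with it the reply returns through the gateway and conntrack restores the original addresses.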