This is a discussion on transparent proxies / iptables: Mini How To by Daniel Kiracofe within the Linux Networking forums, part of the Linux Forums category.
Hello!

I have difficulties understanding the iptables statements in chapter 6 "Transparent Proxy to a Remote Box" of Daniel Kiracofe's Mini-How-To "Transparent Proxy with Linux and Squid" (http://tldp.org/HOWTO/TransparentProxy-6.html).

As I know, when packets are forwarded they are processed in the following way (chains): PREROUTING --> FORWARD --> POSTROUTING (http://iptables-tutorial.frozentux.n...#TRAVERSINGOFTABLES)

Daniel uses the following 3 iptables statements and explains them with the following sentences:

iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

"The first one sends the packets to squid-box from iptables-box. The second makes sure that the reply gets sent back through iptables-box, instead of directly to the client (this is very important!). The last one makes sure the iptables-box will forward the appropriate packets to squid-box. It may not be needed. YMMV."

Let's assume the following:
local-network: 192.168.1.0/24
Client-PC: 192.168.1.1/24
iptables-box (default-gateway): 192.168.1.100/24
squid-box: 192.168.1.2/24

I now want to explain how I understand it:

a) The first statement: If the Client (192.168.1.1) wants to visit (e.g.) www.kernel.org it sends its packet to its default gateway (192.168.1.100). The default gateway changes the destination IP address to 192.168.1.2 and the destination port to 3128 so that the packet gets forwarded to the proxy.

b) The third statement: The packet has the destination IP address of the proxy and therefore gets into the FORWARD chain, where it has to be accepted.

c) I don't understand the second statement: When the packet leaves the FORWARD chain and enters the POSTROUTING chain it gets the source IP address of the default gateway (192.168.1.100). Why?

When leaving the POSTROUTING chain the packet gets forwarded to the proxy. The proxy opens the connection to www.kernel.org and sends the HTTP request. The HTTP reply gets sent back to the proxy. And now the question: How can the proxy know that it has to send the reply to the Client (192.168.1.1) and not to the default gateway (192.168.1.100)? The second statement changes the source IP address so that it looks like the packet comes from the default gateway.

I hope one of you can tell me how it works.

Thanks!
Wolfi
Wolfgang Wyremba <wolfgang.wyremba@fh-joanneum.at> wrote:

> (http://tldp.org/HOWTO/TransparentProxy-6.html)
[...]
> Daniel uses the following 3 iptables statements and explains them with
> the following sentences:
>
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>
> "The first one sends the packets to squid-box from iptables-box.
> The second makes sure that the reply gets sent back through iptables-box,
> instead of directly to the client (this is very important!).
> The last one makes sure the iptables-box will forward the appropriate
> packets to squid-box.
> It may not be needed. YMMV."
>
> Let's assume the following:
> local-network: 192.168.1.0/24
> Client-PC: 192.168.1.1/24
> iptables-box (default-gateway): 192.168.1.100/24
> squid-box: 192.168.1.2/24
>
> I now want to explain how I understand it:
> a) The first statement:
> If the Client (192.168.1.1) wants to visit (e.g.) www.kernel.org it
> sends its packet to its default gateway (192.168.1.100).
> The default gateway changes the destination IP address to 192.168.1.2
> and the destination port to 3128 so that the packet gets forwarded
> to the proxy.
>
> b) The third statement:
> The packet has the destination IP address of the proxy and therefore
> gets into the FORWARD chain, where it has to be accepted.
>
> c) I don't understand the second statement:
> When the packet leaves the FORWARD chain and enters the POSTROUTING
> chain it gets the source IP address of the default gateway
> (192.168.1.100).
> Why?

Because the answer to the client must be sent back via the iptables box to the client and not directly to the client. The answer packet needs to pass the iptables box so that DNAT can be "undone".

Remember, the client wants to have the replies coming from the IP address of www.kernel.org and from port 80, and not from the squid address and port 3128.

Ciao,
Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
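To make Horst's point concrete, here is a small Python model of the packet flow, added as an illustration; it is not code from the thread or from the HOWTO. It simulates only what the question needs: the iptables-box records the DNAT and (optional) SNAT translations in a conntrack-style table and reverses them on the reply, squid-box answers whatever source address it saw, and, because all three hosts sit on one LAN, a reply addressed straight to the client never passes the gateway. The client's source port (40000) and the address standing in for www.kernel.org are constructed placeholders. Running it with and without the SNAT rule shows why the client only accepts the reply in the first case.

```python
"""Model of the HOWTO chapter 6 DNAT/SNAT flow (constructed example, not netfilter code)."""
from dataclasses import dataclass, replace

CLIENT = "192.168.1.1"        # Client-PC
GATEWAY = "192.168.1.100"     # iptables-box, the default gateway
SQUID = "192.168.1.2"         # squid-box
KERNEL_ORG = "203.0.113.10"   # placeholder for www.kernel.org (TEST-NET-3, constructed)
CLIENT_PORT = 40000           # constructed ephemeral source port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_local_net(ip: str) -> bool:
    """-s local-network match for 192.168.1.0/24 (string prefix is enough for the model)."""
    return ip.startswith("192.168.1.")


class Gateway:
    """iptables-box: DNAT in PREROUTING, SNAT in POSTROUTING, both undone on the reply."""

    def __init__(self, snat: bool):
        self.snat = snat
        # translated 4-tuple -> packet as it arrived; stands in for the conntrack entry
        self.conntrack: dict[tuple, Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        original = pkt
        # PREROUTING: -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
        if pkt.src != SQUID and pkt.dport == 80:
            pkt = replace(pkt, dst=SQUID, dport=3128)
        # POSTROUTING: -s local-network -d squid-box -j SNAT --to iptables-box
        if self.snat and pkt.dst == SQUID and in_local_net(pkt.src):
            pkt = replace(pkt, src=GATEWAY)
        if pkt != original:
            self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = original
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        """Reverse both translations for a reply that reaches the gateway."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse of the translated tuple
        orig = self.conntrack.get(key)
        if orig is None:
            return pkt  # no conntrack entry: nothing to undo
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def squid_reply(pkt: Packet) -> Packet:
    """squid-box answers from 3128 to whatever source address and port it saw."""
    return Packet(src=SQUID, sport=3128, dst=pkt.src, dport=pkt.sport)


def run(snat: bool) -> dict:
    """Send one client request through the gateway and report what the client gets back."""
    gw = Gateway(snat)
    request = Packet(CLIENT, CLIENT_PORT, KERNEL_ORG, 80)
    on_wire = gw.forward(request)          # packet as squid-box receives it
    reply = squid_reply(on_wire)
    if reply.dst == GATEWAY:
        delivered = gw.reply(reply)        # passes the iptables-box, NAT is undone
    else:
        delivered = reply                  # same LAN: goes straight to the client
    expected = (KERNEL_ORG, 80, CLIENT, CLIENT_PORT)
    got = (delivered.src, delivered.sport, delivered.dst, delivered.dport)
    return {"squid_saw": on_wire, "client_got": delivered, "client_accepts": got == expected}


if __name__ == "__main__":
    for snat in (True, False):
        r = run(snat)
        print(f"SNAT={'on ' if snat else 'off'} squid saw {r['squid_saw']} "
              f"-> client got {r['client_got']} accepted={r['client_accepts']}")
```

Without the SNAT rule the proxy sees the client's own address, answers it directly from 192.168.1.2:3128, and the client, which is waiting for a reply from www.kernel.org:80, discards it; with SNAT the reply is addressed to the iptables-box, which rewrites it back to the original source and destination before handing it to the client.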