[Firehol-support] Any way to bypass a local transparent proxy from localhost?

Dean Baender dcb at baender.com
Fri Feb 10 03:59:15 CET 2006 

Hello all,

I'm running into the same problem Max Kutny had a month or so ago
( http://sourceforge.net/mailarchive/message.php?msg_id=14478389 )
where web traffic originating from localhost and going through 
transparent_squid is blocked and logged like this:

Feb  9 12:37:08 officegw OUT-unknown:IN= OUT=eth1 SRC=192.168.254.1 
DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61117 DF PROTO=TCP SPT=2693 
DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 

Where eth1 is the external interface and SRC is the external IP.

Costa's suggestion was to "define an interface that matches the traffic," so I 
tried:

public_if="eth1"
public_ip="192.168.254.1"
interface "${public_if}"  loopback src "${public_ip}"
        policy accept
        server all accept
        client all accept
and
interface "lo"  loopback src "${public_ip}"
        policy accept
        server all accept
        client all accept
and
interface "lo"  loopback
        policy accept
        server all accept
        client all accept
all to no effect.

I may be aggravating the situation by using dansguardian+oops proxy.  So my 
setup (which works great from the LAN) is:
Anything coming to 192.168.10.1:80 is forwarded using transparent_squid to 
dansguardian running on port 8080.
Dansguardian then sends the request to oops running on 127.0.0.1:3128, and out 
the the internet from there.

Is there any way I can simply bypass the proxy for traffic that originates on 
the firewall?

I'll include my config, just in case it's helpful.  And, as I'm rather new to 
firehol, any comments on how to make it better are welcome.

-----
# firehol.conf
#
# a basic firehol configuration

# Our private LAN
office_ip="192.168.10.1"
office_if="eth0"
office_lan="192.168.10.0/24"
office_services="ssh ping dns dhcp ntp samba cups webcache"

# Our public LAN
public_ip="192.168.254.1"
public_if="eth1"
public_services="ssh ping tinc"

# Our inter-office VPN (tinc)
vpn0_ip="192.168.10.1"
vpn0_if="vpn"
vpn0_lan="192.168.0.0/16"
vpn0_services="ssh ping dns samba ldap cups"

# Transparent proxy
tp_services="80"
tp_port="8080"
tp_users="clamav squid"
tp_exlude=""

## -------------------------------------------------------
## Define new services
## -------------------------------------------------------
server_tinc_ports="tcp/655 udp/655"
client_tinc_ports="default 655"

## -------------------------------------------------------
## Network Address Translation
## -------------------------------------------------------
# Transparent proxy NAT
if [ ! -z "${tp_port}" ]
then
    transparent_squid "${tp_port}" "${tp_users}"        \
        inface "${office_if}" src "${office_lan}"       \
        `test ! -z "${tp_exclude}" && echo "dst not '${tp_exclude}'"`
fi

# General NAT rule - prefer SNAT, it's faster
if [ ! -z "${public_ip}" ]
then
    snat to "${public_ip}"      \
        outface "${public_if}"  \
        src "${office_lan}" dst not "${UNROUTABLE_IPS}"
else
    masquerade "${public_if}"
fi

## -------------------------------------------------------
## Network interfaces
## -------------------------------------------------------
interface "${office_if}" office src "${office_lan}"
        policy reject
        server "${office_services} ${vpn0_services}" accept
        client all accept

interface "${public_if}" public src not "${office_lan} ${UNROUTABLE_IPS}"
        protection strong
        server "${public_services}" accept
        server ident reject with tcp-reset
        client all accept

#interface "${public_if}"  loopback src "${public_ip}"
#        policy accept
#        server all accept
#        client all accept


interface "${vpn0_if}" vpn0 src "${vpn0_lan} ${office_lan}"
        policy reject
        server "${vpn0_services}" accept
        client all accept

## -------------------------------------------------------
## Internet routing
## -------------------------------------------------------
router office2public inface "${public_if}" outface "${office_if}"
        # no masq here - see NAT section above
        #masquerade reverse
        client all accept
        server ident reject with tcp-reset

#router webproxy inface lo outface "${public_if}"
#       server "webcache" accept
#       client "webcache" accept

## -------------------------------------------------------
## VPN routing
## -------------------------------------------------------
router vpn0out inface "${office_if}" outface "${vpn0_if}" \
        src "${office_lan}" dst "${vpn0_lan}"

        server "${vpn0_services}" accept
        client all accept

router vpn0in inface "${vpn0_if}" outface "${office_if}" \
        src "${vpn0_lan}" dst "${office_lan}"

        server "${vpn0_services}" accept
        client all accept

---------- end firehol.conf ----------

Thanks in advance,
-dean

More information about the Firehol-support mailing list