[Firehol-support] transparent proxy with UNROUTABLE_IPS

Max Kutny mkutny at gmail.com
Sat Jan 14 11:08:10 GMT 2006


one of interfaces of my computer looks into the outside world. I protect it
'src not "${UNROUTEABLE_IPS}"' clause.

Transparent proxy configured with "transparent_squid 3128 proxy" helper.

When I "telnet sf.net 80" from the firewall I've got the following in
firewall's syslog:
Jan 14 12:15:42 blues kernel: 'OUT-unknown:'IN= OUT=world SRC= LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=17371 DF PROTO=TCP SPT=52401
DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0

Why does it happen?

When locally generated packet originates to sf.net it gets redirected by the
rule in NAT table (produced by transparent proxy helper):
0 0 REDIRECT tcp  --  any any anywhere anywhere redir ports 3128

Redirection means that destination is simply changed to so the
packet gets the following attributes: OUT=world SRC='world address' DST= .

After NAT table processing packet is ruled to the OUTGOING chain.

OUTGOING chain has a jump to user-defined chain for world interface.
And world interface chain itself has "0 0 RETURN all -- any any anywhere"
rule (remember unroutable ips protection?).

Thus, every packet outgoing to world interface with DST= gets
to the OUTPUT chain and gets dropped at the end of it.

If I remove unrouteable ips protection everything gets processed fine.

How could I use transparent proxy with unrouteable ips protection on?

It would help if REDIRECT changed interface to 'lo' as well as DST address.
Unfortunately this is not the case here.

-- Max
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20060114/03d08e1b/attachment-0002.html>

More information about the Firehol-support mailing list