[Firehol-support] transparent proxy with UNROUTABLE_IPS

Costa Tsaousis costa at tsaousis.gr
Sat Jan 14 17:37:59 GMT 2006


Which kernel version are you using?
It seems there is an error in how your kernel interprets the traffic: 
DST= cannot go out via OUT=world.

Anyway, you can allow this to happen if you define an interface that 
matches this traffic.


Max Kutny wrote:

> Gents,
> one of interfaces of my computer looks into the outside world. I 
> protect it with
> 'src not "${UNROUTABLE_IPS}"' clause.
> Transparent proxy configured with "transparent_squid 3128 proxy" helper.
> When I "telnet sf.net 80" from the firewall I've got 
> the following in firewall's syslog:
> Jan 14 12:15:42 blues kernel: 'OUT-unknown:'IN= OUT=world 
> SRC= <> DST= 
> <> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=17371 DF 
> PROTO=TCP SPT=52401 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
> Why does it happen?
> When a locally generated packet is destined for sf.net, it 
> gets redirected by the following
> rule in the NAT table (produced by the transparent proxy helper):
> 0 0 REDIRECT tcp  --  any any anywhere anywhere redir ports 3128
> Redirection means that destination is simply changed to 
> <> so the
> packet gets the following attributes: OUT=world SRC='world address' 
> DST= <> .
> After NAT table processing packet is ruled to the OUTGOING chain.
> OUTGOING chain has a jump to user-defined chain for world interface.
> And world interface chain itself has "0 0 RETURN all -- any any 
> anywhere <>"
> rule (remember unroutable ips protection?).
> Thus, every packet outgoing to world interface with DST= 
> <> gets returned
> to the OUTPUT chain and gets dropped at the end of it.
> If I remove unroutable ips protection everything gets processed fine.
> How could I use transparent proxy with unroutable ips protection on?
> It would help if REDIRECT changed interface to 'lo' as well as DST 
> address.
> Unfortunately this is not the case here.
> -- Max
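To make the chain traversal Max describes easier to follow, here is a small Python model of it. This is an added example, not code from the thread or from FireHOL: the rule set is a deliberately simplified stand-in for what a FireHOL-style configuration generates (the REDIRECT in nat OUTPUT, a per-interface chain that RETURNs for unroutable destinations, and the log-and-drop at the end of filter OUTPUT). The `Packet` class, the `broken_ruleset`/`fixed_ruleset` helpers and the sample addresses are all constructed for the illustration. The "fixed" rule set follows Costa's suggestion of defining a separate interface that matches the redirected traffic (destination loopback, proxy port) ahead of the world interface, so the unroutable-destination RETURN no longer applies to it while the protection stays in force for everything else.

```python
"""Toy model of the netfilter path for a locally generated packet that hits
a transparent-proxy REDIRECT rule and is then judged by the OUTPUT chain.

Constructed example. The chains below are a simplified model of the
behaviour described in the thread, not FireHOL's actual generated rules.
"""
from dataclasses import dataclass, replace
import ipaddress

# Constructed: only the unroutable prefixes relevant to this example.
# FireHOL's real UNROUTABLE_IPS list is considerably longer.
UNROUTABLE_IPS = [ipaddress.ip_network(n)
                  for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]
PROXY_PORT = 3128          # port used with "transparent_squid 3128 proxy"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    out: str               # outgoing interface as chosen by routing


def is_unroutable(addr):
    """True if addr falls inside one of the unroutable prefixes."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in UNROUTABLE_IPS)


def nat_output(pkt):
    """nat OUTPUT: the transparent proxy helper's REDIRECT rule.

    REDIRECT rewrites the destination of locally generated traffic to
    127.0.0.1 and the port to the proxy port.  As Max observes, the
    outgoing interface recorded for the packet is left as it was.
    """
    if pkt.proto == "tcp" and pkt.dport == 80:
        return replace(pkt, dst="127.0.0.1", dport=PROXY_PORT)
    return pkt


def world_out_chain(pkt):
    """Per-interface chain for 'world' protected with src not UNROUTABLE_IPS.

    For outgoing packets the protection becomes a destination check:
    an unroutable destination RETURNs to the caller instead of being accepted.
    """
    if is_unroutable(pkt.dst):
        return "RETURN"
    return "ACCEPT"


def proxy_loop_chain(pkt):
    """Constructed extra interface chain: traffic already redirected to the
    local proxy port is accepted; anything else RETURNs as usual."""
    if pkt.proto == "tcp" and pkt.dport == PROXY_PORT:
        return "ACCEPT"
    return "RETURN"


def filter_output(pkt, interfaces):
    """filter OUTPUT: jump into each matching interface chain in order.

    A RETURN falls through to the next jump; reaching the end of OUTPUT
    is the 'OUT-unknown:' log line followed by the drop Max sees.
    """
    for _name, matcher, chain in interfaces:
        if matcher(pkt):
            verdict = chain(pkt)
            if verdict != "RETURN":
                return verdict
    return "DROP"


def trace(pkt, interfaces):
    """Full path for a locally generated packet: nat OUTPUT, then filter OUTPUT."""
    return filter_output(nat_output(pkt), interfaces)


def broken_ruleset():
    """Only the world interface: redirected packets RETURN and get dropped."""
    return [("world", lambda p: p.out == "world", world_out_chain)]


def fixed_ruleset():
    """An interface matching the redirected traffic (loopback destination on
    the world path) is consulted before the world interface chain."""
    return [
        ("proxy_loop",
         lambda p: p.out == "world" and ipaddress.ip_address(p.dst).is_loopback,
         proxy_loop_chain),
        ("world", lambda p: p.out == "world", world_out_chain),
    ]


if __name__ == "__main__":
    # Constructed sample traffic: the telnet-to-port-80 case from the thread.
    web = Packet(src="203.0.113.5", dst="198.51.100.7", proto="tcp", dport=80, out="world")
    print("redirected web traffic, broken :", trace(web, broken_ruleset()))   # DROP
    print("redirected web traffic, fixed  :", trace(web, fixed_ruleset()))    # ACCEPT
    # The unroutable-destination protection is still enforced for other traffic.
    leak = Packet(src="203.0.113.5", dst="10.1.2.3", proto="tcp", dport=443, out="world")
    print("direct packet to 10/8, fixed   :", trace(leak, fixed_ruleset()))   # DROP
```

Running the script prints DROP for the redirected packet under the single-interface rule set, ACCEPT once the extra interface is in front of it, and DROP for an ordinary packet to a 10/8 address, which is the property the protection is there to enforce. The order of the interface jumps is what matters: the chain that accepts the redirected traffic has to be consulted before the world chain RETURNs on the loopback destination.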
