[Firehol-support] Transparent Proxy to Remote Server

Costa Tsaousis costa at tsaousis.gr
Fri Jun 1 23:10:56 BST 2007

Carlos Rodrigues wrote:
> On 5/31/07, Daniel L. Miller <dmiller at amfes.com> wrote:
>> Is rinetd required?  Can I not use NAT for this?
> You can use NAT, yes.
I think it is a bit more complicated than that.
Normally a client A goes to a random web server B.

If you dnat the request to a proxy, then the information about B is lost
(the hostname part of the URL is expected to be in the http request too,
but this is not always the case, especially if you use some old
clients), and therefore the proxy will not have any idea regarding the
original destination of the request.

Also, if you just dnat the request, then the client A will talk to host
B through your router, but since the clients and router and proxy are on
the same LAN, the replies will go back to the client from the proxy
directly without passing through the router. This may confuse a few
clients. Of course you can snat also the requests on the router so that
the replies will go back the right way, but then your proxy will see all
requests coming from the router without any real client information and
therefore your proxy logs will not have any client information at all.

I believe you can do it reliably with one of the following methods:

1. Set up a proxy on the router/firewall. This proxy will just be a
slave proxy to your master proxy (without caching pages). This is the
easiest way, can be very reliable, and will not add any significant load
on your router/firewall (squid is very lightweight when it is just a
dummy slave).

2. Set up policy based routing, so that your router sends back ICMP
redirects for all http requests to let the clients know that the correct
router for this kind of traffic is the proxy. This way, the proxy needs
to be a router and a transparent proxy. I guess iproute2 does this kind
of policy based routing magic but I cannot help you further with that.


More information about the Firehol-support mailing list