[Firehol-support] Transparent Proxy to Remote Server
Daniel L. Miller
dmiller at amfes.com
Fri Jun 1 23:26:04 BST 2007
Costa Tsaousis wrote:
> Carlos Rodrigues wrote:
>> On 5/31/07, Daniel L. Miller <dmiller at amfes.com> wrote:
>>> Is rinetd required? Can I not use NAT for this?
>> You can use NAT, yes.
> I think it is a bit more complicated than that.
> Normally a client A goes to a random web server B.
> If you dnat the request to a proxy, then the information about B is lost
> (the hostname part of the URL is expected to be in the http request too,
> but this is not always the case, especially if you use some old
> clients), and therefore the proxy will not have any idea regarding the
> original destination of the request.
> Also, if you just dnat the request, then the client A will talk to host
> B through your router, but since the clients and router and proxy are on
> the same LAN, the replies will go back to the client from the proxy
> directly without passing through the router. This may confuse a few
> clients. Of course you can snat also the requests on the router so that
> the replies will go back the right way, but then your proxy will see all
> requests coming from the router without any real client information and
> therefore your proxy logs will not have any client information at all.
> I believe you can do it reliably with one of the following methods:
> 1. Set up a proxy on the router/firewall. This proxy will just be a
> slave proxy to your master proxy (without caching pages). This is the
> easiest way, can be very reliable, and will not add any significant load
> on your router/firewall (squid is very lightweight when it is just a
> dummy slave).
> 2. Set up policy based routing, so that your router sends back ICMP
> redirects for all http requests to let the clients know that the correct
> router for this kind of traffic is the proxy. This way, the proxy needs
> to be a router and a transparent proxy. I guess iproute2 does this kind
> of policy based routing magic but I cannot help you further with that.
Maybe I'm going about this the wrong way - then again, it might be fun
to have it work just because.
I have a smaller machine acting as firewall/router using firehol. I
used to have Squid on this machine - I have since moved almost
everything to a newer internal server with large CPU, memory, and
storage capacities. Squid is working fine on this new machine now, and
clients are using it via local configuration or WPAD.
But I'd like to get a transparent IP proxy working for it as well. I
suppose another way I could do this is make the interior server the
default gateway for the workstations, do the transparent proxy there,
and configure the gateway for the interior server as the router. That's
probably a more maintainable option as well. Just not as much fun!
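To make the two pitfalls Costa lists concrete, here is an added example (not from this thread, firehol or Squid) of the "just DNAT it" approach written as plain iptables rules, with the hairpin SNAT that fixes the reply path. The LAN 192.168.1.0/24, the router's inside interface eth1, and the proxy at 192.168.1.10:3128 are assumed values; the script defaults to a dry run (IPTABLES="echo iptables") so it can be read and checked without root, and is applied for real with IPTABLES=iptables.

```shell
#!/bin/sh
# Constructed example: transparent redirection of LAN web traffic to a proxy
# that lives on the SAME LAN as the clients, done on the router with iptables.
# Assumed addresses/interfaces; override them in the environment.
: "${IPTABLES:=echo iptables}"        # dry run by default; set IPTABLES=iptables to apply
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
PROXY_IP="${PROXY_IP:-192.168.1.10}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Step 1: divert port-80 traffic arriving from the LAN to the proxy box.
# The proxy's own outbound web traffic passes through this router too, so it
# must be excluded first or it loops straight back into the proxy.
# Caveat (Costa's first point): after DNAT the packet's destination IS the
# proxy; the real site survives only in the HTTP Host header, which is all a
# remote transparent proxy has to go on.
dnat_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -s "$PROXY_IP" \
        -p tcp --dport 80 -j RETURN
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
}

# Step 2: hairpin SNAT. Client and proxy share a subnet, so without this the
# proxy's SYN-ACK goes directly to the client, which never sent a SYN to the
# proxy and resets the connection. Masquerading makes the proxy answer the
# router, which then undoes both translations.
# Cost (Costa's second point): the proxy's access log now shows the router's
# address for every client. Scoping the rule to diverted flows only keeps the
# damage to exactly those connections.
snat_rules() {
    $IPTABLES -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" \
        -p tcp --dport "$PROXY_PORT" -j MASQUERADE
}

# Step 3: permit forwarding of the diverted flows and their replies, and
# nothing else between LAN hosts via the router.
forward_rules() {
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" \
        -p tcp --dport "$PROXY_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$PROXY_IP" \
        -p tcp --sport "$PROXY_PORT" -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Emit (or apply) the complete rule set in the order it must be loaded.
all_rules() {
    dnat_rules
    snat_rules
    forward_rules
}

all_rules
```

Running it as-is prints the five rules in load order; the RETURN must precede the DNAT, and the MASQUERADE must be present, or the setup fails in exactly the ways described above. In firehol terms the same rules would be expressed with its `dnat` and `snat` helpers rather than raw iptables, but the trade-off is identical: the client address is gone from the proxy's logs, which is why a slave proxy on the router (Costa's option 1) is the cleaner design when those logs matter.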