[Firehol-support] transparent_proxy confusion

Sven sven.lug-dorsten at gmx.de
Mon Nov 19 07:18:07 GMT 2007


Hello!

I am trying to set up a transparent proxy, which works now, but breaks
other things. Now I am totally confused and subscribed to this mailing list
in the hope that someone can see the mistake.

My setup:
The box we are talking about is behind a NAT router; some ports are
forwarded to this box, e.g. ssh and openvpn. The device to the NAT
router is eth0.

The box runs the tor proxy software with privoxy in combination.
Therefore clients can use server:8118 as their proxy.

My idea was to run an open WLAN access point on an additional eth1
interface. That interface should use a transparent proxy to connect port
80 requests to the privoxy proxy.

Because privoxy does not support handling transparent proxy requests, I
am running the transproxy software to do the converter job. I decided to
run transproxy bound to 192.168.1.1 (eth1).

Now, when I set up my firehol config as attached, the transparent proxy
works well on eth1.
But when I include the transparent_proxy command, it breaks my direct
internet connection on the other interfaces, including localhost.

Wget, for example, is not possible from the machine itself when the
transparent proxy with inface eth1 is up. I get "Connection refused"
errors then.

I thought the command:
transparent_proxy 80 10080 tproxy inface eth1 src 192.168.1.0/24
would not affect devices other than eth1, but as said, it breaks direct
connections on port 80.

Any idea how to add direct connection functionality on devices other
than eth1?

regards, Sven

-------------- next part --------------
#
# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
# This configuration file will allow all requests originating from the
# local machine to be sent through all network interfaces.
#
# No requests are allowed to come from the network. The host will be
# completely stealthed! It will not respond to anything, and it will
# not be pingable, although it will be able to originate anything
# (even pings to other hosts).
#

version 5

# ----------------------------------------------------------------------
# Define services on eth0
# ----------------------------------------------------------------------

internet_services="icmp ssh2 tor openvpn cvspserver ident"
dialinet_services="icmp ftp imaps squid vnc4 vnc4low gkrellmd torproxy smtp"
localnet_services="icmp ftp imaps squid vnc4 vnc4low gkrellmd torproxy smtp samba http cvspserver"

# ----------------------------------------------------------------------
# Define custom services
# ----------------------------------------------------------------------

server_openvpn_ports="tcp/1194"
client_openvpn_ports="default"

server_vnc4low_ports="tcp/5904"
client_vnc4low_ports="default"

server_vnc4_ports="tcp/6004"
client_vnc4_ports="default"

server_ssh2_ports="tcp/8022"
client_ssh2_ports="default"

server_torproxy_ports="tcp/8118"
client_torproxy_ports="default"

server_tor_ports="tcp/9001"
client_tor_ports="default"

server_gkrellmd_ports="tcp/19150"
client_gkrellmd_ports="default"

server_tp_ports="tcp/10080"
client_tp_ports="default"

# ----------------------------------------------------------------------
# Transparent proxy
# Port 80 requests -> (eth1) 192.168.1.1 -> redirect firewall ->
# transproxy bound on 192.168.1.1:10080 -> privoxy -> tor -> world
# ----------------------------------------------------------------------

transparent_proxy 80 10080 tproxy inface eth1 src 192.168.1.0/24

interface eth0 lan
	protection strong
	policy reject
	server dhcp drop

	server "${internet_services}" accept
	server "${dialinet_services}" accept src 10.0.0.0/24
	server "${localnet_services}" accept src 192.168.123.0/24
	client all accept

interface eth1 lan2
	policy reject
	## Services for transparent tor proxy on eth1: dns
	server dns accept
	server tp accept
	server http accept

	server icmp accept src 192.168.1.0/24
	server openvpn accept src 192.168.1.0/24
	server ssh2 accept src 192.168.1.0/24
	server dhcp accept src 192.168.1.0/24
	client all accept src 192.168.1.0/24
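A diagnostic check for the symptom described in the post, added here as an example and not part of the original thread or of FireHOL: it scans an `iptables-save` dump of the nat table for REDIRECT rules in the OUTPUT chain, which is where a redirect catches the box's own port 80 connections (such as a local wget) rather than only traffic arriving on eth1. The sample dump is constructed to illustrate the check, not captured from the poster's box, and whether the transparent_proxy helper emits such an OUTPUT rule on the real host is an assumption to verify with `iptables-save -t nat`.

```shell
#!/bin/sh
# Constructed sample of an `iptables-save -t nat` dump (hypothetical, not
# captured from the poster's box): a PREROUTING rule limited to eth1 and
# an OUTPUT rule that also redirects the box's own port 80 traffic.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.1.0/24 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10080
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner tproxy -j RETURN
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10080
COMMIT'

# List every REDIRECT rule in the nat OUTPUT chain. OUTPUT only sees packets
# generated on the box itself, so a REDIRECT here hits localhost clients
# such as wget, whatever inface the PREROUTING rule carries.
local_redirects() {
    printf '%s\n' "$1" | grep -E '^-A OUTPUT .* -j REDIRECT '
}

# Exit 0 if some OUTPUT REDIRECT rule has no -o, -s or -d restriction, i.e.
# it redirects all locally originated traffic to the target port. That
# explains a local "Connection refused" when the target (10080 here) is
# bound only to 192.168.1.1 and not to the loopback address.
unrestricted_local_redirect() {
    local_redirects "$1" | grep -vE -- ' -(o|s|d) ' | grep -q .
}

# Report the --to-ports target(s) of the unrestricted OUTPUT rules.
unrestricted_target_ports() {
    local_redirects "$1" | grep -vE -- ' -(o|s|d) ' \
        | sed -n 's/.*--to-ports \([0-9:]*\).*/\1/p'
}

# Stand-alone run: inspect the live ruleset with --live, else the sample.
if [ "${1:-}" = "--live" ] && command -v iptables-save >/dev/null 2>&1; then
    dump=$(iptables-save -t nat)
else
    dump=$SAMPLE_NAT
fi
if unrestricted_local_redirect "$dump"; then
    echo "nat OUTPUT redirects local traffic to port(s):" \
         "$(unrestricted_target_ports "$dump" | tr '\n' ' ')"
else
    echo "no unrestricted REDIRECT in nat OUTPUT"
fi
```

Running it with `--live` as root on the affected box shows whether the OUTPUT chain is the reason wget from the machine itself is redirected to a port nothing listens on.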
