[Firehol-support] transparent_proxy confusion
Costa Tsaousis
costa at tsaousis.gr
Mon Nov 19 11:29:20 GMT 2007
Sven wrote:
> Now, when I set up my firehol config like attached, the transparent proxy
> works well on eth1.
> But when I include the transparent_proxy command it breaks my direct
> internet connection on the other interfaces including localhost.
>
> Wget for example is not possible from the machine itself when
> transparent proxy with inface eth1 is up. I get "Connection refused"
> errors then.
>
> I thought the command:
> transparent_proxy 80 10080 tproxy inface eth1 src 192.168.1.0/24
> would not affect other devices than eth1, but as said it breaks direct
> connections on port 80.
>
> Any idea how to add direct connection functionality on other devices
> than eth1?
>
From the manual:
---
*transparent_proxy* <service> <port> <user> [optional rule parameters]
The *transparent_proxy* helper sets up a transparent proxy server for TCP
traffic. The proxy is assumed to be running on the firewall host at port
*port*, with the credentials of the local user *user*, serving TCP port
*service* requests.
The *transparent_proxy* helper can be used for two kinds of traffic:
* Incoming TCP traffic, either targeted to the firewall host or
passing through the firewall host.
The optional rule parameters can be used to specify which kind of
*incoming* traffic is to be caught (by using inface, src, dst, etc. --
outface should not be used here, because the rules generated are placed
before the routing decision and therefore the outgoing interface is not
yet known).
If no optional rule parameters are given, then the transparent
proxy will be set up on *all network interfaces for all TCP
traffic* (use this with care, since you are risking serving
requests from the internet using your proxy).
* Locally generated outgoing TCP traffic, except TCP traffic
generated by processes running as the *user* argument. The
optional rule parameters inface, outface and src are ignored for this
type of traffic.
This kind of matching makes it possible to support transparent
proxying for clients running on the firewall host, as long as they
do not run as the excluded user. More than one user can be
specified by space-separating them and enclosing them in double quotes.
This rule can be disabled by specifying the empty string as user: *""*
Of course, make sure that your firewall allows requests to reach your
proxy server.
In kernel versions prior to 2.6 you need to enable
CONFIG_IP_NF_NAT_LOCAL for locally generated outgoing traffic to be
redirected correctly.
---
This means that you need to write it like this:
transparent_proxy 80 10080 "" inface eth1 src 192.168.1.0/24
This will leave the local users (on the same machine) with a direct
connection.
Costa
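As an added illustration (not part of the original post or of FireHOL itself), the following model applies the two matching cases from the manual excerpt above to Sven's original line and to Costa's corrected one; the port, interface, network and user values are taken from the thread, and the matching logic is a reading of the manual text, not FireHOL's own code.

```python
"""Model of which TCP connections the transparent_proxy helper redirects.
Added example based on the manual excerpt; values are taken from the thread
(80 -> 10080, inface eth1, src 192.168.1.0/24, user tproxy). The match
logic below is a reading of the manual, not FireHOL's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class TransparentProxy:
    service: int              # TCP port being intercepted (80)
    port: int                 # local proxy port (10080)
    users: str                # excluded users; "" disables the local-traffic rule
    inface: Optional[str] = None
    src: Optional[str] = None

    def redirects(self, dport, inface=None, src=None, local_user=None):
        """Return True if a connection to dport would be sent to the proxy.

        Incoming traffic (inface given): the inface/src parameters apply.
        Locally generated traffic (local_user given): inface/src are ignored
        and only the excluded-users check applies; users == "" disables it.
        """
        if dport != self.service:
            return False
        if local_user is not None:
            # Local case: optional rule parameters are ignored per the manual.
            if self.users == "":
                return False
            return local_user not in self.users.split()
        # Incoming case: every optional parameter that was given must match.
        if self.inface is not None and inface != self.inface:
            return False
        if self.src is not None and (
            src is None or ip_address(src) not in ip_network(self.src)
        ):
            return False
        return True


# Sven's original line (user "tproxy") and Costa's corrected one (user "").
BROKEN = TransparentProxy(80, 10080, "tproxy", inface="eth1", src="192.168.1.0/24")
FIXED = TransparentProxy(80, 10080, "", inface="eth1", src="192.168.1.0/24")
```

With BROKEN, a wget run on the firewall host as root is redirected to the proxy even though eth1 is not involved, which is the behaviour Sven saw; with FIXED the same connection leaves the host directly while eth1 clients in 192.168.1.0/24 are still proxied.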