[Firehol-support] transparent_proxy confusion

Costa Tsaousis costa at tsaousis.gr
Mon Nov 19 11:29:20 GMT 2007

Sven wrote:
> Now, when I set up my firehol config like attached. The transparent proxy
> works well on eth1.
> But, when i include the transparent_proxy command it breaks my direct
> internet connection on the other interfaces including localhost.
> Wget for example is not possible from the machine itself when
> transparent proxy with inface eth1 is up. I get "Connection refused"
> errors then.
> I thought the command:
> transparent_proxy 80 10080 tproxy inface eth1 src
> would not affect other devices than eth1, but as said it breaks direct
> connections on port 80.
> Any idea how to add direct connection functionality on other devices
> than eth1?
From the manual:


      *transparent_proxy* <service> <port> <user> [optional rule parameters]

The *transparent_proxy* helper sets up transparent proxy server for TCP 
traffic. The proxy is assumed to be running on the firewall host at port 
*port*, with the credentials of the local user *user* serving TCP port's 
*service* requests.

The *transparent_proxy* helper can be used for two kinds of traffic:

    * Incoming TCP traffic, either targeted to the firewall host or
      passing through the firewall host.
      The optional rule parameters can be used to specify which kind of
      *incoming* traffic to be caught (by using inface, src, dst,
      etc -- outface should not be used
      here, because the rules generated are placed before the routing
      decision and therefore the outgoing interface is not yet known).

      If no optional rule parameters are given, then the transparent
      proxy will be set up on *all network interfaces for all TCP
      traffic* (use this with care since you are risking to serve
      requests from the internet using your proxy).

    * Locally generated outgoing TCP traffic, except TCP traffic
      generated by processes running as the *user* argument. The
      optional rule parameters inface, outface and
      src are ignored for this type of traffic.

      This kind of matching makes it possible to support transparent
      proxying for clients running on the firewall host, as far as they
      do not run as the user excluded. More than one user can be
      specified by space-separating and enclosing them in double quotes.

      This rule can be disabled by specifying as user the empty string: *""*

Of course, make sure that your firewall allows requests to reach your 
proxy server.

In kernel versions prior to 2.6 you need to enable 
CONFIG_IP_NF_NAT_LOCAL for locally generated outgoing traffic to be 
redirected correctly.


This means that you need to write it like this:

transparent_proxy 80 10080 "" inface eth1 src

This will leave the local users (on the same machine) with a direct 


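An added illustration, not part of the original message and not FireHOL's own code: a simplified model of the two rule sets the quoted manual text describes, showing that inface only narrows the incoming redirect and that the empty user string is what removes the redirect of locally generated traffic. The function names, the chain name tproxy_out and the exact rule layout are assumptions; the model accepts only the inface parameter and prints iptables commands without applying them.

```shell
#!/bin/bash
# Simplified model (assumption, not FireHOL's generated output) of
#   transparent_proxy <service> <port> <user> [inface <if>]
# It only prints iptables commands; it does not touch the firewall.

tproxy_rules() {
    local service="$1" port="$2" users="$3"
    shift 3
    local inface=""
    while [ $# -gt 0 ]; do
        case "$1" in
            inface) inface="$2"; shift 2 ;;
            *) echo "unsupported parameter in this model: $1" >&2; return 1 ;;
        esac
    done

    # 1. Incoming traffic: matched before the routing decision.
    #    With no inface the rule matches on every interface.
    echo "iptables -t nat -A PREROUTING ${inface:+-i $inface }-p tcp --dport $service -j REDIRECT --to-ports $port"

    # 2. Locally generated traffic: inface is ignored here. The whole
    #    rule set is skipped when the user argument is the empty string.
    if [ -z "$users" ]; then
        return 0
    fi
    echo "iptables -t nat -N tproxy_out"
    local u
    for u in $users; do
        # The proxy's own user bypasses the redirect so its upstream
        # requests are not sent back to itself.
        echo "iptables -t nat -A tproxy_out -m owner --uid-owner $u -j RETURN"
    done
    echo "iptables -t nat -A tproxy_out -p tcp -j REDIRECT --to-ports $port"
    echo "iptables -t nat -A OUTPUT -p tcp --dport $service -j tproxy_out"
}

# Exit status 0 when the given rule text redirects locally generated traffic.
redirects_local() {
    printf '%s\n' "$1" | grep -q -- '-A OUTPUT '
}

echo '# transparent_proxy 80 10080 tproxy inface eth1'
tproxy_rules 80 10080 tproxy inface eth1
echo '# transparent_proxy 80 10080 "" inface eth1'
tproxy_rules 80 10080 "" inface eth1
```

On a live system, `iptables -t nat -S OUTPUT` shows whether a redirect of local port 80 traffic is actually present.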