[Firehol-support] appropriate way to do transparent proxy to a node on the LAN
phil at firehol.org
Sat Jul 22 08:17:23 BST 2017
On Sat, Jul 22, 2017 at 12:24:14AM +0000, Spike wrote:
> I currently have transparent proxy set up on the gateway on which firehol is
> also running and a simple "transparent_proxy4..." nicely did the job.
> However I now need to move the proxy functionalities to another box and it
> seems the only way out is to NAT since REDIRECT is to localhost (I guess
> under the hood that's also NAT).
It was a while since I had to set this sort of thing up. Hopefully I
won't present too much misinformation below.
> Should this do it?
> nat4 to-destination $content_filter_lan:8080 proto tcp dport 80
I think you might run into this  problem with up to date versions
The squid wiki still has this though  which is in the same ballpark
It mentions a vulnerability in vague terms...
> any gotchas I should be aware of? will this also alter the source ip?
> otherwise requests will be sent back to the original box and fail afaik.
DNAT (to-destination in firehol) does not alter the source address,
you need to do so explicitly with an snat rule (preferred if you have
a static ip) or masquerade. The MASQUERADE rule in the wiki example is
to take care of this.
Note that this means your squid sees only traffic from the firewall,
so if you wanted to examine the logs or have rules per-client, you
are out of luck.
To resolve that you would use intercept with policy based routing but
that is considerably more effort to set up:
* on firewall, mark the HTTP traffic in firehol
* on firewall, use `ip` to set up a routing table with squid proxy as gateway
* on firewall, use `ip` to set rule sending marked traffic to that table
* on squid proxy, create a REDIRECT rule similar to your existing one
This stackexchange post  looks about right, albeit with plain
Hope that helps
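
The four policy-routing steps listed in the message above, written out as plain iptables and ip commands. This is an added example, not part of the original post and not firehol configuration. The interface name, addresses, mark value, table number and squid port are constructed placeholders, and the squid box is assumed to listen with an "intercept" http_port on that port.

```shell
#!/bin/sh
# Added example: policy-route client HTTP to a squid box on the LAN so that
# squid still sees the real client addresses (no DNAT/MASQUERADE involved).
# Every value below is a constructed placeholder; adjust to your network.
LAN_IF=eth1            # firewall interface facing the clients (assumed)
PROXY_IP=192.168.1.10  # squid box on the LAN (assumed)
SQUID_PORT=3129        # squid "http_port ... intercept" port (assumed)
MARK=2                 # fwmark value (arbitrary)
TABLE=100              # routing table number (arbitrary)

# Print each command; execute it only when APPLY=1 (needs root).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# Run on the firewall.
firewall_rules() {
    # Leave the proxy's own outbound HTTP unmarked, otherwise its requests
    # would be routed straight back to it in a loop.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$PROXY_IP" -p tcp --dport 80 -j ACCEPT
    # Step 1: mark HTTP traffic arriving from the clients.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # Step 2: a routing table whose default gateway is the squid box.
    run ip route add default via "$PROXY_IP" dev "$LAN_IF" table "$TABLE"
    # Step 3: a rule sending marked packets to that table.
    run ip rule add fwmark "$MARK" table "$TABLE"
}

# Run on the squid box.
proxy_rules() {
    # Step 4: packets arrive still addressed to the original web server,
    # so redirect them to the local squid port.
    run iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

case "${1:-}" in
    firewall) firewall_rules ;;
    proxy)    proxy_rules ;;
esac
```

Run it with the argument firewall or proxy to print the commands for that box; set APPLY=1 as root to execute them as well.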