[Firehol-support] appropriate way to do transparent proxy to a node on the LAN

Phil Whineray phil at firehol.org
Sun Jul 23 08:31:09 BST 2017

On Sat, Jul 22, 2017 at 10:46:43PM +0000, Spike wrote:
> Phil,
> thank you for your message, very much appreciate the help. I had completely
> forgotten about the issue of client ip, I definitely need that to apply
> some rules based on the client so it seems I'll have to go the routing way,
> which I actually don't mind and in a sense prefer to NAT'ing. With that in
> mind tho, and this may be OT and more of a networking question, how does the
> routing scenario solve the return path issue? once the filtering box
> receives the request, won't the source ip still be the one of the client?
> (which is the whole point). And that being the case, won't the filter then
> try to route it back to the client which is on the same LAN? it seems for
> the above to work the content filter and the lan would have to be on their
> own network separate from the client.
> [...]

In the setup I created, squid was in a DMZ, so I do not have any actual
experience of this exact problem.

I think you have two choices, probably:

1. Use policy based routing on the squid box too
2. Make the firewall rules for outgoing HTTP traffic (via squid) stateless

In the case of (1) you would need to look at `ip rule` on the squid box
to direct any traffic with a non-local IP back to the firewall. Then you
need to make sure the firewall allows for some external IPs incoming to
your internal interface.

For (2) you would just set up a stateless rule for port 80 packets
travelling to the squid IP. Explicitly adding a NOTRACK rule in
prerouting might be a good idea too, since as you've already observed,
the connections will never form properly from the firewall's view.

I think this should all work: squid with the local REDIRECT should
take care of packets coming back with the official external IP.
Everything else thinks it is just doing normal routing.

Or, isolate the traffic in some way: a VLAN would work if you have the
ability to set one up on whatever connects firewall to squid. In the
firewall and squid it is just an extra interface so would make the
config simpler overall, I imagine.

> On Sat, Jul 22, 2017 at 12:17 AM Phil Whineray <phil at firehol.org> wrote:
> [...]
> > To resolve that you would use intercept with policy based routing but
> > that is considerably more effort to set up:
> >
> > * on firewall, mark the HTTP traffic in firehol
> > * on firewall, use `ip` to set up a routing table with squid proxy as
> > gateway
> > * on firewall, use `ip` to set rule sending marked traffic to that table
> > * on squid proxy, create a REDIRECT rule similar to your existing one
> >
> > This stackexchange post [2] looks about right, albeit with plain
> > iptables commands.
> >
> > Hope that helps
> > Phil
> >
> > [1]: https://squidproxy.wordpress.com/category/interception/
> > [2]: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
> > [3]:
> > https://unix.stackexchange.com/questions/138013/routing-internet-on-nat-server-thru-squid-proxy
> >

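The policy-based-routing intercept discussed in this thread, written out as a constructed example (not code from the thread or from the FireHOL project) with plain iptables/iproute2 commands standing in for firehol's mark helper; it covers the firewall steps, the squid-side REDIRECT, and the stateless/NOTRACK handling from option (2) above. Every interface, address, port and table number is an assumed placeholder.

```shell
#!/bin/sh
# Constructed example (not from the thread or the FireHOL project): both halves
# of the policy-based-routing intercept described above, using plain
# iptables/iproute2 commands. All addresses, interfaces and ports are assumed.
set -eu

LAN_IF=eth1             # interface facing the LAN, on both boxes (assumed)
LAN_NET=192.168.1.0/24  # LAN prefix (assumed)
SQUID_IP=192.168.1.10   # squid box on the same LAN as the clients (assumed)
MARK=1                  # fwmark applied to traffic to be diverted
TABLE=100               # routing table whose default route points at squid
INTERCEPT_PORT=3129     # squid "http_port ... intercept" listener (assumed)

# Print the command when DRY_RUN is set; otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Firewall side: mark LAN port-80 traffic not already bound for squid, send
# marked packets out via squid, and treat them statelessly (option 2) since
# the firewall never sees the reply half of these flows.
firewall_pbr() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        ! -d "$SQUID_IP" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip route replace default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run iptables -t raw -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        ! -d "$SQUID_IP" -p tcp --dport 80 -j CT --notrack
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -m mark --mark "$MARK" -j ACCEPT
}

# Squid side: the diverted packets arrive with the client's source address and
# an external destination; REDIRECT hands them to the intercept listener.
# Replies are un-NATed by conntrack and go straight back to the LAN client.
squid_redirect() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$INTERCEPT_PORT"
}

case "${1:-}" in
    firewall) firewall_pbr ;;
    squid)    squid_redirect ;;
    *)        echo "usage: $0 firewall|squid  (DRY_RUN=1 prints only)" >&2 ;;
esac
```

Run with `DRY_RUN=1 sh pbr.sh firewall` first to review the generated rules before applying them on a box where firehol also manages iptables.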