From: Jeff Hedley (TC Networks, Inc.)
To: freebsd-questions@freebsd.org
Date: Fri, 27 Jul 2007 09:16:26 -0500
Subject: Re: Redirect Incoming port 80 connections to port 8080.
In-Reply-To: <46A91779.4050509@tcnetworksinc.com>

On 07/26/2007 04:51 PM, Jeff Hedley wrote:
> I am having a problem getting a Dansguardian + Squid transparent
> proxying system going for a client. The following is what I want to do,
> but cannot figure out how to get it working using ipfw + natd:
>
>
> [Host] - 10.0.0.150/24 - sends request to router google.com:80
>   |
>   |
>   |
>   v
> [Router] - 10.0.0.1/24 - receives request for google.com:80 but sets
>   |         proxy server as next hop for transparent proxy purposes.
>   |       - Not transparently proxied yet.
>   |
>   v
> [FreeBSD Proxy] - 10.0.0.2/24 - receives request for google.com:80
>   |       - request gets transparently proxied to 10.0.0.2:8080
>   |         (this is the part I don't know how to do).
>   |       - runs through Dans, then Squid.
>   |       - Squid sends request out to router again.
>   |       - Outgoing Squid requests get NATed to 10.0.0.2 (also
>   |         don't know how to do this).
>   |
>   v
> [Router] - 10.0.0.1/24 - receives the request for google.com again,
>   |         but request is allowed through since it's coming from
>   |         10.0.0.2.
>   |
>   v
> (interweb)
>
> Can you tell me how I would set up the FreeBSD box to do what I want
> using ipfw and natd?
>

Here's some more info. By doing a tcpdump I could see that the packets come into the FreeBSD box like this:

> 11:54:57.763623 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384
> 11:54:57.763662 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384
> 11:54:57.763677 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
> 11:54:57.763757 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384
> 11:54:57.763768 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384
> 11:54:57.763773 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
> 11:54:57.763861 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384
> 11:54:57.763870 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384
> 11:54:57.763875 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
> 11:54:57.763964 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384
> 11:54:57.763974 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384

I tried turning off the ICMP redirect packets by setting the following:

> sysctl -w net.inet.icmp.drop_redirect=1
> sysctl -w net.inet.icmp.log_redirect=1
> sysctl -w net.inet.ip.redirect=0

But the packet dumps don't change much: the icmp 36 redirect lines simply aren't there anymore.

This is the ipfw line I'm using:

> /sbin/ipfw add divert natd tcp from not 10.0.0.2 to any dst-port 80 via en0

and it seems no matter what natd command I use, nothing gets diverted to natd. I run natd in verbose mode and nothing ever appears on stdout except for the following line:

> natd[2570]: Aliasing to 10.0.0.2, mtu 1500 bytes

I can forward all the natd configurations I've tried as well if anyone's interested.

Any help you all could offer would be greatly appreciated.

--
Jeff Hedley
TC Networks, Inc.