Date:      Fri, 27 Jul 2007 09:16:26 -0500
From:      Jeff Hedley <jeffh@tcnetworksinc.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Redirect Incoming port 80 connections to port 8080.
Message-ID:  <46A9FE3A.6090406@tcnetworksinc.com>
In-Reply-To: <46A91779.4050509@tcnetworksinc.com>
References:  <46A91779.4050509@tcnetworksinc.com>


On 07/26/2007 04:51 PM, Jeff Hedley wrote:
> I am having a problem getting a Dansguardian + Squid transparent
> proxying system going for a client.  The following is what I want to do,
> but cannot figure out how to get it working using ipfw + natd:
>
>
> [Host]  -  10.0.0.150/24 - sends request to router google.com:80
>   |
>   |
>   |
>   v
> [Router]  -  10.0.0.1/24 - receives request for google.com:80 but sets
>   |          proxy server as next hop for transparent proxy purposes.
>   |        - Not transparently proxied yet.
>   |
>   v
> [FreeBSD Proxy] - 10.0.0.2/24 - receives request for google.com:80
>   |             - request gets transparently proxied to 10.0.0.2:8080
>   |               (this is the part I don't know how to do).
>   |             - runs through Dans, then Squid.
>   |             - Squid sends request out to router again.
>   |             - Outgoing Squid requests get NATed to 10.0.0.2 (also
>   |               don't know how to do this).
>   |
>   v
> [Router]  -  10.0.0.1/24 - receives the request for google.com again,
>   |          but request is allowed through since it's coming from
>   |          10.0.0.2.
>   |
>   v
> (interweb)
>
> Can you tell me how I would set up the FreeBSD box to do what I want
> using ipfw and natd?
>
Here's some more info:

By doing a tcpdump I could see that the packets come into the FreeBSD
box like this:
> 11:54:57.763623 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763662 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763677 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
> 11:54:57.763757 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763768 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763773 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
> 11:54:57.763861 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763870 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763875 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
> 11:54:57.763964 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763974 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> <snip>

I tried turning off the ICMP redirect packets by setting the following:
> sysctl -w net.inet.icmp.drop_redirect=1
> sysctl -w net.inet.icmp.log_redirect=1
> sysctl -w net.inet.ip.redirect=0
But the packet dumps don't change much:  The icmp 36 redirect lines
simply aren't there anymore.

This is the ipfw line I'm using:
> /sbin/ipfw add divert natd tcp from not 10.0.0.2 to any dst-port 80 via en0
and it seems no matter what natd command I use, nothing gets diverted to
natd:  I run natd in verbose mode and nothing ever appears on stdout
except for the following line:
> natd[2570]: Aliasing to 10.0.0.2, mtu 1500 bytes
I can forward all the natd configurations I've tried as well if anyone's
interested.

Any help you all could offer would be greatly appreciated.

-- 
Jeff Hedley
TC Networks, Inc.


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46A9FE3A.6090406>
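The capture quoted in the message is the kind of evidence a practitioner would want to read mechanically when debugging a divert rule: the proxy host answering a client's port-80 SYN with an ICMP redirect, and the client retransmitting the very same SYN, means the packet was routed rather than handed to natd, whereas a diverted flow shows up as a normal SYN/SYN-ACK handshake. The following is an added example, not part of the original thread and not FreeBSD, ipfw or natd code. It parses tcpdump text in the same format as the post's dump (the sample below is constructed for the example, not the poster's capture) and reports ICMP redirects emitted by the proxy host, port-80 SYNs that were repeated without ever receiving a SYN-ACK, and flows that were answered. The function names `parse_capture`, `diagnose` and `run_sample` are the example's own; the proxy address 10.0.0.2 is taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample capture in the same text format as the post's tcpdump output.
# Flow 10.0.0.150:3628 reproduces the failure pattern (SYN retransmitted, proxy host
# answering with ICMP redirects); flow 10.0.0.150:3629 shows an answered handshake.
SAMPLE_CAPTURE = """\
11:54:57.763623 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
11:54:57.763662 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
11:54:57.763677 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
11:54:57.763757 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
11:55:02.000000 IP 10.0.0.150.3629 > 64.233.167.147.80: S 310000001:310000001(0) win 16384 <mss 1460,nop,nop,sackOK>
11:55:02.000800 IP 64.233.167.147.80 > 10.0.0.150.3629: S 777000001:777000001(0) ack 310000002 win 65535 <mss 1460>
11:55:02.001000 IP 10.0.0.150.3629 > 64.233.167.147.80: . ack 1 win 16384
"""

IPV4 = r"\d+(?:\.\d+){3}"
# TCP segment with the SYN flag set; the optional "ack N" marks a SYN-ACK.
SYN_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): "
    r"S (?P<seq>\d+):\d+\(\d+\)(?P<ack> ack \d+)?"
)
# ICMP redirect in the form tcpdump printed it in the post.
REDIRECT_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): icmp \d+: redirect (?P<target>\S+) to host (?P<gw>\S+)"
)


def parse_capture(text):
    """Parse tcpdump lines into event tuples; lines of other kinds are skipped."""
    events = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            d = m.groupdict()
            kind = "synack" if d["ack"] else "syn"
            events.append((kind, d["src"], int(d["sport"]), d["dst"], int(d["dport"]), int(d["seq"])))
            continue
        m = REDIRECT_RE.match(line)
        if m:
            d = m.groupdict()
            events.append(("redirect", d["src"], d["dst"], d["target"], d["gw"]))
    return events


def diagnose(events, proxy_ip, web_port=80):
    """Summarise whether port-80 flows were handled or merely bounced by the proxy host."""
    syn_seen = defaultdict(int)  # (client, cport, server, seq) -> identical SYNs seen
    answered = set()             # (client, cport, server) that received a SYN-ACK
    redirects = []               # (client, target, gateway) for redirects sent by proxy_ip
    for ev in events:
        if ev[0] == "syn" and ev[4] == web_port:
            syn_seen[(ev[1], ev[2], ev[3], ev[5])] += 1
        elif ev[0] == "synack" and ev[2] == web_port:
            answered.add((ev[3], ev[4], ev[1]))
        elif ev[0] == "redirect" and ev[1] == proxy_ip:
            redirects.append((ev[2], ev[3], ev[4]))
    # A SYN repeated with the same sequence number and never answered is the
    # fingerprint of a packet that was routed (and redirected) instead of diverted.
    unanswered = {
        (client, cport, server): n
        for (client, cport, server, _seq), n in syn_seen.items()
        if n > 1 and (client, cport, server) not in answered
    }
    return {
        "redirects_from_proxy": redirects,
        "unanswered_retransmits": unanswered,
        "answered_flows": sorted(answered),
    }


def run_sample(proxy_ip="10.0.0.2"):
    """Run the diagnosis over the constructed sample capture."""
    return diagnose(parse_capture(SAMPLE_CAPTURE), proxy_ip)


if __name__ == "__main__":
    result = run_sample()
    for client, target, gw in result["redirects_from_proxy"]:
        print(f"proxy host redirected {client} for {target} to {gw}: packet was routed, not diverted")
    for (client, cport, server), n in result["unanswered_retransmits"].items():
        print(f"{client}:{cport} -> {server}:80 repeated its SYN {n} times with no SYN-ACK")
    for client, cport, server in result["answered_flows"]:
        print(f"{client}:{cport} -> {server}:80 completed a handshake (divert/proxy path worked)")
```

To use it on a real capture, feed the text of `tcpdump -n -i <iface> port 80 or icmp` into `parse_capture` and pass the proxy box's own address to `diagnose`. A non-empty `redirects_from_proxy` or `unanswered_retransmits` with an empty `answered_flows` is the same picture the post describes: packets reaching the box but never going through the divert rule.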