Subject: Re: Transparent Proxy
To: Zafer Aydogan <zafer@gmx.org>
From: Mike M. Volokhov <mishka@apk.od.ua>
List: tech-net
Date: 06/18/2004 11:21:26
On Thu, 17 Jun 2004 17:17:54 +0200 (MEST)
"Zafer Aydogan" <zafer@gmx.org> wrote:

> Hello Newsgroup,
> 
> I'm stuck with one problem setting up my transparent web proxy.
> Everything seems to be working fine.
> But the proxy and the router are two different machines on the same
> network. Though, the redirecting rule loops back if the proxy is going to
> get the website from the internet.
> 
> How can I exclude the proxy from the ruleset?
> 
> I'm using this on the router:
> 
> rdr ex1 0.0.0.0/0 port 80 -> 192.168.0.12 port 8080
> 
> The proxy (192.168.0.12) tries to get the website on port 80 and matches the
> ruleset and loops back.
> 
> I thought about this:
> rdr ex1 0.0.0.0/0 port 80 ! 192.168.0.12/32 port 80 -> 192.168.0.12 port
> 8080
> 
> but this doesn't work.
> I'm sure there is a solution, but I don't get it.

[This is really not a NetBSD-related problem, so I will redirect it to
the ipfilter list too.]

I have a similar "problem". All traffic to port 80 is redirected to the
proxy. But if I wish to leave traffic to all local HTTP servers untouched,
I must specify this in the following way:

rdr rtk0 10.4.1.2 port 80 -> 10.4.1.2 port 80 tcp	# HTTP server 1
...
rdr rtk0 10.x.y.z port 80 -> 10.x.y.z port 80 tcp	# HTTP server X.Y.Z
rdr rtk0 0.0.0.0/0 port 80 -> 192.168.1.2 port 8080 tcp	# Proxy server

On ipnat.conf(5) we have:

redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .

Thus, it seems not possible to specify a source address for redirect rules.
However, relating to your problem, if you connect the proxy to any other
interface, the requests from the proxy will no longer match that redirect
rule.

I think it would be very convenient to have something like the following:

redir ::= "rdr" ifname lhs dport "->" ip [ "," ip ] rdrport options .
lhs ::= ipmask | "from" ipmask "to" ipmask .
ipmask ::= ["!"] ip "/" bits | ["!"] ip "/" mask | ["!"] ip "netmask" mask | "any" .

Thus, my problem can be solved using the rule:

rdr rtk0 ! 10.0.0.0/8 port 80 -> 192.168.1.2 port 8080 tcp

and Zafer's one:

rdr ex1 from ! 192.168.0.12 to any port 80 -> 192.168.0.12 port 8080 tcp

--
TIA,
Mishka.
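An added example, not from either mail and not ipnat's own code: it models first-match rdr lookup for the rule syntax quoted in this thread, including the proposed "!" and "from ... to" forms, and checks whether the proxy's own outbound fetch would be bounced back to the proxy. It assumes ex1/rtk0 are the inside interfaces on which the rules are applied to inbound packets, and uses 203.0.113.10 as a constructed external address.

```python
import ipaddress
import re

# Assumption (not ipnat itself): model first-match rdr lookup for the syntax shown
# in the thread, including the proposed "!" and "from ... to" forms.
RDR_RE = re.compile(
    r"rdr\s+(?P<if>\S+)\s+(?:from\s+(?P<src>!?\s*\S+)\s+to\s+)?(?P<dst>!?\s*\S+)"
    r"\s+port\s+(?P<dport>\d+)\s+->\s+(?P<to>\S+)\s+port\s+(?P<toport>\d+)"
)

def _mask(text):
    """'any', 'a.b.c.d' or 'a.b.c.d/n', optionally prefixed by '!', -> (negated, net)."""
    negated = text.startswith("!")
    text = text.lstrip("! ")
    net = None if text == "any" else ipaddress.ip_network(text, strict=False)
    return negated, net

def _hit(ip, spec):
    negated, net = spec
    inside = True if net is None else ipaddress.ip_address(ip) in net
    return inside != negated            # "!" inverts the match

def parse_rdr(line):
    m = RDR_RE.match(line.split("#")[0].strip())   # drop trailing comments
    if not m:
        raise ValueError(f"unparsable rdr rule: {line!r}")
    return {"if": m["if"],
            "src": _mask(m["src"]) if m["src"] else (False, None),  # no "from": any source
            "dst": _mask(m["dst"]),
            "dport": int(m["dport"]),
            "to": (m["to"], int(m["toport"]))}

def redirect(rules, iface, src, dst, dport):
    """Return (ip, port) of the first rule matching the packet, or None."""
    for r in rules:
        if (r["if"] == iface and r["dport"] == dport
                and _hit(src, r["src"]) and _hit(dst, r["dst"])):
            return r["to"]
    return None

def proxy_loops(rules, iface, proxy_ip, proxy_port, dst="203.0.113.10"):
    """True when the proxy's own fetch (constructed external dst) is sent back to the proxy."""
    return redirect(rules, iface, proxy_ip, dst, 80) == (proxy_ip, proxy_port)

if __name__ == "__main__":
    old = [parse_rdr("rdr ex1 0.0.0.0/0 port 80 -> 192.168.0.12 port 8080 tcp")]
    new = [parse_rdr("rdr ex1 from ! 192.168.0.12 to any port 80 -> 192.168.0.12 port 8080 tcp")]
    print("loops with current rule:", proxy_loops(old, "ex1", "192.168.0.12", 8080))   # True
    print("loops with proposed rule:", proxy_loops(new, "ex1", "192.168.0.12", 8080))  # False
```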