Re: enable rp_filter and transparent remote proxys.

To: Blair L Strang <bls@totalinfosecurity.com>, debian-firewall@lists.debian.org
Subject: Re: enable rp_filter and transparent remote proxys.
From: Mike Mestnik <cheako911@yahoo.com>
Date: Mon, 1 Nov 2004 14:54:26 -0800 (PST)
Message-id: <20041101225426.91427.qmail@web11908.mail.yahoo.com>
In-reply-to: <417C80C7.20007@totalinfosecurity.com>

--- Blair L Strang <bls@totalinfosecurity.com> wrote:

> Hi,
> 
> There's something odd happening with your emails somewhere along the
> line.  It looks pretty crazy and I can't work out what it is!  It's like
> some combinations of letters get replaced / doubled.
> 
> Mike Mestnik wrote:
> 
> >>It looks like you're routing back into your internal net, so I think
> >>you only need rprpilter turned off on the internal interface.  You'll
> >>be seeing replies coming in from a local source, which the kernel
> thinks
> >>are supposed to be coming from the 'net.
> >>
> > 
> > That's correct.  After setting it up, I'm still not seeing packets on
> my
> > proxy, but it still works.  I'I'lave to look closer at the logs of the
> > GWGW
> 
> Hmmm.  So nothing's getting to the proxy?   Well, the rp_filter stuff is
> only going to cause problems when traffic is coming /back/ from the
> transparent proxy.  So it's probably not why things weren't working.
> 
That's correct, the pks are getting marked(iptables -v -L) but the routing
(tcpdump and wget --proxy=no) is not being changed.  It's odd that every
thing is setup but connections still go thought the router just fine.

I'm not using "-m state" on the "-j MARK" rules.  This way data can/will
be sent directly from the proxy to the client.

> > Heh, mestiriously send_redirects was change 4 me.  Wouldne't surprise
> me
> > if it's forced off when you set rp_filter to off.
> 
> Weird!  The new-ish 2.4 kernel on my gateway doesn't do this :-/
> 
I'm 2.4.26 hmm.  I don't know how it got turned off.

> > I think in this case icicmpedirects are dedesierableththogutht will
> cause
> > extra traffic.  If the client accepts the reredirt should remove load
> off
> > the router, a big plpluss On the other hand if the client ignores the
> > reredirthtenhere will be many of these icicmpsike one every 30
> seconds),
> > this is hthtextra traffic I was talking about.
> 
> I think that redirects will do the wrong thing.  If there's a connection
> to port 80 on $HOST, the client accepts the redirect, and /then/ the
> client wants $HOST on port 143 (say), then the clients will still send
> to the transproxy and not the router, no?
> 
The proxy has...
up iptables -t nat -A PREROUTING -i eth0+ -p tcp --dst ! 10.0.0.110 \
        --dport 80 -j REDIRECT --to-port 3128 || true
up iptables -t nat -A PREROUTING -i eth0+ -p tcp --dst ! 10.0.0.110 \
        --dport 443 -j REDIRECT --to-port 3128 || true

It's IP is 10.0.0.110.

So if the client's route directly to the proxy every thing will be fine.

> > Any other thoughts?
> 
> About the non-showing up packets: You might want to double-check that
> CONFIG_IP_ROUTE_FWMARK is set for your kernel (i.e, use nfmark as part
> of the routing key).
> 
It is and I don't get any thing from stdout or stderr from the "ip"
calles.

> One thing which causes a lot of people problems is that netfilter uses
> hex for mark values, while iproute2 uses decimal.  But that's not what's
> going on here...
> 
Correct I specificaly used "11b" or 3 to avoid such confusion.

> Cheers,
> 
>      Blair.
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
> 



		
__________________________________ 
Do you Yahoo!? 
Check out the new Yahoo! Front Page. 
www.yahoo.com

Reply to:

Prev by Date: Re: Port 111
Next by Date: Re: Port 111
Previous by thread: Re: Port 111
Next by thread: Fwd: Fw: Arborist budget cuts
Index(es):
- Date
- Thread