OpenWrt Forum Archive

Topic: Transparent proxy not working.

The content of this topic has been archived on 3 Feb 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

After having spent a few hours I cannot get transparent proxy to work.  I believe the problem is that the proxy server is not even receiving the packets from the router.  I looked at all the traffic on port 3128 on the proxy server and nothing was coming in from the router at all.  I have also made the configuration changes to squid to make it transparent.

My assumption is that after performing the iptables changes, my browser on my workstation (192.168.1.222) should just end up going through the proxy server, but instead I timeout waiting for data to come back.  Here's my setup:

INTERNAL_NETWORK=192.168.1.0/24
LAN=br-lan
LANIP=192.168.1.1
SQUIDIP=192.168.1.50
SQUIDPORT=3128

iptables -t nat -A PREROUTING -i $LAN ! -s $SQUIDIP -p tcp --dport 80 -j DNAT --to $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -o $LAN -s $INTERNAL_NETWORK -d $SQUIDIP -j SNAT --to $LANIP
iptables -A FORWARD -s $INTERNAL_NETWORK -d $SQUIDIP -i $LAN -o $LAN -p tcp --dport $SQUIDPORT -j ACCEPT


And here's some more possible relevant information.

/etc/config/network:
Loading defaults
Loading synflood protection
Adding custom chains
Loading zones
Loading rules
Loading forwarding
Loading redirects
Loading includes
root@OpenWrt:/etc# cat config/network

config 'switch' 'eth0'
        option 'vlan0' '1 2 3 4 5*'
        option 'vlan1' '0 5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'macaddr' ''
        option 'ip6addr' ''
        option 'gateway' ''
        option 'ip6gw' ''
        option 'dns' ''

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'static'
        option 'macaddr' ''
        option 'ipaddr' '173.9.xxx.xxx'
        option 'ip6addr' ''
        option 'netmask' '255.255.255.248'
        option 'gateway' '173.9.xxx.xxx'
        option 'ip6gw' ''
        option 'dns' '68.87.72.130 68.87.77.130'


/etc/config/firewall:
config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'
        option 'mtu_fix' '1'

config 'redirect' 'vnc'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'src_dport' '5900'
        option 'dest_ip' '192.168.1.50'
        option 'dest_port' '5900'

Output of route:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
173.9.xxx.xxx   *               255.255.255.248 U     0      0        0 eth0.1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
default         173-9-xxx-xxx-I 0.0.0.0         UG    0      0        0 eth0.1

And I'm running Kamikaze 8.9.

Note: Sorry for posting this twice, but I also posted this question as a reply to a 5 year old thread last month and got no reply, so figured I'd start a new thread.  I tried reading the forum rules to make sure this wasn't bad etiquette, but that gave me a 404.

Thanks,
Ross.

Try this:

iptables -t nat -A PREROUTING -i <internal interface> -p tcp --dport 80 -j REDIRECT --to-port 3180

I'd use tinyproxy if it's enough. There is even a LuCI application for it.

(Last edited by Yanira on 3 Jun 2009, 17:53)

Scerpio,
I don't think that'll work.  That assumes that the proxy server is running on the same box, which it is not.  I have a somewhat beefy box that's my media/proxy/dnscaching/smb/radius server which I was hoping to use.

Thanks,
Ross.

Did you ever get this working? I'm trying to do something similar but not having any luck. The bridge is in place but I can't get the traffic off it onto either a local or remote proxy.

I smell trouble. This works for me...

In /etc/firewall.transproxy,

#!/bin/sh

LANIF=br-lan #LAN interface

ROUTER=192.168.1.1 #Router's IP

INTERCEPT_PORT=80 #What port you want to intercept

TO=192.168.1.2 #Target's IP, ie the system running the transparent proxy -- it doesn't even need to be in the local network!
# TO Could be the same as ROUTER, but then you're better off using a -j REDIRECT --to-port xxxx style rule.

TO_PORT=8888 #Target port

echo "Loading intercept rules for port $INTERCEPT_PORT to $TO:$TO_PORT"

# Coming from non-target lan address to port, rewrite destination to target
iptables -t nat -A prerouting_lan ! -s $TO -p tcp --dport $INTERCEPT_PORT -j DNAT --to $TO:$TO_PORT

# Going to the target from the lan, rewrite source as router
iptables -t nat -A postrouting_rule -o $LANIF -d $TO -p tcp --dport $TO_PORT -j SNAT --to $ROUTER

# Allow forwarding on lan to the target
iptables -A forwarding_lan -d $TO -p tcp --dport $TO_PORT -j ACCEPT

And then in /etc/config/firewall,

config include
    option path /etc/firewall.transproxy

I hope that helps. Try not to cause too much mischief.

Dave
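Added example, not code from the thread: a small Python model of what the three rules in the script above do to one LAN client's HTTP connection, for the case where the proxy sits on the same br-lan subnet. It uses the script's ROUTER/TO/TO_PORT/INTERCEPT_PORT values; the client and web-server addresses are constructed. Running it with snat=False shows why the SNAT rule matters (the proxy answers the client directly and the client's TCP stack rejects the reply), and running it with exclude_proxy=False shows what the "! -s $TO" exclusion prevents (the proxy's own upstream fetch is redirected back to the proxy).

```python
from dataclasses import dataclass, replace

# Variables as in the script above; CLIENT and WEB are constructed sample hosts.
ROUTER, TO, TO_PORT, INTERCEPT_PORT = "192.168.1.1", "192.168.1.2", 8888, 80
LAN_PREFIX = "192.168.1."
CLIENT, WEB = "192.168.1.222", "203.0.113.10"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def router_nat(pkt, conntrack, snat=True, exclude_proxy=True):
    """Apply prerouting_lan (DNAT) then postrouting_rule (SNAT) to one SYN.

    Returns the packet as it leaves br-lan and records, like conntrack,
    how to reverse the translation when the reply comes back."""
    original = pkt
    if (pkt.src.startswith(LAN_PREFIX) and pkt.dport == INTERCEPT_PORT
            and not (exclude_proxy and pkt.src == TO)):
        pkt = replace(pkt, dst=TO, dport=TO_PORT)   # -j DNAT --to $TO:$TO_PORT
    if snat and pkt.dst == TO and pkt.dport == TO_PORT:
        pkt = replace(pkt, src=ROUTER)              # -j SNAT --to $ROUTER
    conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = original
    return pkt


def reply_path(sent, conntrack):
    """Where the SYN-ACK ends up and what the originating host finally sees.

    The server answers whatever source the SYN carried.  If that is the
    router, both translations are reversed from the conntrack entry; if it
    is a LAN host, the reply crosses the bridge directly and is never NATed."""
    reply = Pkt(sent.dst, sent.dport, sent.src, sent.sport)
    if reply.dst == ROUTER:
        orig = conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        reply = Pkt(orig.dst, orig.dport, orig.src, orig.sport)
    return reply


def client_accepts(syn, reply):
    """A TCP stack only matches a reply to the socket that sent the SYN."""
    return (reply.src, reply.sport, reply.dport) == (syn.dst, syn.dport, syn.sport)


def run(snat=True, exclude_proxy=True, src=CLIENT):
    """One HTTP SYN from `src`; returns (host that received it, accepted?)."""
    conntrack = {}
    syn = Pkt(src, 40000, WEB, 80)
    out = router_nat(syn, conntrack, snat, exclude_proxy)
    return out.dst, client_accepts(syn, reply_path(out, conntrack))
```

On a real box the equivalent check is the packet counters of the two nat rules (iptables -t nat -L -v -n): if the DNAT counter rises but the SNAT counter does not, the replies are bypassing the router exactly as the snat=False case shows.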

I'll give it a try later, out of interest, what device was that on? I'm on a Fon2 which seems to virtualise the two ethernet ports from a single eth0 which is one of the things I thought could be causing me a problem.

dninja, for me it works on a WL-500gP (brcm) using trunk/2.6 and 8.09.x/2.4.

(Last edited by kupesoft on 24 Oct 2009, 18:07)

So on my setup that comes down to being this:

iptables -t nat -A prerouting_lan ! -s 192.168.0.2 -p tcp --dport 80 -j DNAT --to 192.168.0.2:8888
iptables -t nat -A postrouting_rule -o br-lan -d 192.168.0.2 -p tcp --dport 8888 -j SNAT --to 192.168.0.254
iptables -A forwarding_lan -d 192.168.0.2 -p tcp --dport 8888 -j ACCEPT

which still doesn't work!

I'm now thinking about vlans and stuff like that maybe causing the problems as I can't see anything else. I'm setting up my bridge by hand with brctl so I end up with

# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          8000.001884d0a060       no              eth0.0
                                                        eth0.1

I can't find a way to check what vlans are set up and running, searching for vlan and interface comes back with so many answers that it is useless.

Any ideas?

I also tried the above and this does nothing, my traffic still does not even touch the squid proxy server.

So it isn't just me messing things up, that's good.

I still haven't managed to get this working so still looking for suggestions.

Describe your network topology, post your firewall and network config files, and paste the output to network-related commands like iptables, brctl, ifconfig, etc and I'll take a look.

/etc/config/network:

config 'switch' 'eth0'
    option 'vlan0' '1 2 3 4 5*'
    option 'vlan1' '0 5'

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'lan'
    option 'type' 'bridge'
    option 'ifname' 'eth0.0'
    option 'proto' 'static'
    option 'ipaddr' '192.168.2.254'
    option 'netmask' '255.255.255.0'

config 'interface' 'wan'
    option 'ifname' 'eth0.1'
    option 'peerdns' '1'
    option 'defaultroute' '1'
    option 'proto' 'pppoe'
    option 'keepalive' '5'
    option 'username' 'USER'
    option 'password' 'PASS'

brctl show:

bridge name     bridge id               STP enabled     interfaces
br-lan          8000.001601adb4f0       no              eth0.0
                                                        wl0

ifconfig:

br-lan    Link encap:Ethernet  HWaddr 00:16:01:AD:B4:F0 
          inet addr:192.168.2.254  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6690716 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7278352 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:398379345 (379.9 MiB)  TX bytes:2006550971 (1.8 GiB)

eth0      Link encap:Ethernet  HWaddr 00:16:01:AD:B4:F0 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13976945 errors:0 dropped:48 overruns:0 frame:0
          TX packets:13960724 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2671761832 (2.4 GiB)  TX bytes:2661701759 (2.4 GiB)
          Interrupt:4

eth0.0    Link encap:Ethernet  HWaddr 00:16:01:AD:B4:F0 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6690714 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7278352 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:425142085 (405.4 MiB)  TX bytes:2035664379 (1.8 GiB)

eth0.1    Link encap:Ethernet  HWaddr 00:16:01:AD:B4:F0 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7281847 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6678314 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1990948703 (1.8 GiB)  TX bytes:566042266 (539.8 MiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:205 errors:0 dropped:0 overruns:0 frame:0
          TX packets:205 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17956 (17.5 KiB)  TX bytes:17956 (17.5 KiB)

ppp0      Link encap:Point-to-Point Protocol 
          inet addr:xx.xx.x.xx  P-t-P:xxx.xxx.x.xx  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:5779 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5057 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:1850652 (1.7 MiB)  TX bytes:1026410 (1002.3 KiB)

wl0       Link encap:Ethernet  HWaddr 00:16:01:AD:B4:F1 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:43019
          TX packets:0 errors:72 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:2 Base address:0x5000

iptables -L :

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
input_rule  all  --  anywhere             anywhere           
input      all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:22 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:22 state NEW limit: avg 3/min burst 5
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere           
forward    all  --  anywhere             anywhere           
reject     all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
output_rule  all  --  anywhere             anywhere           
output     all  --  anywhere             anywhere           

Chain forward (1 references)
target     prot opt source               destination         
zone_lan_forward  all  --  anywhere             anywhere           
zone_wan_forward  all  --  anywhere             anywhere           

Chain forwarding_lan (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         
ACCEPT     all  --  192.168.2.0/24       192.168.2.0/24     
ACCEPT     all  --  anywhere             anywhere           

Chain forwarding_wan (1 references)
target     prot opt source               destination         

Chain input (1 references)
target     prot opt source               destination         
zone_lan   all  --  anywhere             anywhere           
zone_wan   all  --  anywhere             anywhere           

Chain input_lan (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1723
ACCEPT     gre  --  anywhere             anywhere           

Chain input_wan (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  xx.xx.x.xx              tcp dpt:22 
lognrej    all  --  anywhere             anywhere           

Chain logndrop (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level warning prefix `IN: '
DROP       all  --  anywhere             anywhere           

Chain lognrej (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level warning prefix `IN: '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain output (1 references)
target     prot opt source               destination         
zone_lan_ACCEPT  all  --  anywhere             anywhere           
zone_wan_ACCEPT  all  --  anywhere             anywhere           

Chain output_rule (1 references)
target     prot opt source               destination         
ACCEPT     gre  --  anywhere             anywhere           

Chain reject (5 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere           

Chain zone_lan (1 references)
target     prot opt source               destination         
input_lan  all  --  anywhere             anywhere           
zone_lan_ACCEPT  all  --  anywhere             anywhere           

Chain zone_lan_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           

Chain zone_lan_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           

Chain zone_lan_MSSFIX (0 references)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_lan_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere           
reject     all  --  anywhere             anywhere           

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
zone_wan_MSSFIX  all  --  anywhere             anywhere           
zone_wan_ACCEPT  all  --  anywhere             anywhere           
forwarding_lan  all  --  anywhere             anywhere           
zone_lan_REJECT  all  --  anywhere             anywhere           

Chain zone_wan (1 references)
target     prot opt source               destination         
input_wan  all  --  anywhere             anywhere           
zone_wan_REJECT  all  --  anywhere             anywhere           

Chain zone_wan_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           

Chain zone_wan_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           

Chain zone_wan_MSSFIX (1 references)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_wan_REJECT (2 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere           
reject     all  --  anywhere             anywhere           

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             192.168.2.x             tcp dpt:22
forwarding_wan  all  --  anywhere             anywhere           
zone_wan_REJECT  all  --  anywhere             anywhere

I'm away at the moment so don't have access to the device to grab anything but will do when I get back next week.

The basic setup is eth0.0 and 0.1 are bridged and the device is just acting as an invisible pass through on a small segment of the network.

I've removed all iptables rules then added the normal transparent proxy rule.

morphix: my rules from above aren't in there and you haven't added your firewall config.

dninja: okay

The discussion might have continued from here.