transparent proxies / iptables: Mini How To by Daniel Kiracofe

Wolfgang Wyremba
01-15-2004, 10:09 AM
Hello!

I have difficulty understanding the iptables statements in chapter 6
"Transparent Proxy to a Remote Box" of Daniel Kiracofe's Mini-How-To
"Transparent Proxy with Linux and Squid"
(http://tldp.org/HOWTO/TransparentProxy-6.html)

As far as I know, when packets are forwarded they pass through the following
chains: PREROUTING --> FORWARD --> POSTROUTING
(http://iptables-tutorial.frozentux.n...#TRAVERSINGOFTABLES)

Daniel uses the following 3 iptables statements and explains them with the
following sentences:

iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

"The first one sends the packets to squid-box from iptables-box.
The second makes sure that the reply gets sent back through iptables-box,
instead of directly to the client (this is very important!).
The last one makes sure the iptables-box will forward the appropriate
packets to squid-box.
It may not be needed. YMMV."

Let's assume the following:
local-network: 192.168.1.0/24
Client-PC: 192.168.1.1/24
iptables-box (default-gateway): 192.168.1.100/24
squid-box: 192.168.1.2/24

I now want to explain how I understand it:
a) The first statement:
If the Client (192.168.1.1) wants to visit (e.g.) www.kernel.org it sends
its packet to its default-gateway (192.168.1.100).
The default-gateway changes the destination ip address to 192.168.1.2 and
destination port to 3128 so that the packet gets forwarded
to the proxy.

b) The third statement:
The packet has the destination IP address of the proxy and therefore enters
the FORWARD chain, where it has to be accepted.

c) I don't understand the second statement:
When the packet leaves the FORWARD chain and enters the POSTROUTING chain
it gets the source IP address of the default-gateway (192.168.1.100).
Why?

When leaving the POSTROUTING chain the packet gets forwarded to the
proxy.
The proxy opens the connection to www.kernel.org and sends the HTTP
request.
The HTTP reply gets sent back to the proxy.

And now the question:
How can the proxy know that it has to send the reply to the Client
(192.168.1.1) and not to the default-gateway (192.168.1.100)?
The second statement changes the source IP address so that it looks like
the packet comes from the default-gateway.

I hope one of you can tell me how it works.

Thanks!

Wolfi


Horst Knobloch
01-15-2004, 07:50 PM
Wolfgang Wyremba <(E-Mail Removed)> wrote:


> (http://tldp.org/HOWTO/TransparentProxy-6.html)

[...]
> Daniel uses the following 3 iptables statements and explains them with
> the following sentences:
>
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
>
> "The first one sends the packets to squid-box from iptables-box.
> The second makes sure that the reply gets sent back through iptables-box,
> instead of directly to the client (this is very important!).
> The last one makes sure the iptables-box will forward the appropriate
> packets to squid-box.
> It may not be needed. YMMV."
>
> Let's assume the following:
> local-network: 192.168.1.0/24
> Client-PC: 192.168.1.1/24
> iptables-box (default-gateway): 192.168.1.100/24
> squid-box: 192.168.1.2/24
>
> I now want to explain how I understand it:
> a) The first statement:
> If the Client (192.168.1.1) wants to visit (e.g.) www.kernel.org it
> sends its packet to its default-gateway (192.168.1.100).
> The default-gateway changes the destination ip address to 192.168.1.2
> and destination port to 3128 so that the packet gets forwarded
> to the proxy.
>
> b) The third statement:
> The packet has the destination ip address of the proxy and gets
> therefore into the FORWARD chain where it has to be accepted.
>
> c) I don't understand the second statement:
> When the packet leaves the FORWARD chain and enters the POSTROUTING
> chain it gets the source ip address of the default-gateway
> (192.168.1.100).
> Why?


Because the answer to the client must be sent back via the
iptables box to the client and not directly to the client.
The answer packet needs to pass the iptables box so that the DNAT
can be "undone". Remember, the client wants to have the replies
coming from the IP address of www.kernel.org and from port 80
and not from the squid address and port 3128.

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
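As an added illustration (not part of either post or of the HOWTO), this small Python simulation walks the client's packet to port 80 through the three rules and Squid's reply back to the client, once with the SNAT rule and once without, to show why Horst says the reply must pass through the iptables box. The web server address 198.51.100.10 stands in for www.kernel.org, the client source port 40000 is an assumption, and the conntrack entry is a plain dict rather than anything netfilter exposes.

```python
from dataclasses import dataclass, replace

# Addresses from the thread; 198.51.100.10 is a constructed stand-in for www.kernel.org
CLIENT = "192.168.1.1"
IPTABLES_BOX = "192.168.1.100"
SQUID_BOX = "192.168.1.2"
WEB = "198.51.100.10"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def forward_path(pkt, use_snat=True):
    """Client -> iptables-box -> squid-box: returns what Squid sees plus the box's conntrack entry."""
    original = pkt
    # Rule 1 (PREROUTING DNAT): port-80 traffic not from squid-box is redirected to squid-box:3128
    if pkt.src != SQUID_BOX and pkt.dport == 80:
        pkt = replace(pkt, dst=SQUID_BOX, dport=3128)
    # Rule 3 (FORWARD ACCEPT) only permits the packet; it rewrites nothing
    # Rule 2 (POSTROUTING SNAT): local-network -> squid-box leaves with the box's own address
    if use_snat and pkt.dst == SQUID_BOX:
        pkt = replace(pkt, src=IPTABLES_BOX)
    return pkt, {"original": original, "translated": pkt}

def squid_reply(seen):
    """Squid answers the tuple it saw, with the endpoints swapped."""
    return Packet(seen.dst, seen.dport, seen.src, seen.sport)

def reply_path(reply, entry):
    """What the client finally receives."""
    if reply.dst == IPTABLES_BOX:
        # Through the box: conntrack undoes SNAT (dst -> client) and DNAT (src -> web server:80)
        orig = entry["original"]
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)
    # Same LAN and addressed to the client: Squid delivers it directly, untranslated
    return reply

def client_accepts(reply, original):
    """The client only has a socket towards www.kernel.org:80, so other sources are rejected."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (original.dst, original.dport, original.src, original.sport)

def run(use_snat):
    original = Packet(CLIENT, 40000, WEB, 80)  # client source port 40000 is an assumption
    seen, entry = forward_path(original, use_snat)
    reply = reply_path(squid_reply(seen), entry)
    return reply, client_accepts(reply, original)
```

With the SNAT rule, `run(True)` hands the client a reply from 198.51.100.10:80 that matches its socket; without it, `run(False)` shows the reply arriving straight from 192.168.1.2:3128, which the client never connected to.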