Networking Forums

Transparent proxy configuration problem.

 
 
Eng. Fawzy Ibrahim
      06-13-2006, 05:12 PM
I have the following:

1. A router with IP ROUTER_IP connected to my DSL ISP whose proxy is
ISP_PROXY_IP:8080
2. A SuSE Linux server with two Ethernet cards:
eth0: connected to my local network 129.2.0.0/16 and has a static
IP INT_SERVER_IP
eth1: dhcp with ISP router
3. FC4, SuSE Linux and Windows XP clients on my local network
129.2.0.0/16 which have static IPs and gateway set to INT_SERVER_IP.


To help my network clients to work with transparent proxy; I run on my
Linux server the following commands:

* iptables -t nat -A PREROUTING -i eth0 -s ! ISP_PROXY_IP -p tcp
--dport 80 -j DNAT --to-destination ISP_PROXY_IP:8080
* iptables -t nat -A POSTROUTING -o eth1 -s 129.2.0.0/16 -d
ISP_PROXY_IP -j SNAT --to INT_SERVER_IP
* iptables -A FORWARD -s 129.2.0.0/16 -d ISP_PROXY_IP -i eth0 -o
eth1 -p tcp --dport 8080 -j ACCEPT


My problem is that my clients can't access internet till now.

Is there any debug way to show me the route my packets pass through in
my server firewall?

 
Reply With Quote
 
 
 
 
Jarek Poplawski
      06-14-2006, 08:00 AM
Eng. Fawzy Ibrahim wrote:
> I have the following:
>
> 1. A router with IP ROUTER_IP connected to my DSL ISP whose proxy is
> ISP_PROXY_IP:8080
> 2. A SuSE Linux server with two Ethernet cards:
> eth0: connected to my local network 129.2.0.0/16 and has a static
> IP INT_SERVER_IP


You shouldn't use public addresses 129.2.0.0/16 in a local
network. Change them to 192.168.0.0/16 for example.

> eth1: dhcp with ISP router
> 3. FC4, SuSE Linux and Windows XP clients on my local network
> 129.2.0.0/16 which have static IPs and gateway set to INT_SERVER_IP.
>
>
> To help my network clients to work with transparent proxy; I run on my
> Linux server the following commands:
>
> * iptables -t nat -A PREROUTING -i eth0 -s ! ISP_PROXY_IP -p tcp
> --dport 80 -j DNAT --to-destination ISP_PROXY_IP:8080


If eth0 is for the local network, "-s ! ISP_PROXY_IP" should be
superfluous.

> * iptables -t nat -A POSTROUTING -o eth1 -s 129.2.0.0/16 -d
> ISP_PROXY_IP -j SNAT --to INT_SERVER_IP


You probably want to nat all outgoing connections so "-d
ISP_PROXY_IP" is also superfluous. And nat for packets outgoing
from local to ISP (or internet) with "--to INT_SERVER_IP" makes no
sense. You should do it with "--to OUT_SERVER_IP", but because it
is dynamically assigned use "-j MASQUERADE" instead of "-j SNAT
--to ..."

> * iptables -A FORWARD -s 129.2.0.0/16 -d ISP_PROXY_IP -i eth0 -o
> eth1 -p tcp --dport 8080 -j ACCEPT


If your clients are allowed to use any other external services
than www like DNS or mail you don't need here: "-d ISP_PROXY_IP"
and "-p tcp --dport 8080". And I hope you have something like
this for responses:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

and forwarding is enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward

> My problem is that my clients can't access internet till now.


Did it work before proxying?

> Is there any debug way to show me the route my packets pass through in
> my server firewall???


iptables ... -j LOG
tcpdump

Jarek P.
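To put the corrections in this reply together, here is an added example script (not the commands of either poster) that loads the rule set described above: DNAT of LAN port-80 connections to the ISP proxy without the superfluous "-s !" match, MASQUERADE on the dynamically addressed eth1 instead of SNAT, a FORWARD chain that accepts new connections from the LAN and ESTABLISHED,RELATED replies, ip_forward switched on, and a second function that inserts "-j LOG" rules with prefixes at the three hops a redirected packet passes through, so its path can be read from the kernel log. The interface names, the private LAN_NET and the ISP_PROXY_IP/ISP_PROXY_PORT placeholders are assumptions to be set for the site; IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not the posters' commands): transparent redirect of LAN HTTP
# traffic to an upstream ISP proxy, assembled from the corrections in the reply.
# Assumptions: LAN on eth0, ISP link on eth1 with a DHCP address; LAN_NET,
# ISP_PROXY_IP and ISP_PROXY_PORT are placeholders to be set for your site.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/16}
ISP_PROXY_IP=${ISP_PROXY_IP:-ISP_PROXY_IP}
ISP_PROXY_PORT=${ISP_PROXY_PORT:-8080}
IPT=${IPT:-iptables}     # IPT=echo prints the rules instead of applying them

# Main rule set: one $IPT invocation per rule, in the order they are loaded.
transparent_proxy_rules() {
    # Port-80 connections from the LAN are rewritten to the ISP proxy.
    # No "-s ! ISP_PROXY_IP" is needed: the proxy never arrives via eth0.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$ISP_PROXY_IP:$ISP_PROXY_PORT"
    # The ISP address on eth1 is dynamic, so MASQUERADE instead of SNAT --to.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Reply packets for every forwarded connection (the rule the reply asks about).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections only from the LAN side towards the ISP link.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Whatever falls through is logged (rate limited) and then hits the DROP policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -P FORWARD DROP
}

# Debug aid: LOG rules at the three hops a redirected packet passes through,
# inserted at position 1 so they fire before anything else in each chain.
# nat PREROUTING logs the original destination, FORWARD the rewritten one.
trace_rules() {
    $IPT -t nat -I PREROUTING 1 -i "$LAN_IF" -p tcp --dport 80 -j LOG --log-prefix "T-PREROUTING: "
    $IPT -I FORWARD 1 -p tcp --dport "$ISP_PROXY_PORT" -j LOG --log-prefix "T-FORWARD: "
    $IPT -t nat -I POSTROUTING 1 -o "$WAN_IF" -p tcp --dport "$ISP_PROXY_PORT" -j LOG --log-prefix "T-POSTROUTING: "
}

enable_forwarding() {
    # Without this the server never routes between eth0 and eth1.
    if [ "$IPT" = echo ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Usage: "IPT=echo sh proxy-nat.sh apply" to review, "sh proxy-nat.sh apply" as root,
# "sh proxy-nat.sh trace" to add the logging rules while debugging.
case "${1:-}" in
    apply) enable_forwarding; transparent_proxy_rules ;;
    trace) trace_rules ;;
esac
```

The trace rules are meant to be removed again after debugging: "-j LOG" on every port-80 packet is noisy, and the FWD-DROP rule with "-m limit" is the only logging that should stay in place permanently.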
Eng. Fawzy Ibrahim
      06-14-2006, 01:25 PM
Thanks for your fast response.


This is what I did:

1. I disabled IPv6 in both the server and my FC4 linux boxes.
2. I forgot to tell you that the default gateway of server equals
ROUTER_IP.
3. I ran the following commands:
* iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
DNAT --to-destination ISP_PROXY_IP:8080
* iptables -t nat -A POSTROUTING -o eth1 -s 129.2.0.0/16 -j
MASQUERADE

4. The output of "iptables -t nat -L -n":
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:ISP_PROXY_IP:8080

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE all -- 129.2.0.0/16 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

5. The output of "iptables -L FORWARD -n":
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
forward_ext all -- 0.0.0.0/0 0.0.0.0/0
forward_int all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SFW2-FORWARD-ERROR '


6. The amazing thing is that from the FC4 client I can ping google.com
and run traceroute, but I can't do the following:

* "traceroute google.com -p 80" : it begins to print * after line
11 but without "-p 80" it works fine.
* the browsers in clients give me the following error message:

Request Error (invalid_request)

Your request could not be processed. Request could not be handled
This could be caused by a misconfiguration, or possibly a malformed
request.

For assistance, contact your network support team.


Note: My old ISP has no proxy, so everything was fine, but my new ISP
forces me to use a proxy.

Jarek Poplawski
      06-19-2006, 09:06 AM
Eng. Fawzy Ibrahim wrote:
> Thanks for your fast response.


Sometimes it happens...

> This is what I did:
>
> 1. I disabled IPv6 in both the server and my FC4 linux boxes.
> 2. I forgot to tell you that the default gateway of server equals
> ROUTER_IP.
> 3. I ran the following commands:
> * iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
> DNAT --to-destination ISP_PROXY_IP:8080
> * iptables -t nat -A POSTROUTING -o eth1 -s 129.2.0.0/16 -j
> MASQUERADE
>
> 4. The output of "iptables -t nat -L -n":


"iptables -t nat -L -n -v" would be better because you can see
interface info.

> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> to:ISP_PROXY_IP:8080
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0


This is probably not needed.

> MASQUERADE all -- 129.2.0.0/16 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> 5. The output of "iptables -L FORWARD -n":
> Chain FORWARD (policy DROP)
> target prot opt source destination
> TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> flags:0x06/0x02 TCPMSS clamp to PMTU


It is usually needed only with ppp connections.

> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0


Maybe here and later you accept too much, maybe not: -v would show.

> forward_ext all -- 0.0.0.0/0 0.0.0.0/0
> forward_int all -- 0.0.0.0/0 0.0.0.0/0
> LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags
> 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
> DROP all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> NEW,RELATED,ESTABLISHED
> LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags
> 6 level 4 prefix `SFW2-FORWARD-ERROR '
>
>
> 6. The amazing thing is that from the FC4 client I can ping google.com
> and run traceroute, but I can't do the following:
>
> * "traceroute google.com -p 80" : it begins to print * after line
> 11 but without "-p 80" it works fine.
> * the browsers in clients give me the following error message:
>
> Request Error (invalid_request)
>
> Your request could not be processed. Request could not be handled
> This could be caused by a misconfiguration, or possibly a malformed
> request.
>
> For assistance, contact your network support team.
>
>
> Note: My old ISP has no proxy, so everything was fine, but my new ISP
> forces me to use a proxy.


If you can use other services like mail (pop3, smtp) or ftp,
maybe it's this proxy problem.

If you are not blocked by this ISP, you could try to use some
other proxy available in your country and set it directly in the
FC4 clients' browser connection options. You should also check
if entering your ISP_PROXY_IP and port 8080 there would change
something.

Maybe it would be easier to turn off firewalling while testing:
iptables -I FORWARD -j ACCEPT

Jarek P.
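The debugging pointers in this thread are "-j LOG", tcpdump and the verbose counters of "iptables -L -n -v". As an added example (not from either poster), the script below reads the two things those produce: kernel LOG lines, summarised to one line per hop (log prefix, in/out interface, source, destination and port), and an "iptables -nvL FORWARD" listing, reduced to the rules whose packet counters are non-zero, so a packet that is logged under a SuSEfirewall2 prefix and then dropped stands out. The log lines and the counter listing embedded in it are constructed samples; the LOG prefixes, interface names and addresses in them are assumptions.

```shell
#!/bin/sh
# Added example (not the posters' own): summarise iptables LOG lines and
# rule counters to see where a forwarded packet is going or being dropped.

# Constructed sample of kernel LOG output for one redirected HTTP SYN, as
# written by LOG rules with the prefixes T-PREROUTING:, T-FORWARD: and the
# SuSEfirewall2 prefix seen in the thread. Addresses/prefixes are assumptions.
sample_log() {
    cat <<'EOF'
Jun 14 13:20:01 gw kernel: T-PREROUTING: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=64.233.167.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 13:20:01 gw kernel: T-FORWARD: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=ISP_PROXY_IP LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 13:20:01 gw kernel: SFW2-FWD-ILL-ROUTING IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=ISP_PROXY_IP LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Reduce each LOG line to: prefix, in/out interface, SRC -> DST:DPT.
# Reading top to bottom shows the hop order; the DST change between
# PREROUTING and FORWARD is the DNAT rewrite taking effect.
trace_path() {
    awk '
    {
        i = index($0, "kernel: ")
        if (i == 0) next
        rest = substr($0, i + 8)
        j = index(rest, " IN=")
        if (j == 0) next
        prefix = substr(rest, 1, j - 1)
        sub(/:$/, "", prefix)          # "T-FORWARD:" -> "T-FORWARD"
        in_if = ""; out_if = ""; src = ""; dst = ""; dpt = ""
        n = split(substr(rest, j + 1), kv, " ")
        for (k = 1; k <= n; k++) {
            split(kv[k], p, "=")
            if (p[1] == "IN") in_if = p[2]
            else if (p[1] == "OUT") out_if = p[2]
            else if (p[1] == "SRC") src = p[2]
            else if (p[1] == "DST") dst = p[2]
            else if (p[1] == "DPT") dpt = p[2]
        }
        printf "%-22s in=%-5s out=%-5s %s -> %s:%s\n", prefix,
            (in_if == "" ? "-" : in_if), (out_if == "" ? "-" : out_if), src, dst, dpt
    }'
}

# Constructed sample of "iptables -nvL FORWARD" (the -v form the reply asks for).
sample_counters() {
    cat <<'EOF'
Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12   720 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
   12   720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    129.2.0.0/16         0.0.0.0/0            state NEW
EOF
}

# Print only rules that have matched packets: "pkts target in out src dst".
# A LOG rule and the DROP right after it with identical counters, followed by
# an ACCEPT at zero, means the packets never reach the rule meant for them.
rules_hit() {
    awk 'NR > 2 && $1 + 0 > 0 { print $1, $3, $6, $7, $8, $9 }'
}

# Usage: "grep -h kernel /var/log/messages | sh trace.sh log" or
# "iptables -nvL FORWARD | sh trace.sh counters"; no argument runs the samples.
case "${1:-}" in
    log)      trace_path ;;
    counters) rules_hit ;;
esac
```

In the sample the third line is the interesting one: the same SYN that was rewritten in PREROUTING is logged under the SFW2-FWD-ILL-ROUTING prefix, and in the counter listing the LOG and DROP rules carry the same 12 packets while the ACCEPT for eth0 to eth1 has never matched, which is exactly the "accept too much / drop too early" question the reply raises about the distribution's chains.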