Tunneling server for http and https traffic

Discussion in 'Linux Networking' started by magnus.moraberg, May 21, 2009.

  1. Hi there,

    I have a linux machine which is routed via eth0 to "network A" and via
    eth1 to "network B".

    I wish for clients in "network A" to access content on a webserver
    located in "network B".

    The protocols I wish to support are Http (80) and Https (443).

    Firewalls exist between my linux machine and network A, and between
    my linux machine and network B.

    I have added networks A and B to my linux machine's routing table and
    I can now ping from a machine in network A to the linux machine, and
    from the linux machine to the web server on network B.

    The firewalls are configured to only accept traffic via port 80 and
    443.

    So my question is, how do I connect network A and B? I have installed
    squid on the linux machine and it is my understanding that if I
    configure it as a tunneling server, listening on ports 80 and 443,
    that this will achieve what I'm after. Is this correct?

    BTW, I am not interested in doing any kind of caching with squid. The
    version of squid I have is version 2.5.STABLE.

    At the moment the only configuring of squid that I have done is to
    have it listen on port 80. When I telnet to the linux machine on port
    80 from a machine in network A, I am receiving a squid generated web
    page.

    Any advice or suggestions are welcome,

    Thanks for your help,

    Barry
     
    magnus.moraberg, May 21, 2009
    #1

  2. magnus.moraberg

    Tauno Voipio Guest


    You can do the requested functions without Squid by
    using iptables to allow IP forwarding for TCP ports
    80 and 443 only and disallowing others. You have to
    remember to turn IP forwarding on after setting up
    the firewall rules.

    Documentation for setting up the filters is to be
    found at <http://www.netfilter.org/>. There is more
    than you'll need.
     
    Tauno Voipio, May 21, 2009
    #2

  3. Thanks very much for that tip! Would the following code achieve what
    I'm after, ignoring the fact that it will allow all tcp ports?

    #!/bin/sh

    PATH=/usr/sbin:/sbin:/bin:/usr/bin

    #
    # delete all existing rules.
    #
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    # Always accept loopback traffic
    iptables -A INPUT -i lo -j ACCEPT

    # Allow established connections, and new ones not coming from network B
    # (eth1). The "! -i" form is the syntax current iptables accepts.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -m state \
        --state ESTABLISHED,RELATED -j ACCEPT

    # Allow outgoing connections from network A
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

    # Don't forward from network B (eth1) to network A (eth0)
    iptables -A FORWARD -i eth1 -o eth0 -j REJECT

    # Enable routing (only after the rules above are in place).
    echo 1 > /proc/sys/net/ipv4/ip_forward
     
    magnus.moraberg, May 21, 2009
    #3
  4. magnus.moraberg

    Tauno Voipio Guest


    It seems to me that you have some contents of the
    chains INPUT and FORWARD mixed up.

    Please read again the definitions of the chains from
    the documents.

    I do not see how a forwarded connection could ever be
    initiated. Another problem is that you're disallowing
    return traffic from the servers to the clients. Note
    that for every TCP connection there is a flow of response
    packets which must be forwarded as well.

    Please repeat the rules you would like to have, with
    references to the Ethernet interfaces. Also, describe
    which of the packets should end up in the Linux machine
    and which to the server elsewhere.

    The general prohibition for forwarding is easiest to
    set up as the base policy of the FORWARD chain.
     
    Tauno Voipio, May 22, 2009
    #4
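    A rule set along the lines Tauno describes in #2 and #4: only TCP 80 and
    443 are forwarded from network A to network B, the FORWARD chain's base
    policy is DROP so nothing else passes in either direction, the return
    packets of every accepted connection come back through the
    ESTABLISHED,RELATED match, and IP forwarding is switched on as the very
    last step. This is an added example, not code from the thread or from
    netfilter. The interface roles (eth0 towards network A, eth1 towards
    network B) follow the original post; the variable names, the multiport
    match, the ICMP and LOG rules and the APPLY switch are assumptions made
    for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Forwards only TCP 80/443 from network A
# (eth0) to network B (eth1); everything else is stopped by the FORWARD base
# policy. Interface roles follow the original post; the variables, the
# multiport match and the APPLY switch are assumptions for illustration.
LAN_IF="${LAN_IF:-eth0}"          # faces network A (the HTTP/HTTPS clients)
SRV_IF="${SRV_IF:-eth1}"          # faces network B (the web server)
WEB_PORTS="${WEB_PORTS:-80,443}"  # TCP ports allowed through the box

# Print the rule set, one command per line, so it can be reviewed before it
# touches the live firewall. Order matters: flush and set policies first,
# turn forwarding on last (a box that forwards before its rules are loaded
# is briefly an open router).
build_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $SRV_IF -p tcp -m multiport --dports $WEB_PORTS -m state --state NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Two checks worth running before applying: the FORWARD base policy really
# is DROP, and enabling forwarding is the last thing the script does.
forward_policy() {
    build_rules | sed -n 's/^iptables -P FORWARD //p'
}
last_rule() {
    build_rules | tail -n 1
}

# Apply only when explicitly requested and running as root; otherwise just
# print the rules for review.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    build_rules | sh -e
else
    build_rules
fi
```

    Note that with INPUT's policy at DROP, any service on the box itself
    (SSH for management, or the squid listener if it is kept) needs its own
    INPUT rule, otherwise the first run locks you out; try it from the
    console first. New connections from network B towards network A never
    match an ACCEPT rule and so fall through to the LOG rule and the DROP
    policy, which is the "general prohibition" set up as the base policy
    rather than as an explicit REJECT.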
