Date: Sun, 02 Jan 2011 15:25:38 +0100
From: Damien Fleuriot <ml@my.gd>
To: freebsd-pf@freebsd.org
Subject: Re: transparent proxy
Message-ID: <4D208AE2.6000402@my.gd>
In-Reply-To: <8fb3caa1300a9fcc5c2f23a70ade23a8.squirrel@mail.experts-exchange.com>
References: <8fb3caa1300a9fcc5c2f23a70ade23a8.squirrel@mail.experts-exchange.com>
Hi Jay,

I'm not sure what you're trying to achieve here.

Are you actually using proxy software at all, or only a PF redirect rule?
Are you trying to set up a FORWARD or a REVERSE proxy?
What do you use stunnel for, SSL/TLS connectivity?

On 1/2/11 5:38 AM, jay@experts-exchange.com wrote:
> Folks,
>
> I am trying to use stunnel & pf to devise a transparent proxy, but am
> unable to figure out how to do it. What I have is ext ip -> stunnel ->
> http service, but the http service does not know where to route back the
> packets, and remains in a sync state.
>
> 00:40:28.313038 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 2027735 ecr 0], length 0
> 00:40:31.306553 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 2028035 ecr 0], length 0
> 00:40:34.506518 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 2028355 ecr 0], length 0
> 00:40:37.706528 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,sackOK,eol], length 0
>
> rpminit# netstat -ln
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0  192.168.103.2.51218    127.0.0.1.80           SYN_SENT
> tcp4       0      0  192.168.103.62.443     192.168.103.2.51218    ESTABLISHED
>
> If I disable the transparent config setting the communication works,
> but http access logs show the request coming from local host.
>
> 00:26:53.435415 IP 127.0.0.1.30655 > 127.0.0.1.80: Flags [P.], ack 1, win 8960, options [nop,nop,TS val 1946248 ecr 3625203070], length 6
> 00:26:53.435864 IP 127.0.0.1.80 > 127.0.0.1.30655: Flags [P.], ack 7, win 8960, options [nop,nop,TS val 3625203735 ecr 1946248], length 44
> 00:26:53.436426 IP 127.0.0.1.80 > 127.0.0.1.30655: Flags [F.], seq 45, ack 7, win 8960, options [nop,nop,TS val 3625203735 ecr 1946248], length 0
> 00:26:53.436463 IP 127.0.0.1.30655 > 127.0.0.1.80: Flags [.], ack 46, win 8960, options [nop,nop,TS val 1946248 ecr 3625203735], length 0
> 00:26:53.526062 IP 127.0.0.1.30655 > 127.0.0.1.80: Flags [F.], seq 7, ack 46, win 8960, options [nop,nop,TS val 1946257 ecr 3625203735], length 0
> 00:26:53.526112 IP 127.0.0.1.80 > 127.0.0.1.30655: Flags [.], ack 8, win 8959, options [nop,nop,TS val 3625203744 ecr 1946257], length 0
> 00:28:03.523841 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [S], seq 1128551040, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1953257 ecr 0], length 0
> 00:28:03.523924 IP 127.0.0.1.80 > 127.0.0.1.47994: Flags [S.], seq 4120370047, ack 1128551041, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 727165180 ecr 1953257], length 0
> 00:28:03.523942 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [.], ack 1, win 8960, options [nop,nop,TS val 1953257 ecr 727165180], length 0
> 00:28:05.254567 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [P.], ack 1, win 8960, options [nop,nop,TS val 1953430 ecr 727165180], length 6
> 00:28:05.254888 IP 127.0.0.1.80 > 127.0.0.1.47994: Flags [P.], ack 7, win 8960, options [nop,nop,TS val 727165353 ecr 1953430], length 44
> 00:28:05.255194 IP 127.0.0.1.80 > 127.0.0.1.47994: Flags [F.], seq 45, ack 7, win 8960, options [nop,nop,TS val 727165353 ecr 1953430], length 0
> 00:28:05.255234 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [.], ack 46, win 8960, options [nop,nop,TS val 1953430 ecr 727165353], length 0
> 00:28:05.408742 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [F.], seq 7, ack 46, win 8960, options [nop,nop,TS val 1953445 ecr 727165353], length 0
> 00:28:05.408799 IP 127.0.0.1.80 > 127.0.0.1.47994: Flags [.], ack 8, win 8959, options [nop,nop,TS val 727165368 ecr 1953445], length 0
> 00:28:59.372253 IP 192.168.103.2.60900 > 127.0.0.1.80: Flags [S], seq 2362825029, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1958842 ecr 0], length 0
> 00:29:02.371384 IP 192.168.103.2.60900 > 127.0.0.1.80: Flags [S], seq 2362825029, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1959142 ecr 0], length 0
>
> ==> /var/log/httpd-access.log <==
> 127.0.0.1 - - [01/Jan/2011:23:18:44 -0800] "GET /" 200 44 "-" "-"
> 127.0.0.1 - - [01/Jan/2011:23:18:53 -0800] "GET /" 200 44 "-" "-"
> 127.0.0.1 - - [01/Jan/2011:23:21:48 -0800] "GET /" 200 44 "-" "-"
>
> I've tried to set up a rdr rule to redirect requests from internal ip to
> external port 80 to internal port 80, but no luck.
>
> /etc/pf.conf
>
> int_if="lo0"
> ext_if="ed0"
>
> rdr on $int_if inet proto tcp from $int_if to any port 80 -> 127.0.0.1 port 80
>
> Under Linux, it is possible to set up rules to perform internal proxy
> diverting thereby, "Re-write address to appear as if wrapped daemon is
> connecting from the SSL client machine instead of the machine running
> stunnel." See also http://www.stunnel.org/faq/stunnel.html and
> http://www.stunnel.org/faq/transparent.html.
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> Is there a way to devise pf rdr rules to do the same?
>
> Thanks
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
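The two symptoms Jay describes can be confirmed mechanically from the output he pasted: in transparent mode the web server sees SYNs from 192.168.103.2 arriving on 127.0.0.1 and never answers them (its SYN-ACKs leave by the default route towards the real client instead of coming back through stunnel), while in non-transparent mode every access-log entry carries 127.0.0.1 as the client, so the real source address is lost for logging and abuse handling. The script below is an added example written for this archive page, not code from the thread or from stunnel or PF; the function names, the "cross_scope" label for a non-loopback client talking to a loopback server, and the rule of thumb that a retransmitted, unanswered SYN indicates the missing return path are this example's own. The sample input is copied from the tcpdump and httpd-access.log lines quoted above.

```python
# Added example: diagnose the posted tcpdump / access-log output.
# Function names and the cross_scope heuristic are this example's own.
import re
from collections import defaultdict
from ipaddress import ip_address

# tcpdump lines copied from the post: the stuck transparent-mode attempt
# (192.168.103.2 -> 127.0.0.1) and the working non-transparent handshake.
CAPTURE = """\
00:40:28.313038 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 2027735 ecr 0], length 0
00:40:31.306553 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 2028035 ecr 0], length 0
00:40:34.506518 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 2028355 ecr 0], length 0
00:40:37.706528 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,sackOK,eol], length 0
00:28:03.523841 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [S], seq 1128551040, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1953257 ecr 0], length 0
00:28:03.523924 IP 127.0.0.1.80 > 127.0.0.1.47994: Flags [S.], seq 4120370047, ack 1128551041, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 727165180 ecr 1953257], length 0
00:28:03.523942 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [.], ack 1, win 8960, options [nop,nop,TS val 1953257 ecr 727165180], length 0
"""

# httpd-access.log lines copied from the post (non-transparent mode).
ACCESS_LOG = """\
127.0.0.1 - - [01/Jan/2011:23:18:44 -0800] "GET /" 200 44 "-" "-"
127.0.0.1 - - [01/Jan/2011:23:18:53 -0800] "GET /" 200 44 "-" "-"
127.0.0.1 - - [01/Jan/2011:23:21:48 -0800] "GET /" 200 44 "-" "-"
"""

# Matches the fixed prefix of a tcpdump TCP line up to the flag list.
TCPDUMP_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def split_endpoint(endpoint):
    """'192.168.103.2.51791' -> ('192.168.103.2', 51791)."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_capture(text):
    """Group the TCP flag strings of each packet by (src, sport, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        flows[(src, sport, dst, dport)].append(m["flags"])
    return flows


def analyze_handshakes(flows):
    """For every flow carrying a pure SYN: how many SYNs were sent, whether
    the reverse direction ever produced a SYN-ACK, and whether a non-loopback
    client is talking to a loopback server (the transparent-mode pattern)."""
    report = {}
    for (src, sport, dst, dport), flags in flows.items():
        syns = flags.count("S")
        if syns == 0:
            continue
        reverse = flows.get((dst, dport, src, sport), [])
        report[(src, sport, dst, dport)] = {
            "syn_count": syns,
            "answered": "S." in reverse,
            "cross_scope": not ip_address(src).is_loopback
            and ip_address(dst).is_loopback,
        }
    return report


def stuck_flows(report):
    """Flows whose SYN was retransmitted and never answered: the backend's
    replies are not finding their way back to the proxy."""
    return sorted(k for k, r in report.items()
                  if r["syn_count"] > 1 and not r["answered"])


def loopback_attributed_requests(log_text):
    """(hidden, total): how many access-log requests name a loopback client,
    i.e. how many lost the real client address at the proxy."""
    total = hidden = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        if ip_address(line.split(" ", 1)[0]).is_loopback:
            hidden += 1
    return hidden, total


if __name__ == "__main__":
    report = analyze_handshakes(parse_capture(CAPTURE))
    for src, sport, dst, dport in stuck_flows(report):
        r = report[(src, sport, dst, dport)]
        print(f"stuck: {src}:{sport} -> {dst}:{dport} "
              f"({r['syn_count']} SYNs, cross_scope={r['cross_scope']})")
    hidden, total = loopback_attributed_requests(ACCESS_LOG)
    print(f"{hidden}/{total} access-log entries carry a loopback client address")
```

Run against a fresh `tcpdump -n -i lo0 port 80` capture, a flow that is both `cross_scope` and in `stuck_flows()` is the signature of the return-path problem; once transparent mode works, the `loopback_attributed_requests()` count should drop to zero because the web server logs the real client address.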