Redirect Incoming port 80 connections to port 8080.
Jeff Hedley
jeffh at tcnetworksinc.com
Fri Jul 27 14:16:34 UTC 2007
On 07/26/2007 04:51 PM, Jeff Hedley wrote:
> I am having a problem getting a Dansguardian + Squid transparent
> proxying system going for a client. The following is what I want to do,
> but cannot figure out how to get it working using ipfw + natd:
>
>
> [Host] - 10.0.0.150/24 - sends request to router google.com:80
> |
> |
> |
> v
> [Router] - 10.0.0.1/24 - receives request for google.com:80 but sets
> | proxy server as next hop for transparent proxy purposes.
> | - Not transparently proxied yet.
> |
> v
> [FreeBSD Proxy] - 10.0.0.2/24 - receives request for google.com:80
> | - request gets transparently proxied to 10.0.0.2:8080
> | (this is the part I don't know how to do).
> | - runs through Dans, then Squid.
> | - Squid sends request out to router again.
> | - Outgoing squid requests get NATed to 10.0.0.2 (also
> | don't know how to do this).
> |
> v
> [Router] - 10.0.0.1/24 - receives the request for google.com again,
> | but request is allowed through since it's coming from
> | 10.0.0.2.
> |
> v
> (interweb)
>
> Can you tell me how I would set up the FreeBSD box to do what I want
> using ipfw and natd?
>
Here's some more info:
By doing a tcpdump I could see that the packets come into the FreeBSD
box like this:
> 11:54:57.763623 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763662 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763677 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
> 11:54:57.763757 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763768 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763773 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
> 11:54:57.763861 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763870 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763875 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
> 11:54:57.763964 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> 11:54:57.763974 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
> <snip>
I tried turning off the ICMP redirect packets by setting the following:
> sysctl -w net.inet.icmp.drop_redirect=1
> sysctl -w net.inet.icmp.log_redirect=1
> sysctl -w net.inet.ip.redirect=0
But the packet dumps don't change much: the icmp 36 redirect lines
simply aren't there anymore.
This is the ipfw line I'm using:
> /sbin/ipfw add divert natd tcp from not 10.0.0.2 to any dst-port 80 via en0
and it seems no matter what natd command I use, nothing gets diverted to
natd: I run natd in verbose mode and nothing ever appears on stdout
except for the following line:
> natd[2570]: Aliasing to 10.0.0.2, mtu 1500 bytes
I can forward all the natd configurations I've tried as well if anyone's
interested.
Any help you all could offer would be greatly appreciated.
--
Jeff Hedley
TC Networks, Inc.
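The capture in the post can be read mechanically. The script below is an added example, not part of the original message or of any FreeBSD tool: it parses `tcpdump -n` lines in the format shown above and separates two situations on the proxy's LAN interface. A SYN that appears more than once with the same sequence number only microseconds apart, together with an ICMP redirect from the box itself, is the same packet being received and routed back out onto the link it arrived from (the box is acting as a router, so nothing reached the divert socket). A SYN-ACK heading back toward the client, by contrast, means a socket on the box took the connection. The `analyze` function and its thresholds are my own heuristics; the first sample is copied from the post and the second is a constructed capture of what a locally answered SYN looks like.

```python
"""Classify tcpdump SYN/ICMP lines from a would-be transparent proxy box.

Added example (not from the original post). Heuristics are the author's
assumptions about what a forwarded vs. a locally answered SYN looks like
when captured on the proxy's single LAN interface.
"""
import re
from collections import Counter

# tcpdump -n line for a TCP SYN or SYN-ACK; the optional 'ack' group marks a SYN-ACK.
TCP_SYN_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'S (?P<seq>\d+):\d+\(0\)(?P<ack> ack \d+)?'
)
# ICMP redirect, sent by a host that just forwarded a packet back onto the link it came from.
ICMP_REDIRECT_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp \d+: '
    r'redirect (?P<target>[\d.]+) to host (?P<gw>[\d.]+)'
)

# Sample 1: the lines quoted in the post (everything before the <snip>).
POSTED_DUMP = """\
11:54:57.763623 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
11:54:57.763662 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
11:54:57.763677 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
11:54:57.763757 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
11:54:57.763768 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
11:54:57.763773 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
11:54:57.763861 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
11:54:57.763870 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
11:54:57.763875 IP 10.0.0.2 > 10.0.0.150: icmp 36: redirect 64.233.167.147 to host 10.0.0.1
11:54:57.763964 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
11:54:57.763974 IP 10.0.0.150.3628 > 64.233.167.147.80: S 2718548697:2718548697(0) win 16384 <mss 1460,nop,nop,sackOK>
"""

# Sample 2 (constructed): the SYN arrives once and a SYN-ACK goes back to the client,
# which is what the client-facing side looks like when a socket on the box takes the SYN.
ANSWERED_DUMP = """\
11:55:00.000100 IP 10.0.0.150.3629 > 64.233.167.147.80: S 1000:1000(0) win 16384 <mss 1460,nop,nop,sackOK>
11:55:00.000200 IP 64.233.167.147.80 > 10.0.0.150.3629: S 5000:5000(0) ack 1001 win 65535 <mss 1460>
"""


def analyze(dump: str, proxy_ip: str) -> dict:
    """Summarise one capture taken on the proxy box's LAN interface."""
    seen = Counter()   # (src, sport, dst, dport, seq) -> how many times that exact SYN went past
    redirects = 0      # ICMP redirects the proxy box itself sent to clients
    answered = 0       # SYN-ACKs heading back toward clients
    for line in dump.splitlines():
        m = TCP_SYN_RE.match(line)
        if m:
            if m['ack']:
                answered += 1
            else:
                seen[(m['src'], m['sport'], m['dst'], m['dport'], m['seq'])] += 1
            continue
        m = ICMP_REDIRECT_RE.match(line)
        if m and m['src'] == proxy_ip:
            redirects += 1

    # The same SYN (same ports and sequence number) seen two or more times on one
    # interface was received and sent back out: routed through, not consumed locally.
    forwarded_flows = sum(1 for n in seen.values() if n >= 2)

    if redirects or (forwarded_flows and not answered):
        verdict = 'forwarded'          # box acted as a router; no divert happened
    elif answered:
        verdict = 'answered-locally'   # a local listener took the connection
    else:
        verdict = 'inconclusive'
    return {
        'syn_flows': len(seen),
        'forwarded_flows': forwarded_flows,
        'redirects': redirects,
        'answered': answered,
        'verdict': verdict,
    }


if __name__ == '__main__':
    for name, dump in (('posted', POSTED_DUMP), ('answered', ANSWERED_DUMP)):
        print(name, analyze(dump, '10.0.0.2'))
```

To feed it a live capture, run `tcpdump -n -i <lan-interface> 'tcp[tcpflags] & tcp-syn != 0 or icmp'` on the proxy box and pass the output to `analyze`; a verdict of `forwarded` while natd stays silent says the packets are being routed before any divert rule sees them, which is the condition to chase in the ipfw rule (interface name and rule order) rather than in the natd configuration.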