Does anyone have experience with tproxy?


ndelo
03-01-2001, 01:52 PM
I am currently (and unsuccessfully) trying to set up tproxy on my firewall. I would like to redirect specific web traffic originating from our LAN to a web server in our DMZ. In other words, the firewall should grab outbound traffic destined for its external IP address, port 80, and redirect it to a local web server sitting in our DMZ.

The reason I'm doing this is because ipmasqadm portfw only works for packets being forwarded. Since packets originating from the LAN destined for the firewall's external IP do not need to be forwarded (the packet remains inside the firewall), portfw never sees them. In effect, LAN users cannot access the DMZ webserver by its URL.

At the firewall I have masquerading/portforwarding set up as such:

ipmasqadm portfw -a -P tcp -L $EXTERNAL_NIC_IP 80 -R $DMZ_WEB_SERVER_IP 80

This works great for requests from the internet. But not for LAN users. As a workaround, I'm trying to have the firewall's internal NIC grab outbound packets destined for port 80 of the external interface and redirect them to tproxy. I'm hoping tproxy will then pass requests to the DMZ webserver. My rules are these:

tproxy -s 81 -r nobody $WEB_SERVER 80
ipchains -A input -i $INTERNAL_INTERFACE -p tcp -d $EXTERNAL_INTERFACE_IP 80 -j REDIRECT 81

I have support for transparent proxying compiled into the kernel. I also have tproxy installed and listed in /etc/services as being 81/tcp. However, when I try to access the web server by its URL, I get the following error message:

Forbidden
you don't have permission to access to http://(theexternal ip of my firewall) on this server

Apache/1.3.12 Server at (the hostname of my DMZ web server) Port 80

I would like to believe it's half working since the IP listed is the external IP of the firewall and the hostname and message are from Apache running on the web server. (Apache is not at all running on the firewall.) I can access the web server by typing its real IP into my browser, but not by URL, since our ISP's nameservers resolve it to the firewall's external IP address.

This is my first shot at proxying. Any help would be appreciated.

[ 01 March 2001: Message edited by: ndelo ]

ndelo
03-01-2001, 05:34 PM
I've just turned on logging, and this is the error I get when a connection to tproxy is attempted:

Request_NoDNS 192.168.2.1 -> http://the_external_ip_of_my_firewall

Fandelem
03-01-2001, 06:02 PM
first, make sure you can type
telnet webserver_ip_address 80
and it connects fine..

i haven't really read your whole post - i'm short on time right now, but here's what i would do:

ALL of your internal lan computers should have a default gateway of your router, ie. firewall computer. so on that computer you should have all http (port 80) requests forwarded to where ever they need to be.

you might want to examine *where* you are placing your rules.. ie. the order of your rules.. because that could also be a problem as well..

sorry if i've been no help, but i gotta run =)

~kyle

ndelo
03-02-2001, 10:03 AM
Here's a better map/idea of my network. I have about 100 computers split into two subnets. About 50 on either side of an NT box acting as a router/DHCP/WINS server. All computers have their appropriate gateway which works fine. That router's gateway is my choke firewall, which leads to the DMZ, then to my linux firewall and out to the internet. Everything works fine. Internet users can reach the Web server on the DMZ fine. All LAN users can reach the internet fine, however, LAN users cannot reach the DMZ webserver since ipmasqadm portfw will not work on packets originating from the LAN. The web server's IP is registered with our ISP as being that of the firewall (we don't run DNS internally). On the internal NIC I have an ipchains rule that redirects only that web traffic from the LAN destined for the IP of the external interface on the firewall. The rules should then redirect this web traffic, and only this web traffic, to a proxy bound to a port on the internal NIC of the firewall, which I'm hoping will then fetch the web page from the DMZ webserver, using its private IP address listed in the firewall's /etc/hosts. I have the firewall set to check hosts first, then DNS. So far everything seems to be working--I think--except tproxy. The packets must make it to the tproxy port since they generate the error message listed above. The firewall is running great with this one exception. I might give squid a try. If that fails then perhaps it's an issue with Apache. I don't know, but I can't imagine how it could be.

[ 02 March 2001: Message edited by: ndelo ]

ndelo
03-02-2001, 01:14 PM
I seem to be the only one replying to my own post, but that's ok by me...

Installed squid and cannot get it to connect to the site either. Squid is working as a normal proxy, so the problem must be with the ipchains ruleset, redirection, etc. Still fighting...

ndelo
03-02-2001, 03:28 PM
Ok I got it to work. :)

Fandelem
03-02-2001, 03:35 PM
how? ;D

ndelo
03-02-2001, 04:43 PM
I used the ipchains redirection rules listed above, pointing them to the port that squid was running on. In squid.conf I set http_accel_host to the IP of my DMZ web server, and http_accel_port 80. I also put an entry in for the web server in /etc/hosts that resolved to the DMZ address 192.168.x.x, not the real DNS entry (just to keep squid from doing a real DNS lookup). I'm not sure that this last step was needed, since this is my first crack at squid. Actually, at this point I don't know if it was the changes to /etc/hosts or squid.conf that did the trick, but something worked. In essence, my firewall will now only proxy and redirect those packets originating from the LAN, heading to port 80 on the external NIC of my firewall. Ipchains catches them on the firewall's internal NIC, passes them to the local squid port which then sends them back to the DMZ to be handled by the web server. Phewwww!!!!! If someone tells me this could have all been done with iptables, I'll cry.
:D

[ 02 March 2001: Message edited by: ndelo ]
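The working setup from the last post, written out as one reviewable script. This is an added example, not code from the thread or from the ipchains/Squid projects: the addresses, the inside interface name, the LAN netblock, the Squid port and the web server's hostname are constructed placeholders, and the environment is a 2.2-series kernel where ipchains and ipmasqadm are the tools in use. The squid.conf directives are spelled the way Squid 2.x names them (httpd_accel_host, httpd_accel_port, httpd_accel_with_proxy); Squid 2.6 and later dropped them in favour of "http_port ... accel".

```shell
#!/bin/sh
# Added example: firewall rules, squid.conf fragment and /etc/hosts entry for
# hairpinning LAN -> public IP:80 through a local Squid to the DMZ web server.
# Every value below is an assumed placeholder, not taken from the thread.
EXTERNAL_NIC_IP="${EXTERNAL_NIC_IP:-203.0.113.10}"     # firewall's public address
INTERNAL_INTERFACE="${INTERNAL_INTERFACE:-eth1}"       # firewall NIC on the inside (DMZ/LAN side)
INSIDE_IP="${INSIDE_IP:-192.168.2.254}"                # firewall's own address on that NIC
LAN_NET="${LAN_NET:-192.168.0.0/16}"                   # internal networks allowed to use the proxy
DMZ_WEB_SERVER_IP="${DMZ_WEB_SERVER_IP:-192.168.2.80}" # private address of the web server
SQUID_PORT="${SQUID_PORT:-3128}"
WEB_HOSTNAME="${WEB_HOSTNAME:-www.example.com}"        # name the ISP's DNS maps to EXTERNAL_NIC_IP

# Emit the two firewall commands. The portfw rule only sees packets the kernel
# forwards, so LAN clients talking to the firewall's own public IP never hit it.
# The ipchains rule catches exactly those packets (inside NIC, destination =
# public IP, port 80) and hands them to the local Squid port. Matching on -i
# keeps Internet-side packets away from the REDIRECT.
firewall_rules() {
    echo "ipmasqadm portfw -a -P tcp -L $EXTERNAL_NIC_IP 80 -R $DMZ_WEB_SERVER_IP 80"
    echo "ipchains -A input -i $INTERNAL_INTERFACE -p tcp -d $EXTERNAL_NIC_IP 80 -j REDIRECT $SQUID_PORT"
}

# Actually install the rules (root, on the firewall).
apply_rules() {
    firewall_rules | sh -e
}

# squid.conf fragment. httpd_accel_host/httpd_accel_port send every request
# Squid receives to the DMZ server; httpd_accel_with_proxy keeps it usable as
# an ordinary proxy too. Binding http_port to the inside address and allowing
# only LAN sources means the firewall does not become an open proxy.
squid_conf() {
    cat <<EOF
http_port $INSIDE_IP:$SQUID_PORT
httpd_accel_host $DMZ_WEB_SERVER_IP
httpd_accel_port 80
httpd_accel_with_proxy on
acl lan src $LAN_NET
acl all src 0.0.0.0/0.0.0.0
http_access allow lan
http_access deny all
EOF
}

# /etc/hosts line: anything on the firewall that resolves the site's name
# (Squid, if it looks up the request's Host: header) gets the DMZ address
# instead of the public one the ISP's DNS returns.
hosts_entry() {
    echo "$DMZ_WEB_SERVER_IP $WEB_HOSTNAME"
}

# "apply" installs the rules; any other invocation just prints everything
# for review.
case "${1:-show}" in
    apply) apply_rules ;;
    *)
        firewall_rules
        echo "--- squid.conf fragment"
        squid_conf
        echo "--- /etc/hosts entry"
        hosts_entry
        ;;
esac
```

Run it with no argument to see what would be applied, and as root with "apply" to install the rules. The part worth keeping narrow is the match: the REDIRECT only fires for packets that arrive on the inside NIC addressed to the public IP on port 80, and Squid listens on the inside address with an ACL for the LAN, so neither the redirect nor the proxy is reachable from the Internet side. On ndelo's closing remark: with iptables the same hairpin is a single DNAT rule in the nat table's PREROUTING chain, restricted to the inside interface, with no proxy involved, as long as the web server's replies route back through this firewall so that connection tracking can reverse the translation.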