transparent proxy on the LAN and also on the server itself

Roman Fordinal aben at webcom.sk
Tue Jan 11 11:05:55 CET 2005


Lubor Kacian wrote:

> On Sunday 09 January 2005 11:29 pm Roman Fordinal wrote:
>> Peter Surda wrote:
>> > Roman Fordinal wrote:
>> >> this, however, does not work for local requests from the machine itself
>> >> (192.168.5.1), meaning that when someone logs in to the X server on
>> >> 192.168.5.1 and uses a browser, the packets do not pass through the
>> >> PREROUTING rule. Can anyone advise me how to arrange for this to
>> >> work?
> Why do it so complicatedly, via marking?
> Look here:
> http://www.spinics.net/lists/netfilter/msg29380.html
> and check IP_NF_NAT_LOCAL

Well, I don't know; I am probably making a mistake somewhere with IP_NF_NAT_LOCAL.
I recompiled the kernel with this option, and so I decided to test it:

iptables -t nat -p tcp -A PREROUTING -j LOG --log-prefix "NPRE: "
iptables -t nat -p tcp -A INPUT -j LOG --log-prefix "NIN: "
iptables -t nat -p tcp -A OUTPUT -j LOG --log-prefix "NOUT: "
iptables -t nat -p tcp -A POSTROUTING -j LOG --log-prefix "NPOST: "

iptables -t mangle -p tcp -A PREROUTING -j LOG --log-prefix "MPRE: "
iptables -t mangle -p tcp -A INPUT -j LOG --log-prefix "MIN: "
iptables -t mangle -p tcp -A FORWARD -j LOG --log-prefix "MFOR: "
iptables -t mangle -p tcp -A OUTPUT -j LOG --log-prefix "MOUT: "
iptables -t mangle -p tcp -A POSTROUTING -j LOG --log-prefix "MPOST: "

iptables -t filter -p tcp -A INPUT -j LOG --log-prefix "FIN: "
iptables -t filter -p tcp -A FORWARD -j LOG --log-prefix "FFOR: "
iptables -t filter -p tcp -A OUTPUT -j LOG --log-prefix "FOUT: "


$ wget tojejednoco.tld

Jan 11 00:01:20 [kernel] MOUT: IN= OUT=ppp0 SRC=10.192.3.174 DST=212.89.236.119 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=TCP SPT=32823 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 00:01:20 [kernel] MPOST: IN= OUT=ppp0 SRC=10.192.3.174 DST=212.89.236.119 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=TCP SPT=32823 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 00:01:21 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=27451 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK SYN URGP=0
Jan 11 00:01:21 [kernel] MOUT: IN= OUT=ppp0 SRC=10.192.3.174 DST=212.89.236.119 LEN=148 TOS=0x00 PREC=0x00 TTL=64 ID=20626 DF PROTO=TCP SPT=32823 DPT=80 WINDOW=1460 RES=0x00 ACK PSH URGP=0
Jan 11 00:01:21 [kernel] MPOST: IN= OUT=ppp0 SRC=10.192.3.174 DST=212.89.236.119 LEN=148 TOS=0x00 PREC=0x00 TTL=64 ID=20626 DF PROTO=TCP SPT=32823 DPT=80 WINDOW=1460 RES=0x00 ACK PSH URGP=0
Jan 11 00:01:22 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=27452 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Jan 11 00:01:28 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=337 TOS=0x00 PREC=0x00 TTL=61 ID=27453 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK PSH URGP=0
Jan 11 00:01:28 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=1215 TOS=0x00 PREC=0x00 TTL=61 ID=27454 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK PSH URGP=0
Jan 11 00:01:28 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=1500 TOS=0x00 PREC=0x00 TTL=61 ID=27455 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Jan 11 00:01:29 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=1500 TOS=0x00 PREC=0x00 TTL=61 ID=27456 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK PSH URGP=0
Jan 11 00:01:29 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=1500 TOS=0x00 PREC=0x00 TTL=61 ID=27457 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Jan 11 00:01:29 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=1500 TOS=0x00 PREC=0x00 TTL=61 ID=27458 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Jan 11 00:01:29 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=1500 TOS=0x00 PREC=0x00 TTL=61 ID=27459 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Jan 11 00:01:30 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=755 TOS=0x00 PREC=0x00 TTL=61 ID=27460 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK PSH FIN URGP=0
Jan 11 00:01:31 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=27461 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0

Could I have something silly in the routing table?

bash-2.05b# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.192.67.138   *               255.255.255.255 UH    0      0        0 ppp0
192.168.5.0     *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         10.192.67.138   0.0.0.0         UG    0      0        0 ppp0
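As an added diagnostic for the LOG test above (example code, not part of the original post): this Python script parses the kernel LOG lines, groups the entries that belong to one packet by its IP ID, and compares the chains that actually logged against the hook order netfilter follows for that packet's path, so the chains that never fired stand out. The prefix names, expected-order tables and sample lines come from the post; grouping by IP ID and treating "SYN without ACK" as a new connection are my assumptions.

```python
import re
# Log prefixes from the post mapped to their netfilter (table, chain).
PREFIXES = {"NPRE": ("nat", "PREROUTING"), "NIN": ("nat", "INPUT"), "NOUT": ("nat", "OUTPUT"),
            "NPOST": ("nat", "POSTROUTING"), "MPRE": ("mangle", "PREROUTING"),
            "MIN": ("mangle", "INPUT"), "MFOR": ("mangle", "FORWARD"), "MOUT": ("mangle", "OUTPUT"),
            "MPOST": ("mangle", "POSTROUTING"), "FIN": ("filter", "INPUT"),
            "FFOR": ("filter", "FORWARD"), "FOUT": ("filter", "OUTPUT")}
# Chains traversed, in hook order, per path through the box. The nat table is only
# consulted for the first packet of a connection (later packets reuse the conntrack
# mapping), and NOUT is where NAT of locally generated connections takes place.
EXPECTED = {"out": ["MOUT", "NOUT", "FOUT", "MPOST", "NPOST"],
            "in": ["MPRE", "NPRE", "MIN", "FIN"],
            "fwd": ["MPRE", "NPRE", "MFOR", "FFOR", "MPOST", "NPOST"]}
LINE_RE = re.compile(r"\] (?P<prefix>[A-Z]+): (?P<rest>.*)$")
# Constructed sample: three LOG lines from the post, each rejoined onto one line.
SAMPLE_LOG = """\
Jan 11 00:01:20 [kernel] MOUT: IN= OUT=ppp0 SRC=10.192.3.174 DST=212.89.236.119 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=TCP SPT=32823 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 00:01:20 [kernel] MPOST: IN= OUT=ppp0 SRC=10.192.3.174 DST=212.89.236.119 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=TCP SPT=32823 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 00:01:21 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=27451 DF PROTO=TCP SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK SYN URGP=0
"""

def parse_line(line):
    """Split one iptables LOG line into (prefix, key=value fields, bare flags)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1); fields[k] = v  # IN= / OUT= give "" for the unused side
        else:
            flags.add(tok)  # DF, SYN, ACK, PSH, FIN, ...
    return m.group("prefix"), fields, flags

def trace_packets(log_text):
    """Group LOG lines by (direction, IP ID); list expected hooks that never logged."""
    packets = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, f, flags = parsed
        direction = "out" if f.get("IN") == "" else "in" if f.get("OUT") == "" else "fwd"
        p = packets.setdefault((direction, f["ID"]), {"id": f["ID"], "dir": direction,
                               "new": "SYN" in flags and "ACK" not in flags, "seen": []})
        p["seen"].append(prefix)
    for p in packets.values():
        want = [c for c in EXPECTED[p["dir"]] if p["new"] or PREFIXES[c][0] != "nat"]
        p["missing"] = [c for c in want if c not in p["seen"]]
    return list(packets.values())
```

Run over the full log from the post, it reports per packet which of the nat and filter chains that had LOG rules never appeared, which is the question the test set out to answer.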