Falchion n00b
Joined: 18 Dec 2005 Posts: 57
Posted: Thu Oct 09, 2008 1:26 am Post subject: [Solved] /etc/hosts can't redirect ip to an ip

hi,
I just reinstalled my squid with the --no-internal-dns option, and I was hoping to redirect a public ip to an ip in my network.
my /etc/hosts file can understand:
1.2.3.4 fakeweb.whatever
but not:
1.2.3.4 2.3.4.5
What should I do to make the /etc/hosts file understand this?

Last edited by Falchion on Fri Nov 07, 2008 3:05 am; edited 1 time in total

cyrillic Watchman
Joined: 19 Feb 2003 Posts: 7313 Location: Groton, Massachusetts USA
Posted: Thu Oct 09, 2008 3:49 am Post subject: Re: [Problem] /etc/hosts can't redirect ip to an ip

Falchion wrote:
> I was hoping to redirect a public ip to an ip in my network.

It sounds like you are talking about NAT. A router is able to do that for you.

Falchion n00b
Joined: 18 Dec 2005 Posts: 57
Posted: Thu Oct 09, 2008 6:38 am Post subject:

my router also serves as a transparent proxy.
iptables can't control the connection coming through squid.... so I have to look for another solution other than separating them (making another router).
is there anyone that knows how to patch the /etc/hosts file who can help me?

kokoko3k n00b
Joined: 06 May 2005 Posts: 72
Posted: Thu Oct 09, 2008 7:05 am Post subject:

/etc/hosts resolves hostnames, not ips, so i guess not.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 7855 Location: almost Mile High in the USA
Posted: Fri Oct 10, 2008 12:05 am Post subject:

sounds like you have to hack/patch squid to do this, you can't hack /etc/hosts to remap IP addresses.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

Hu Moderator
Joined: 06 Mar 2007 Posts: 16693
Posted: Fri Oct 10, 2008 2:53 am Post subject:

You may be able to use the iptables DNAT target to achieve this. Please post a description of what you are trying to achieve.

Falchion n00b
Joined: 18 Dec 2005 Posts: 57
Posted: Sat Oct 11, 2008 2:40 pm Post subject:

Hu, DNAT is out of the question unless I add another router between the transparent proxy and WAN....
Iptables has no control whatsoever over bandwidth going directly through the squid if it's all made in one box (the firewall can't tell which packet to filter because the destination is the box itself... and it can't re-arrange the destination once it leaves squid on the other interface).... unless there's a more advanced iptables command that I can use to accomplish this?
I just want to basically redirect connections going through router/squid that lead to 2.3.4.5 (WAN) ---> to be directed to 1.2.3.4 (LAN).
I tried doing this:
iptables -t nat -A POSTROUTING -o eth1 -d 2.3.4.5 -j DNAT --to 1.2.3.4
but it returns "Invalid Argument."
if I tried PREROUTING.... can't use -o with it.
If I tried -i eth0... it doesn't filter anything because the -d is the box itself
eccerr0r, can you point me in the right direction of how to patch squid to accomplish this?

Hu Moderator
Joined: 06 Mar 2007 Posts: 16693
Posted: Sat Oct 11, 2008 9:26 pm Post subject:

DNAT is only valid in the PREROUTING and OUTPUT chains, according to man iptables. Use REDIRECT in the PREROUTING chain to transparently intercept traffic routed through the box and redirect it to the box itself. Use DNAT to redirect an outbound connection from the box.
Your description does not explain how you expect traffic shaping to fit into this, or where you want to accomplish it.

Falchion n00b
Joined: 18 Dec 2005 Posts: 57
Posted: Sun Oct 12, 2008 6:50 am Post subject:

Hu wrote:
> Your description does not explain how you expect traffic shaping to fit into this, or where you want to accomplish it.

Iptables has limits, and as far as I know.. it can't traffic shape any connection going directly in or out of the transparent proxy if both routing & squid are made in the same box
But anyway, let me try to explain it because maybe you know something that I don't.
Client(1.2.3.5) ----------> (1.2.3.1)<eth0>Router<eth1>(2.2.2.2) ----------> 2.3.4.5
FakeServer(1.2.3.4) --->
OK, my only purpose is this:
client 1.2.3.5 connects to squid on 1.2.3.1:3128 going to 2.3.4.5 normally, but I want to redirect it to 1.2.3.4
Originally, I tried:
iptables -t nat -A PREROUTING -d 2.3.4.5 -j DNAT --to 1.2.3.4
nothing happened, so I tried doing:
iptables -t nat -A PREROUTING -d 2.3.4.5 -p tcp --dport 3128 -j DNAT --to 1.2.3.4
iptables -t nat -A PREROUTING -d 2.3.4.5 -p tcp --dport 80 -j DNAT --to 1.2.3.4
again, nothing happened.
Squid already intercepts any PREROUTING on port 3128 or 80.
so I tried to mess around with the OUTPUT...
iptables -A OUTPUT -t nat -o eth1 -d 2.3.4.5 -j DNAT --to-destination 1.2.3.4
also doesn't filter anything....
squid apparently overrides this rule so I concluded that Iptables can't do anything in this situation.
I hope someone can help me on this.
and please, if your answer is "just add another router" or "separate the squid and routing"... just don't reply to this thread.
Ty.

Hu Moderator
Joined: 06 Mar 2007 Posts: 16693
Posted: Sun Oct 12, 2008 5:02 pm Post subject:

It is a little strange to try to transparently intercept a connection, run it through an HTTP proxy, traffic shape it, and transparently redirect the outbound traffic again - whether using one box or several. However, from your description, I do not see anything that I think indicates that it should not work. I have tried each of the pieces individually on various occasions and they work fine.
What is the output of (set -x ; iptables-save -c | nl ; tc -s qdisc show | nl ; tc -s class show | nl ; tc -s filter show | nl)?

Falchion n00b
Joined: 18 Dec 2005 Posts: 57
Posted: Mon Oct 13, 2008 12:24 am Post subject:

Hu, just tell me what you have in mind to accomplish this.
I'll work it and let you know if it's working or not.
Seeing my iptables output atm will give you nothing that you need to know in order to answer my question. Quit wasting both of our time. Either you have the answer or you don't.
I already told you what I did and the reason why it didn't work. I also told you what I need to accomplish. I think we should stop at it until somebody comes up with an answer other than the one I already know.

think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Mon Oct 13, 2008 12:39 am Post subject:

Already tried to simply set a host route on your squid box for the external ip pointing to your internal webserver?
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

Hu Moderator
Joined: 06 Mar 2007 Posts: 16693
Posted: Mon Oct 13, 2008 3:15 am Post subject:

Falchion wrote:
> Hu, just tell me what you have in mind to accomplish this.
> I'll work it and let you know if it's working or not.
> Seeing my iptables output atm will give you nothing that you need to know in order to answer my question. Quit wasting both of our time. Either you have the answer or you don't.
> I already told you what I did and the reason why it didn't work. I also told you what I need to accomplish. I think we should stop at it until somebody comes up with an answer other than the one I already know.

If I had a ready-made answer, I would have given it to you. I wanted that output so that I could confirm you did not have other iptables rules interfering with what you are trying. As I said, I have in the past done each of the things you describe, albeit never all at once. I had no trouble with it. Therefore, either it is a problem with doing them all at once or you are doing it wrong. It is quicker and easier for me to check for negative interactions from other rules than for me to build a test setup to validate that combining all the pieces in one system works. I have already given you everything you need for a working system, if it will work at all and if you do not have other rules causing negative side effects.

Falchion n00b
Joined: 18 Dec 2005 Posts: 57
Posted: Tue Oct 14, 2008 12:14 am Post subject:

Ok, I'm so sorry...
I forgot to mention that all my clients are Windows-based clients... and they all have their proxy set with port 3128 going to my router.
That's why they ignore the rule and go straight to squid. Unfortunately, I have to leave the clients' settings as they are and now I have to look for another solution other than the one we already discussed
Strangely enough, /etc/hosts affects the traffic in this situation, that's why I went straight to asking how to patch the /etc/hosts file.
Is there a way maybe for iptables to intercept this traffic if the clients are already set that way?

think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Oct 14, 2008 12:31 am Post subject:

Falchion wrote:
> I forgot to mention that all my clients are Windows-based clients... and they all have their proxy set with port 3128 going to my router.

so your clients have an explicit proxy configuration but your proxy is set up as a transparent one? That's begging for trouble, asking for pain...
What's the reason for this strange setup instead of configuring the proxy machine as an explicit proxy too?
Anyhow, did you already try to work with host routes on your proxy to the internal 'fake' webserver?

Falchion n00b
Joined: 18 Dec 2005 Posts: 57
Posted: Tue Oct 14, 2008 4:30 am Post subject:

Think4UrS11 wrote:
> Falchion wrote:
> > I forgot to mention that all my clients are Windows-based clients... and they all have their proxy set with port 3128 going to my router.
> so your clients have an explicit proxy configuration but your proxy is set up as a transparent one? That's begging for trouble, asking for pain...
> What's the reason for this strange setup instead of configuring the proxy machine as an explicit proxy too?
> Anyhow, did you already try to work with host routes on your proxy to the internal 'fake' webserver?

It shouldn't make much difference if I change the way squid works since the client goes through port 3128 anyway, right?
Yeah, it's a weird configuration, but I have my reasons for doing so, and it just has to be done that way from the client side.
I don't get what you mean by working on my host route?
are you talking about just adding it in the /etc/hosts file or something else?

think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Oct 14, 2008 8:14 pm Post subject:

i mean that you try to set a dedicated route on your squid box to the destination server you want to 'fake'.
Something like route add -host 2.3.4.5 gw 1.2.3.4
Had something similar done some time ago (on cisco equipment though) to provide a smooth transition phase for clients connecting to servers by abandoned ip addresses in our network.
And it makes a difference - in your setup the client browsers expect to work via a dedicated proxy but are then more or less forced to work via a transparent one - not sure if that scenario is really supported by the browsers.

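The host-route suggestion above works because the kernel picks the most specific matching prefix for every outgoing packet: a /32 entry for 2.3.4.5 beats the default route for that one address and nothing else. The following Python is an added illustration of that lookup, not code from this thread, from Gentoo or from any project; the routing table it builds is constructed for the example using the thread's placeholder addresses (LAN 1.2.3.0/24 on eth0, WAN 2.2.2.0/24 on eth1 with a constructed upstream gateway 2.2.2.1), and on a real box the equivalent check is `ip route get 2.3.4.5`.

```python
"""Longest-prefix-match lookup over a constructed routing table.

Added illustration (not from the thread or any project) of what
``route add -host 2.3.4.5 gw 1.2.3.4`` does on the squid box.  All addresses
are the placeholder values used in the thread; 2.2.2.1 is a constructed
upstream gateway.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[IPv4Address] = None  # None means directly connected


# Roughly what the squid/router box would hold: LAN on eth0, WAN on eth1 with
# a default route, plus the /32 host route that was suggested.
ROUTING_TABLE: List[Route] = [
    Route(IPv4Network("0.0.0.0/0"), "eth1", IPv4Address("2.2.2.1")),
    Route(IPv4Network("1.2.3.0/24"), "eth0"),
    Route(IPv4Network("2.2.2.0/24"), "eth1"),
    Route(IPv4Network("2.3.4.5/32"), "eth0", IPv4Address("1.2.3.4")),
]


def lookup(dst: str, table: List[Route] = ROUTING_TABLE) -> Optional[Route]:
    """Return the most specific route containing dst, as the kernel FIB would."""
    addr = IPv4Address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def next_hop(dst: str, table: List[Route] = ROUTING_TABLE) -> str:
    """Describe where a packet for dst leaves the box."""
    route = lookup(dst, table)
    if route is None:
        return "unreachable"
    if route.via is None:
        return f"dev {route.dev} (connected)"
    return f"via {route.via} dev {route.dev}"


if __name__ == "__main__":
    # The host route catches 2.3.4.5 alone; its neighbour still takes the default.
    for dst in ("2.3.4.5", "2.3.4.6", "1.2.3.5"):
        print(dst, "->", next_hop(dst))
```

Two things the lookup makes visible: the route applies to every process on the box, squid or not, which is the objection raised later in the thread; and a gateway route only changes the next hop, so the packet still carries 2.3.4.5 as its destination and the host at 1.2.3.4 has to be willing to accept that address, otherwise the rewrite has to happen higher up, in the proxy.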
Falchion n00b
Joined: 18 Dec 2005 Posts: 57
Posted: Wed Oct 15, 2008 1:17 am Post subject:

Think4UrS11 wrote:
> i mean that you try to set a dedicated route on your squid box to the destination server you want to 'fake'.
> Something like route add -host 2.3.4.5 gw 1.2.3.4
> Had something similar done some time ago (on cisco equipment though) to provide a smooth transition phase for clients connecting to servers by abandoned ip addresses in our network.
> And it makes a difference - in your setup the client browsers expect to work via a dedicated proxy but are then more or less forced to work via a transparent one - not sure if that scenario is really supported by the browsers.

Ok, I erased the transparent method in my squid. I was just worried because sometimes the BIOS gets reset and the proxy setting in the clients changes back to the default setting...
Still tho, any attempt to change routing by modifying iptables gives no effect whatsoever.
I don't really know how that "route add -host" works. So I tried doing this, I hope this is the right way:
I have two ISPs in my network, and I actually have another gentoo router set up to connect to the other ISP. So I tried doing route add -host 2.3.4.5 gw 192.168.0.1 (to my other router)...
and doing:
iptables -t nat -A PREROUTING -d 2.3.4.5 -j DNAT --to 1.2.3.4 (in that router)
but it seems that it's ignoring this rule too.
P.S: I was thinking about what you said of how I have an explicit setting for my clients so I did some tests on it, and it seems that setting up the proxy setting in Windows-based clients complicates the way clients connect to the internet. I tried adding a loopback adapter (within the client itself) to mirror the fake server but it won't work unless I change the proxy setting to "direct connection."
I guess if I'm really going to keep my clients' settings this way, I have to wait until someone shows me how to modify squid or the /etc/hosts file to accomplish this.
AHHHHHHH, I don't like where this is going

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 7855 Location: almost Mile High in the USA
Posted: Wed Oct 15, 2008 4:13 pm Post subject:

The thing about using squid is that squid is proxying your requests. So on your squid/router box, you need to route away any packets destined... so the NAT table has nothing to do with what you want to do.
I'm no expert on iptables, but what it sounds like is that you need to muck with your regular routing table, not the NAT routing table. Which means that all connections from that box to the rerouted address, whether from squid or not, get rerouted. If you don't want that to happen, you have to hack squid to do IP address translation.

Falchion n00b
Joined: 18 Dec 2005 Posts: 57
Posted: Thu Oct 16, 2008 5:29 am Post subject:

eccerr0r wrote:
> The thing about using squid is that squid is proxying your requests. So on your squid/router box, you need to route away any packets destined... so the NAT table has nothing to do with what you want to do.
> I'm no expert on iptables, but what it sounds like is that you need to muck with your regular routing table, not the NAT routing table. Which means that all connections from that box to the rerouted address, whether from squid or not, get rerouted. If you don't want that to happen, you have to hack squid to do IP address translation.

Ok, this is exactly what I've been looking for,
but I don't know where to start
How do I hack squid to do IP address translation?

think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Thu Oct 16, 2008 7:01 am Post subject:

http://wiki.squid-cache.org/SquidFaq/SquidRedirectors

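The FAQ page linked above covers Squid's redirector (URL rewrite) helpers, which is the "hack squid" route the thread ends on: Squid hands each request to an external program over stdin/stdout and uses whatever URL the program writes back. The Python below is an added example, not code from this thread, from the Squid project or from the FAQ; it implements the classic line-oriented helper protocol (one request line `URL client_ip/fqdn ident method ...` in, one reply line out, an empty line meaning "leave it alone") and rewrites only requests whose host is the thread's placeholder public address 2.3.4.5 to the internal 1.2.3.4. It assumes the default non-concurrent helper mode (no channel-ID prefix) and a Squid configured with `url_rewrite_program` (`redirect_program` on older 2.x releases); the install path in the comment is a placeholder.

```python
"""Minimal Squid URL-rewrite helper using the classic redirector protocol.

Added example, not Squid's own code.  Squid starts this program, writes one
request per line on its stdin and reads one reply line per request from its
stdout.  In the classic (non-concurrent) format the request line is

    URL client_ip/fqdn ident method [extra fields]

and the reply is either the rewritten URL or an empty line ("unchanged").
Wire it up with something like (placeholder path):

    url_rewrite_program /usr/local/bin/rewrite_host.py
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Requested host -> replacement host.  Addresses are the constructed
# placeholder values used in the thread.
REWRITE_MAP = {
    "2.3.4.5": "1.2.3.4",
}


def rewrite_url(url: str) -> str:
    """Return url with its host swapped per REWRITE_MAP, or "" if untouched."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # already lower-cased by urlsplit
        port = parts.port              # may raise ValueError on a bad port
    except ValueError:
        return ""                      # malformed: let Squid handle it as-is
    if host is None:                   # e.g. CONNECT targets look like host:port
        return ""
    target = REWRITE_MAP.get(host)
    if target is None:
        return ""
    # Only the host changes; keep userinfo and port so the request still fits.
    netloc = target if port is None else f"{target}:{port}"
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += f":{parts.password}"
        netloc = f"{userinfo}@{netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rewrite_line(line: str) -> str:
    """Handle one helper request line; return the reply without its newline."""
    fields = line.strip().split()
    if not fields:
        return ""
    return rewrite_url(fields[0])      # first field is the URL


def main() -> None:
    # Squid blocks waiting for each reply, so flush after every line; with
    # block-buffered stdout requests would stall until the buffer filled.
    for line in sys.stdin:
        sys.stdout.write(rewrite_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the helper rewrites the URL silently (no `301:`/`302:` prefix), the client never learns the request went elsewhere, which is exactly what the thread asks for; note that CONNECT (HTTPS) requests reach the helper as a bare `host:port` and are deliberately left untouched here, so only plain HTTP is diverted. Newer Squid releases also accept the `OK rewrite-url="..."` reply syntax, but the classic form used above is still understood.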
Falchion n00b
Joined: 18 Dec 2005 Posts: 57
Posted: Fri Oct 17, 2008 12:14 am Post subject:

Think4UrS11 wrote:
> http://wiki.squid-cache.org/SquidFaq/SquidRedirectors

Thank you so much!!
I hope I can do this smoothly.