[Solved] /etc/hosts can't redirect ip to an ip

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
Post Reply
Advanced search
22 posts • Page 1 of 1
Author
Message
Falchion
n00b
Posts: 57
Joined: Sun Dec 18, 2005 1:18 pm

[Solved] /etc/hosts can't redirect ip to an ip

Post by Falchion » Thu Oct 09, 2008 1:26 am

hi,
I just reinstalled my squid with the --no-internal-dns option, and I was hoping to redirect a public IP to an IP in my network.

my /etc/hosts file can understand:
1.2.3.4 fakeweb.whatever
but not:
1.2.3.4 2.3.4.5

:?

What should I do to make the /etc/hosts file understand this?
Last edited by Falchion on Fri Nov 07, 2008 3:05 am, edited 1 time in total.
cyrillic
Watchman
Posts: 7311
Joined: Wed Feb 19, 2003 3:05 am
Location: Groton, Massachusetts USA

Re: [Problem] /etc/hosts can't redirect ip to an ip

Post by cyrillic » Thu Oct 09, 2008 3:49 am

Falchion wrote: I was hoping to redirect a public IP to an IP in my network.
It sounds like you are talking about NAT. A router is able to do that for you.
Falchion
n00b
Posts: 57
Joined: Sun Dec 18, 2005 1:18 pm

Post by Falchion » Thu Oct 09, 2008 6:38 am

my router also serves as a transparent proxy.

iptables can't control the connections coming through squid.... so I have to look for another solution other than separating them (making another router).

is there anyone who knows how to patch the /etc/hosts file that can help me?
kokoko3k
n00b
Posts: 72
Joined: Fri May 06, 2005 4:16 pm

Post by kokoko3k » Thu Oct 09, 2008 7:05 am

/etc/hosts resolves hostnames, not IPs, so I guess not.
eccerr0r
Watchman
Posts: 10239
Joined: Thu Jul 01, 2004 6:51 pm
Location: almost Mile High in the USA

Post by eccerr0r » Fri Oct 10, 2008 12:05 am

Sounds like you have to hack/patch squid to do this; you can't hack /etc/hosts to remap IP addresses.
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?
Hu
Administrator
Posts: 24385
Joined: Tue Mar 06, 2007 5:38 am

Post by Hu » Fri Oct 10, 2008 2:53 am

You may be able to use the iptables DNAT target to achieve this. Please post a description of what you are trying to achieve.
Falchion
n00b
Posts: 57
Joined: Sun Dec 18, 2005 1:18 pm

Post by Falchion » Sat Oct 11, 2008 2:40 pm

Hu, DNAT is out of the question unless I add another router between the transparent proxy and the WAN....

iptables has no control whatsoever over bandwidth going directly through squid if it's all done in one box (the firewall can't tell which packet to filter because the destination is the box itself... and it can't rearrange the destination once it leaves squid on the other interface).... unless there's a more advanced iptables command that I can use to accomplish this? :?

I just want to basically redirect connections going through the router/squid that lead to 2.3.4.5 (WAN) ---> to be directed to 1.2.3.4 (LAN).
I tried doing this:
iptables -t nat -A POSTROUTING -o eth1 -d 2.3.4.5 -j DNAT --to 1.2.3.4
but it returns "Invalid Argument."
If I try PREROUTING.... I can't use -o with it.
If I try -i eth0... it doesn't filter anything because the -d is the box itself :cry:

eccerr0r, can you point me in the right direction on how to patch squid to accomplish this?
Hu
Administrator
Posts: 24385
Joined: Tue Mar 06, 2007 5:38 am

Post by Hu » Sat Oct 11, 2008 9:26 pm

DNAT is only valid in the PREROUTING and OUTPUT chains, according to man iptables. Use REDIRECT in the PREROUTING chain to transparently intercept traffic routed through the box and redirect it to the box itself. Use DNAT to redirect an outbound connection from the box.

Your description does not explain how you expect traffic shaping to fit into this, or where you want to accomplish it.
Falchion
n00b
Posts: 57
Joined: Sun Dec 18, 2005 1:18 pm

Post by Falchion » Sun Oct 12, 2008 6:50 am

Hu wrote: Your description does not explain how you expect traffic shaping to fit into this, or where you want to accomplish it.
iptables has limits, and as far as I know.. it can't traffic shape any connection going directly in or out of the transparent proxy if both routing & squid are done on the same box :?

But anyway, let me try to explain it because maybe you know something that I don't.

Client(1.2.3.5) ----------> (1.2.3.1)<eth0>Router<eth1>(2.2.2.2) ----------> 2.3.4.5
FakeServer(1.2.3.4) --->

OK, my only purpose is this:
client 1.2.3.5 connects to squid at 1.2.3.1:3128 going to 2.3.4.5 normally, but I want to redirect it to 1.2.3.4

Originally, I tried:
iptables -t nat -A PREROUTING -d 2.3.4.5 -j DNAT --to 1.2.3.4
nothing happened, so I tried doing:
iptables -t nat -A PREROUTING -d 2.3.4.5 -p tcp --dport 3128 -j DNAT --to 1.2.3.4
iptables -t nat -A PREROUTING -d 2.3.4.5 -p tcp --dport 80 -j DNAT --to 1.2.3.4
again, nothing happened.
Squid already intercepts any PREROUTING on port 3128 or 80.

so I tried to mess around with the OUTPUT...
iptables -A OUTPUT -t nat -o eth1 -d 2.3.4.5 -j DNAT --to-destination 1.2.3.4
also doesn't filter anything....
squid apparently overrides this rule so I came to the conclusion that iptables can't do anything in this situation.

I hope someone can help me with this.
and please, if your answer is "just add another router" or "separate the squid and routing"... just don't reply to this thread.
Ty.
Hu
Administrator
Posts: 24385
Joined: Tue Mar 06, 2007 5:38 am

Post by Hu » Sun Oct 12, 2008 5:02 pm

It is a little strange to try to transparently intercept a connection, run it through an HTTP proxy, traffic shape it, and transparently redirect the outbound traffic again - whether using one box or several. However, from your description, I do not see anything that I think indicates that it should not work. I have tried each of the pieces individually on various occasions and they work fine.

What is the output of (set -x ; iptables-save -c | nl ; tc -s qdisc show | nl ; tc -s class show | nl ; tc -s filter show| nl)?
Falchion
n00b
Posts: 57
Joined: Sun Dec 18, 2005 1:18 pm

Post by Falchion » Mon Oct 13, 2008 12:24 am

Hu, just tell me what you have in mind to accomplish this.
I'll work it and let you know if it's working or not.

Seeing my iptables output atm will give you nothing that you need to know in order to answer my question. Quit wasting both of our time. Either you have the answer or you don't.

I already told you what I did and the reason why it didn't work. I also told you what I need to accomplish. I think we should stop at it until somebody comes up with the answer other than the one I already know.
think4urs11
Bodhisattva
Posts: 6659
Joined: Wed Jun 25, 2003 9:51 pm
Location: above the cloud

Post by think4urs11 » Mon Oct 13, 2008 12:39 am

Already tried to simply set a host route on your squid box for the external ip pointing to your internal webserver?
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
Hu
Administrator
Posts: 24385
Joined: Tue Mar 06, 2007 5:38 am

Post by Hu » Mon Oct 13, 2008 3:15 am

Falchion wrote: Hu, just tell me what you have in mind to accomplish this.
I'll work it and let you know if it's working or not.

Seeing my iptables output atm will give you nothing that you need to know in order to answer my question. Quit wasting both of our time. Either you have the answer or you don't.

I already told you what I did and the reason why it didn't work. I also told you what I need to accomplish. I think we should stop at it until somebody comes up with the answer other than the one I already know.
If I had a ready made answer, I would have given it to you. I wanted that output so that I could confirm you did not have other iptables rules interfering with what you are trying. As I said, I have in the past done each of the things you describe, albeit never all at once. I had no trouble with it. Therefore, either it is a problem with doing them all at once or you are doing it wrong. It is quicker and easier for me to check for negative interactions from other rules than for me to build a test setup to validate that combining all the pieces in one system works. I have already given you everything you need for a working system, if it will work at all and if you do not have other rules causing negative side effects.
Falchion
n00b
Posts: 57
Joined: Sun Dec 18, 2005 1:18 pm

Post by Falchion » Tue Oct 14, 2008 12:14 am

Ok, I'm so sorry...
I forgot to mention that all my clients are Windows-based clients... and they all have their proxy set to port 3128 going to my router.

That's why they ignore the rule and go straight to squid. Unfortunately, I have to leave the clients' settings as they are and now I have to look for another solution other than the one we already discussed :(

Strangely enough, /etc/hosts affects the traffic in this situation, which is why I went straight to asking how to patch the /etc/hosts file.

Is there maybe a way for iptables to intercept this traffic if the clients are already set up that way?
think4urs11
Bodhisattva
Posts: 6659
Joined: Wed Jun 25, 2003 9:51 pm
Location: above the cloud

Post by think4urs11 » Tue Oct 14, 2008 12:31 am

Falchion wrote: I forgot to mention that all my clients are Windows-based clients... and they all have their proxy set to port 3128 going to my router.
8O
so your clients have an explicit proxy configuration but your proxy is set up as a transparent one? That's begging for trouble, asking for pain...

What's the reason for this strange setup instead of configuring the proxy machine as an explicit proxy too?
Anyhow, did you already try to work with host routes on your proxy to the internal 'fake' webserver?
Falchion
n00b
Posts: 57
Joined: Sun Dec 18, 2005 1:18 pm

Post by Falchion » Tue Oct 14, 2008 4:30 am

Think4UrS11 wrote:
Falchion wrote: I forgot to mention that all my clients are Windows-based clients... and they all have their proxy set to port 3128 going to my router.
8O
so your clients have an explicit proxy configuration but your proxy is set up as a transparent one? That's begging for trouble, asking for pain...

What's the reason for this strange setup instead of configuring the proxy machine as an explicit proxy too?
Anyhow, did you already try to work with host routes on your proxy to the internal 'fake' webserver?
It shouldn't make much difference if I change the way squid works since the client goes through port 3128 anyway, right?
Yeah, it's a weird configuration, but I have my reasons for doing so, and it just has to be done that way from the client side.

I don't get what you mean by working on my host route?
Are you talking about just adding it in the /etc/hosts file or something else?
think4urs11
Bodhisattva
Posts: 6659
Joined: Wed Jun 25, 2003 9:51 pm
Location: above the cloud

Post by think4urs11 » Tue Oct 14, 2008 8:14 pm

I mean that you try to set a dedicated route on your squid box to the destination server you want to 'fake'.
Something like route add -host 2.3.4.5 1.2.3.4
I did something similar some time ago (on Cisco equipment though) to provide a smooth transition phase for clients connecting to servers by abandoned IP addresses in our network.

And it makes a difference - in your setup the client browsers expect to work via a dedicated proxy but are then more or less forced to work via a transparent one - not sure if that scenario is really supported by the browsers.
Falchion
n00b
Posts: 57
Joined: Sun Dec 18, 2005 1:18 pm

Post by Falchion » Wed Oct 15, 2008 1:17 am

Think4UrS11 wrote: I mean that you try to set a dedicated route on your squid box to the destination server you want to 'fake'.
Something like route add -host 2.3.4.5 1.2.3.4
I did something similar some time ago (on Cisco equipment though) to provide a smooth transition phase for clients connecting to servers by abandoned IP addresses in our network.

And it makes a difference - in your setup the client browsers expect to work via a dedicated proxy but are then more or less forced to work via a transparent one - not sure if that scenario is really supported by the browsers.
Ok, I removed the transparent method in my squid. I was just worried because sometimes the BIOS gets reset and the proxy settings in the clients change back to the default setting...
Still though, any attempt to change routing by modifying iptables has no effect whatsoever.

I don't really know how that "route add -host" works. So I tried doing this, I hope this is the right way:
I have two ISPs in my network, and I actually have another gentoo router set up to connect to the other ISP. So I tried doing route add -host 2.3.4.5 gw 192.168.0.1 (to my other router)...
and doing:
iptables -t nat -A PREROUTING -d 2.3.4.5 -j DNAT --to 1.2.3.4 (in that router)
but it seems that it's ignoring this rule too.

P.S: I was thinking about what you said about how I have an explicit setting for my clients so I did some tests on it, and it seems that setting up the proxy setting in Windows-based clients complicates the way clients connect to the internet. I tried adding a loopback adapter (within the client itself) to mirror the fake server but it won't work unless I change the proxy setting to "direct connection."

I guess if I'm really going to keep my clients' settings this way, I have to wait until someone shows me how to modify squid or the /etc/hosts file to accomplish this.

AHHHHHHH, I don't like where this is going :x
eccerr0r
Watchman
Posts: 10239
Joined: Thu Jul 01, 2004 6:51 pm
Location: almost Mile High in the USA

Post by eccerr0r » Wed Oct 15, 2008 4:13 pm

The thing about using squid is that squid is proxying your requests. So on your squid/router box, you need to route away any packets destined... so the NAT table has nothing to do with what you want to do.

I'm no expert on iptables, but what it sounds like is that you need to muck with your regular routing table, not the NAT routing table. Which means that all connections from that box to the rerouted address, whether from squid or not, get rerouted. If you don't want that to happen, you have to hack squid to do IP address translation.
Falchion
n00b
Posts: 57
Joined: Sun Dec 18, 2005 1:18 pm

Post by Falchion » Thu Oct 16, 2008 5:29 am

eccerr0r wrote: The thing about using squid is that squid is proxying your requests. So on your squid/router box, you need to route away any packets destined... so the NAT table has nothing to do with what you want to do.

I'm no expert on iptables, but what it sounds like is that you need to muck with your regular routing table, not the NAT routing table. Which means that all connections from that box to the rerouted address, whether from squid or not, get rerouted. If you don't want that to happen, you have to hack squid to do IP address translation.
Ok, this is exactly what I've been looking for,
but I don't know where to start :?

How do I hack squid to do IP address translation?
think4urs11
Bodhisattva
Posts: 6659
Joined: Wed Jun 25, 2003 9:51 pm
Location: above the cloud

Post by think4urs11 » Thu Oct 16, 2008 7:01 am

http://wiki.squid-cache.org/SquidFaq/SquidRedirectors
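The redirector approach linked above, worked through as an added example that is not part of this thread or of Squid itself: a url_rewrite_program helper, in Python, that sends requests for the public address 2.3.4.5 to the internal server 1.2.3.4 instead of touching /etc/hosts or iptables. It assumes the classic one-URL-per-line reply format (MODERN switches to the Squid 3.4+ "OK rewrite-url=" replies); REWRITE_MAP and the sample input lines in the comments are constructed for illustration.

```python
#!/usr/bin/env python3
"""Squid URL-rewrite helper (added example, not Squid's own code).

Squid starts this program via url_rewrite_program and writes one request
per line to stdin:  URL client_ip/fqdn ident method [key=value ...]
Classic reply: the rewritten URL, or an empty line to leave the request
unchanged.  Squid 3.4+ expects 'OK rewrite-url="..."' or 'ERR' instead.
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Public destination -> internal server.  Constructed from the addresses
# used in the thread; add your own entries here.
REWRITE_MAP = {"2.3.4.5": "1.2.3.4"}
MODERN = False  # True selects the Squid 3.4+ reply format


def rewrite_url(url: str) -> str:
    """Return the rewritten URL, or "" when the request should pass through."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None or host not in REWRITE_MAP:
        return ""
    netloc = REWRITE_MAP[host]
    if parts.port is not None:          # keep an explicit port (e.g. :8080)
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def handle_line(line: str) -> str:
    """Parse one helper input line; the first field is the URL, the fourth the method."""
    fields = line.split()
    if not fields:
        return ""
    url, method = fields[0], (fields[3] if len(fields) > 3 else "")
    # CONNECT requests arrive as bare "host:port" with no scheme.  They are
    # TLS tunnels, so rewriting them would break certificate validation on
    # the client; pass them through unchanged.
    if method == "CONNECT" or "://" not in url:
        return ""
    return rewrite_url(url)


def format_reply(rewritten: str, modern: bool = MODERN) -> str:
    """Encode the decision in the protocol Squid expects."""
    if not modern:
        return rewritten                      # "" means no change
    return f'OK rewrite-url="{rewritten}"' if rewritten else "ERR"


if __name__ == "__main__":
    # Squid keeps the helper running; answer every line immediately and
    # flush, otherwise Squid stalls waiting for the reply.
    for raw in sys.stdin:
        print(format_reply(handle_line(raw)), flush=True)
```

Only the host part of the URL is rewritten; path, query and an explicit port are preserved, so the fake server must answer for the same paths the real one served.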
Falchion
n00b
Posts: 57
Joined: Sun Dec 18, 2005 1:18 pm

Post by Falchion » Fri Oct 17, 2008 12:14 am

Think4UrS11 wrote: http://wiki.squid-cache.org/SquidFaq/SquidRedirectors
Thank you so much!!

I hope I can do this smoothly.