On Thu, Mar 30, 2000 at 05:55:08PM +0530, Differentiated Software Solutions Pvt. Ltd. wrote:

> 1. What is IP Masquerading. How is this related to Transparent proxy ??
> 2. What is the difference between transparent proxy and squid as a proxy.
> 3. Even after setting up IP Masquerading should we run squid ??

A well-written answer to all 3 questions above is part of the IP
chains HOWTO:
    http://www.rustcorp.com/linux/ipchains/HOWTO-3.html
(I know you said you read it, but you may want to re-read that
section very carefully.  It *really* does explain the differences
very nicely, with 3 scenarios).

Anyway, I'll try...  In the following, "you" or "your computer"
means a client machine that is behind the firewall/gateway.

Scene 1 - The most restrictive: Squid proxy only.

In this scenario, your web browser is told to use the gateway's
squid port (usually 3128?  I'm not sure) as a proxy.  (It's in
Netscape/Preferences/Advanced).

When you do this, and ask for, say, yahoo.com, netscape does not
directly try to contact yahoo.  Instead, it contacts your proxy -
which is squid on your gateway - and asks it to please go and get
yahoo for it.  Squid does that, and sends it back.

This is the most restrictive because you really can't do anything
except HTTP (and perhaps anon FTP).  You can't do telnet,
command-line FTP, ssh, or indeed anything else.  Anything that
Netscape can't do, you can't do.

Scene 2 - much better: IP Masq

In this scenario, your machine *thinks* it can talk to any machine
on the internet.  However, your machine has an IP address that is
"private" (say, 192.168.x.x), which is not addressable from
anywhere in the wide world outside.

Your routing table says your default gateway is your firewall box.

You don't set any proxies in Netscape.  You ask netscape to get
yahoo.com.  (Or you yourself try to telnet to some server - say
shell.yourisp.com.  Or you try to FTP... whatever).

Your machine looks at the destination and decides to send it to
your default gateway.

The gateway looks at the destination address and "masquerades" the
packet.  Why?  If it sent the packet out as is, the return address
(it's private, remember?) will make it essentially useless - the
server on the other end will never know how to send the reply
back.

So your gateway (which does have a non-private IP address) changes
the packet headers to make it look like it's coming from itself,
and sends it to yahoo.  It also makes a note of some details about
this connection, so when the reply comes back it knows what to do
with the reply.

When that reply comes back, it changes the headers once again (to
look like the destination was your box) and sends it to you.

So to all intents and purposes you are "on the internet".  For
some tasks (like FTP) some extra modules may have to be "insmoded"
on the gateway (like "insmod ip_masq_ftp").

Scene 3 - not much good - transparent proxies

Transparent proxies are (IMHO) useless for your purposes.

Let's say an ISP decides to put in a caching proxy (squid again!)
on his gateway for efficiency.

This will only work if all his customers are willing to set up
this proxy in their netscape or whatever.  That's a hassle; many
of them might not (even though it's in their interest, actually)
be bothered.

A transparent proxy works by detecting packets coming in from the
customers, bound for port 80 (HTTP) on some machine somewhere.  It
then transparently redirects it to a local port (say, 3128).  What
it has done is that it has screwed up the routing - you think your
packet is going directly to yahoo.com, but it's not.

Then squid takes over and the rest is as before.

So transparent proxy is basically a way to "force" everyone to
use a proxy whether they know it or not.

But see below...

> 4. We have windows clients using telnet to login to Linux. Now, we want to
> use the same telnet to login to servers in the US using Linux as a proxy.
> How do we do this. After we setup transparent proxy can I run telnet on
> Window PC and access any server on the net or should I logon to Linux
> machine only then can I telnet ??

You don't want transparent proxy for this - use IP Masq.
Transparent proxies need special software listening on the gateway
(like squid for HTTP) in order to work.  Remember that in
transparent proxy the packet is redirected to a LOCAL port.

I am not aware of any squid-like proxies for telnet connections,
so this won't work.
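To make Scene 2 and Scene 3 concrete, here is a small added simulation (not code from the original mail or from the ipchains project) of what the gateway does to packet headers. The `MasqGateway` class models masquerading: it rewrites the source of outbound packets to the gateway's own address, keeps the "note" about each connection in a translation table, and uses that table to rewrite replies back to the client; an inbound packet with no matching entry is dropped. The `transparent_redirect` function models the Scene 3 rule: only LAN traffic bound for port 80 is diverted to a local port, so a telnet packet passes through it untouched, which is why it does not help with question 4. All addresses, port numbers and the class/function names are constructed for this example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: the "private" addresses the mail refers to (say, 192.168.x.x).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    """Just the header fields that matter for masquerading (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int


def needs_masquerade(pkt):
    """True if the reply to this packet could never find its way back:
    a private source address is not routable from the outside world."""
    return any(ip_address(pkt.src) in net for net in RFC1918)


class MasqGateway:
    """Toy model of IP masquerading on a gateway with one public address."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (client ip, client port, remote ip, remote port)
        self.table = {}
        # the same mapping in the other direction, to reuse a port per flow
        self.reverse = {}

    def outbound(self, pkt):
        """Client -> internet: make the packet look like it comes from us
        and remember the connection so the reply can be mapped back."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.reverse.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[port] = key
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Internet -> client: look the reply up in the table and rewrite
        the destination to the client. Returns None (drop) if nothing
        matches, i.e. the packet was not solicited from inside."""
        entry = self.table.get(pkt.dport)
        if entry is None or (entry[2], entry[3]) != (pkt.src, pkt.sport):
            return None
        client_ip, client_port, _, _ = entry
        return replace(pkt, dst=client_ip, dport=client_port)


def transparent_redirect(pkt, gateway_ip, lan="192.168.1.0/24", local_port=3128):
    """Scene 3: divert LAN traffic for port 80 to a local proxy port.
    Anything else (telnet on 23, ssh on 22, ...) is returned unchanged."""
    if ip_address(pkt.src) in ip_network(lan) and pkt.dport == 80:
        return replace(pkt, dst=gateway_ip, dport=local_port)
    return pkt


if __name__ == "__main__":
    gw = MasqGateway("203.0.113.5")          # constructed public address
    req = Packet("192.168.1.10", 40000, "198.51.100.7", 80)
    print("private source, needs masq:", needs_masquerade(req))
    out = gw.outbound(req)
    print("as sent to the server:", out)
    reply = Packet(out.dst, out.dport, out.src, out.sport)
    print("reply delivered to client as:", gw.inbound(reply))
    print("telnet under transparent proxy:",
          transparent_redirect(Packet("192.168.1.10", 40001, "198.51.100.7", 23),
                               "192.168.1.1"))
```

In the real kernel the same two ideas are the `MASQ` and `REDIRECT` targets of ipchains rules, described in the HOWTO linked above; note that the transparent redirect on its own only changes where the packet lands, so it still needs a proxy such as squid actually listening on that local port.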

-----------------------------------------------------------------------
For information on this and other Linux India mailing lists check out
http://lists.linux-india.org/