Re: rewriting source and destination of local packets
also sprach Phil Dyer [EMAIL PROTECTED] [2005.03.28.0041 +0200]:
> Martin, if/when you do find a solution, I hope you'll summarize to
> the list. I find this problem quite interesting...

Certainly.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft [EMAIL PROTECTED]
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

people with narrow minds usually have broad tongues.
Re: rewriting source and destination of local packets
also sprach David Mandelberg [EMAIL PROTECTED] [2005.03.27.1617 +0200]:
> What about allowing all connections with squid's acls and using
> iptables to limit it to localhost?

This is certainly the other possibility, but it's one I do not like a
lot, maybe for aesthetic reasons...

-- 
windoze nt crashed. i am the blue screen of death. no one hears your screams.
Re: rewriting source and destination of local packets
also sprach Arnt Karlsen [EMAIL PROTECTED] [2005.03.27.0439 +0200]:
> ..a weird set of details from which I couldn't make out any kinda
> sense of your overall purpose, as in ok, you told me _how_ you wanna
> do it, but _what_ are you trying to do, and _why_?.
[...]
> ..now we're talking. ;o) Communication strategy: Try to explain
> _what_ you're trying to do, and _why_, like you would to some new
> date's sceptical grandma.

I think you should re-read this thread from the beginning.

-- 
convictions are more dangerous enemies of truth than lies.
                                                 - friedrich nietzsche
Re: rewriting source and destination of local packets
> > is it possible to rewrite both, source and destination socket in
> > locally generated, outgoing packets, *before* a routing decision is
> > made?
>
> ..now we're talking. ;o) Communication strategy: Try to explain
> _what_ you're trying to do, and _why_,

Martin's question has yet to be answered. I find his question clear
and concise. Why? Why not...

Martin - perhaps your answer is no, wish I were more helpful. A few
bytes in a packet traversing a box should not be so complicated to toy
with.. Any good at coding?

Best of luck,
Ross

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: rewriting source and destination of local packets
On Sun, 27 Mar 2005 22:59:50 +0930, Ross wrote in message
[EMAIL PROTECTED]:

> > > is it possible to rewrite both, source and destination socket in
> > > locally generated, outgoing packets, *before* a routing decision
> > > is made?
> >
> > ..now we're talking. ;o) Communication strategy: Try to explain
> > _what_ you're trying to do, and _why_,
>
> Martin's question has yet to be answered. I find his question clear
> and concise. Why? Why not...

..ok, tell me how you understand his question.

> Martin - perhaps your answer is no, wish I were more helpful. A few
> bytes in a packet traversing a box should not be so complicated to
> toy with.. Any good at coding?
>
> Best of luck,
> Ross

..yeah, he might have to write new code to do what he wanna do..

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: best case, worst case, and
  just in case.
Re: rewriting source and destination of local packets
On Sun, Mar 27, 2005 at 10:59:50PM +0930, Ross Goble wrote:
> Martin's question has yet to be answered. I find his question clear
> and concise.

perhaps one could mark with iptables the local packets to be source
natted and then source nat the marked packets with ip route

-- 
Whoever uses non-free software poisons you too. Tell them to stop.
Computing=arsenic: tiny doses in rare pathological cases, otherwise lethal.
Computing=bomb: intelligent only to the fools who believe in it.
Re: rewriting source and destination of local packets
NN_il_Confusionario wrote:
> perhaps one could mark with iptables the local packets to be source
> natted and then source nat the marked packets with ip route

I don't think that iptables alone can do it. I'm thinking this is the
road to look down, iptables + ip route, if it can be done at all...

-- 
/phil
Re: rewriting source and destination of local packets
Phil Dyer wrote:
> NN_il_Confusionario wrote:
> > perhaps one could mark with iptables the local packets to be source
> > natted and then source nat the marked packets with ip route
>
> I don't think that iptables alone can do it. I'm thinking this is the
> road to look down, iptables + ip route, if it can be done at all...

Martin, if/when you do find a solution, I hope you'll summarize to the
list. I find this problem quite interesting...

-- 
/phil
Re: rewriting source and destination of local packets
Phil Dyer wrote:
> Phil Dyer wrote:
> > NN_il_Confusionario wrote:
> > > perhaps one could mark with iptables the local packets to be
> > > source natted and then source nat the marked packets with ip route
> >
> > I don't think that iptables alone can do it. I'm thinking this is
> > the road to look down, iptables + ip route, if it can be done at
> > all...
>
> Martin, if/when you do find a solution, I hope you'll summarize to
> the list. I find this problem quite interesting...

I'm not sure this would work, but what about setting the dynamic ip
address to an environment variable. Write the iptables rule to
reference the environment variable and then whenever the ip address
changes, update the environment variable.

Alternatively, you could have a script that deletes and re-adds the
iptable rule for the dynamic address every time the lease is renewed.

lurker,
Brian D.
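An added example, not code from Brian's or anyone else's post: the lease-renewal hook idea above, but applied to squid's source ACL rather than the iptables rule, since the REDIRECT rules in this thread never mention the address while squid's http_access does. It assumes Debian's dhclient exit-hook convention ($reason, $new_ip_address), a squid.conf that includes /etc/squid/thishost.acl and allows the ACL "thishost"; those file and ACL names are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): a dhclient exit hook that keeps a
# squid "src" ACL in sync with the dynamic external address, so squid can
# keep restrictive http_access rules instead of "http_access allow all".
# Assumptions: Debian's /etc/dhcp/dhclient-exit-hooks.d/ convention
# ($reason, $new_ip_address), a squid.conf containing
# "include /etc/squid/thishost.acl" and "http_access allow thishost".
# The file name and ACL name are hypothetical.

ACL_FILE="${ACL_FILE:-/etc/squid/thishost.acl}"
ACL_NAME="thishost"

# Accept only a well-formed dotted quad: the hook writes into a file that
# squid parses as configuration, so arbitrary text must never get through.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# The ACL line squid should see: loopback plus the current address, both
# as /32 entries so nothing else on the link is admitted by accident.
acl_line() {
    printf 'acl %s src 127.0.0.1/32 %s/32' "$ACL_NAME" "$1"
}

# Rewrite the include file atomically.  Returns 0 if it changed,
# 2 if it already matched, 1 if the address is not acceptable.
update_acl() {
    _ip=$1; _file=$2
    valid_ipv4 "$_ip" || return 1
    _new=$(acl_line "$_ip")
    if [ -f "$_file" ] && [ "$(cat "$_file")" = "$_new" ]; then
        return 2
    fi
    _tmp="$_file.tmp.$$"
    printf '%s\n' "$_new" > "$_tmp" && mv "$_tmp" "$_file"
}

# dhclient sets $reason; when the script is sourced from elsewhere it is
# empty and nothing below runs.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        if update_acl "$new_ip_address" "$ACL_FILE"; then
            # "squid -k reconfigure" re-reads squid.conf and its includes
            command -v squid >/dev/null 2>&1 && squid -k reconfigure
        fi
        ;;
esac
```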
Re: rewriting source and destination of local packets
On Sat, 26 Mar 2005 16:29:43 +0100, martin wrote in message
[EMAIL PROTECTED]:

> also sprach Arnt Karlsen [EMAIL PROTECTED] [2005.03.24.2014 +0100]:
> > ..having re-read this thread all the way from your Message-ID:
> > [EMAIL PROTECTED], I _lost_ you.
> >
> > ..is this some kinda paid research you're doing for Microsoft???
>
> Yeah, sure. I am a secret M$ agent trying to improve MS Proxy Server
> 1.0 for the scheduled release in 2006^W9.

.. ;o)

> I am not sure what problems you are having understanding the
> challenge at hand.

..a weird set of details from which I couldn't make out any kinda
sense of your overall purpose, as in ok, you told me _how_ you wanna
do it, but _what_ are you trying to do, and _why_?.

> also sprach David Mandelberg [EMAIL PROTECTED] [2005.03.25.1730 +0100]:
> > > This works. Problem is that the packets arriving at 3128 have the
> > > dynamic external IP as source, when they should have 127.0.0.1.
> >
> > Is there a problem with that?
>
> Yes. As stated multiple times: it breaks squid access control.

..like here.

> > When a program under linux tries to contact an address that's used
> > by one of the machine's interfaces, the traffic is sent locally and
> > never goes to that interface. ...
>
> fwiw, any TCP/IP stack does this.
>
> > Using SNAT would probably break the http client because it would
> > send using the world ip and therefore wouldn't be listening on
> > 127.0.0.1 for the reply from squid.
>
> What?
>
> Maybe we should just forget the details and someone can give me a
> clear answer to: is it possible to rewrite both, source and
> destination socket in locally generated, outgoing packets, *before*
> a routing decision is made?

..now we're talking. ;o) Communication strategy: Try to explain
_what_ you're trying to do, and _why_, like you would to some new
date's sceptical grandma. ..in german too, these 2 languages are
different enough structurally that I'm guessing you may have a clear
idea of what you wanna do, but stumble into some subtle trap neither
of us sees before you try the grandma stunt.

..and preliminarily, yeah, you can do a lot of wild ass stunts with
squid and netfilter code, but I still don't know whether that actually
answers your questions. ..on challenges, remember the facts in the
Coffee-Howto are products of some geeks who mistook the previous set
of facts for a challenge, there _are_ easier ways to get coffee. ;o)

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
Re: rewriting source and destination of local packets
On Wednesday, 23 March 2005 17:39, martin f krafft wrote:
> also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.23.1709 +0100]:
> > acl thishost 1.2.3.4/255.255.255.255 (or whatever it's public IP is
> > - I don't have the
>
> It's a dynamic IP. So short of script-editing squid.conf, iptables is
> the only way.

Are you trying to do transparent proxy on a router/gateway with dynamic
ip on the public interface? Is your client's ip also dynamic?

Best regards
Re: rewriting source and destination of local packets
also sprach Raúl Alexis Betancort Santana [EMAIL PROTECTED] [2005.03.24.0948 +0100]:
> Are you trying to do transparent proxy on a router/gateway with
> dynamic ip on the public interface? Is your client's ip also dynamic?

local packets means: packets generated on the machine running squid
itself. no clients involved. Maybe this is clear:

  (nat table)
  -A OUTPUT -o world -p tcp --dport 80 -j redirect-local-squid
  -A redirect-local-squid -m owner --gid-owner 13 -j ACCEPT
  -A redirect-local-squid -p tcp -j REDIRECT --to-port 3128

This works. Problem is that the packets arriving at 3128 have the
dynamic external IP as source, when they should have 127.0.0.1.

-- 
the early bird may get the worm, but the second mouse gets the cheese
in the trap.
Re: rewriting source and destination of local packets
On Thu, 24 Mar 2005 11:26:44 +0100, martin wrote in message
[EMAIL PROTECTED]:

> also sprach Raúl Alexis Betancort Santana [EMAIL PROTECTED] [2005.03.24.0948 +0100]:
> > Are you trying to do transparent proxy on a router/gateway with
> > dynamic ip on the public interface? Is your client's ip also
> > dynamic?
>
> local packets means: packets generated on the machine running squid
> itself. no clients involved. Maybe this is clear:
>
>   (nat table)
>   -A OUTPUT -o world -p tcp --dport 80 -j redirect-local-squid
>   -A redirect-local-squid -m owner --gid-owner 13 -j ACCEPT
>   -A redirect-local-squid -p tcp -j REDIRECT --to-port 3128
>
> This works. Problem is that the packets arriving at 3128 have the
> dynamic external IP as source, when they should have 127.0.0.1.

..having re-read this thread all the way from your Message-ID:
[EMAIL PROTECTED], I _lost_ you.

..is this some kinda paid research you're doing for Microsoft???

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
Re: rewriting source and destination of local packets
On Wednesday 23 March 2005 11:06, martin f krafft wrote:
> I want to rewrite source and destination sockets of locally generated
> packets. Specifically, packets with the following pair
>
>   1.2.3.4:12345 - 8.7.6.5:80
>
> should be rewritten as
>
>   127.0.0.1:12345 - 127.0.0.1:3128
>
> Is it possible to achieve this with iptables? I can do the
> destination rewriting just fine (using REDIRECT in the OUTPUT chain),
> but to rewrite the source, I need to use SNAT (I think), which is
> only valid in POSTROUTING, and by that point in time it's too late.

try to fwmark the packages when REDIRECTing and use the mark on
POSTROUTING to SNAT too. Just off the top of my head.

Regards, David

-- 
- hello... how are you today?
- *cough* fine *snort* *wheeze*
- thank god we communicate over a septic medium ;)
-- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15
Re: rewriting source and destination of local packets
On Wednesday, 23.03.2005 at 11:06 +0100, martin f krafft wrote:
> I want to rewrite source and destination sockets of locally generated
> packets. Specifically, packets with the following pair
>
>   1.2.3.4:12345 - 8.7.6.5:80
>
> should be rewritten as
>
>   127.0.0.1:12345 - 127.0.0.1:3128
>
> Is it possible to achieve this with iptables? I can do the
> destination rewriting just fine (using REDIRECT in the OUTPUT chain),
> but to rewrite the source, I need to use SNAT (I think), which is
> only valid in POSTROUTING, and by that point in time it's too late.

Knowing your motivation might be useful ... why do you want to do this?

Dave.
-- 
Please don't CC me on list messages!
...
Dave Ewart - [EMAIL PROTECTED] - jabber: [EMAIL PROTECTED]
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
Re: rewriting source and destination of local packets
also sprach David Schmitt [EMAIL PROTECTED] [2005.03.23.1222 +0100]:
> try to fwmark the packages when REDIRECTing and use the mark on
> POSTROUTING to SNAT too.

As I said, POSTROUTING is too late.

-- 
during the voyage of life, remember to keep an eye out for a fair
wind; batten down during a storm; hail all passing ships; and fly your
colours proudly!
Re: rewriting source and destination of local packets
also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.23.1301 +0100]:
> Knowing your motivation might be useful ... why do you want to do
> this?

Have squid transparently proxy connections made by the local machine...
without having to configure every single HTTP client with proxy
settings.

-- 
one's profession is a bulwark behind which one may legitimately
retreat when doubts and worries of a general kind assail one.
                                                 - friedrich nietzsche
Re: rewriting source and destination of local packets
On Wednesday 23 March 2005 14:26, martin f krafft wrote:

Hi all,

> Have squid transparently proxy connections made by the local
> machine... without having to configure every single HTTP client with
> proxy settings.

Using firehol + transparent_proxy directive is completely transparent
here for me (no need to change anything on clients)
http://firehol.sourceforge.net/commands.html?#transparent_proxy

Martin you should try firehol and then you will never do filtering
rules without it :) It's amazing.
http://packages.debian.org/testing/net/firehol

Cheers
-- 
Igor Genibel
Non bene pro toto libertas venditur auro
Freedom is not sold for all the gold in the world.
Dubrovnik motto
Re: rewriting source and destination of local packets
also sprach Igor Genibel [EMAIL PROTECTED] [2005.03.23.1533 +0100]:
> Using firehol + transparent_proxy directive is completely transparent
> here for me (no need to change anything on clients)

Does it also work for local connections on the squid machine itself?
Try it:

  apt-get install libwww-perl
  HEAD debian.org | grep -q '^X-Cache' && echo works fine.

> Martin you should try firehol and then you will never do filtering
> rules without it :) It's amazing.

Not for me. I understand iptables and prefer to use it directly,
rather than through a wizard for the same reason that I prefer Debian
over other distros.

-- 
the pure and simple truth is rarely pure and never simple.
                                                        -- oscar wilde
Re: rewriting source and destination of local packets
On Wednesday, 23.03.2005 at 14:26 +0100, martin f krafft wrote:
> also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.23.1301 +0100]:
> > Knowing your motivation might be useful ... why do you want to do
> > this?
>
> Have squid transparently proxy connections made by the local
> machine... without having to configure every single HTTP client with
> proxy settings.

I don't quite understand why you want to change the *source* address
too, in this situation. It seems like you're trying to SNAT the
machine's interface IP address to 127.0.0.1? Why?

Dave.
Re: rewriting source and destination of local packets
On Wednesday 23 March 2005 15:56, martin f krafft wrote:
> also sprach Igor Genibel [EMAIL PROTECTED] [2005.03.23.1533 +0100]:
> > Using firehol + transparent_proxy directive is completely
> > transparent here for me (no need to change anything on clients)
>
> Does it also work for local connections on the squid machine itself?
> Try it:
>
>   apt-get install libwww-perl
>   HEAD debian.org | grep -q '^X-Cache' && echo works fine.

Yes, it doesn't work but I think it is quite normal for a normal use of
a firewall/proxy where no user has to connect on and do http requests :)

> > Martin you should try firehol and then you will never do filtering
> > rules without it :) It's amazing.
>
> Not for me. I understand iptables and prefer to use it directly,
> rather than through a wizard for the same reason that I prefer Debian
> over other distros.

I understand iptables too, but for me it is time wasting redoing rules
from scratch every time I have to set up filtering rules. And it is
also why I use debian for all these pieces of software that make me
feel better and allow me to concentrate myself on other problems :)

Everyone can find his way of computing with Debian :)

-- 
Igor Genibel
Re: rewriting source and destination of local packets
also sprach Igor Genibel [EMAIL PROTECTED] [2005.03.23.1615 +0100]:
> Yes, it doesn't work but I think it is quite normal for a normal use
> of a firewall/proxy where no user has to connect on and do http
> requests :)

I surely do not need a whole other layer for firewall building to set
up transparent proxying for clients. Note that my question was about
local packets in the first place.

-- 
ah, but a man's reach should exceed his grasp, or what's a heaven for?
                                                    -- robert browning
Re: rewriting source and destination of local packets
also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.23.1602 +0100]:
> I don't quite understand why you want to change the *source* address
> too, in this situation. It seems like you're trying to SNAT the
> machine's interface IP address to 127.0.0.1? Why?

So I can restrict squid to source IP 127.0.0.1, rather than having to
`http_access allow all`, which is surely not what I want.

-- 
* Overfiend came out of the womb complaining.
                                                       -- #debian-devel
Re: rewriting source and destination of local packets
also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.23.1709 +0100]:
> acl thishost 1.2.3.4/255.255.255.255 (or whatever it's public IP is -
> I don't have the

It's a dynamic IP. So short of script-editing squid.conf, iptables is
the only way.

-- 
everything should be made as simple as possible, but not simpler.
                                                    -- albert einstein
Re: rewriting source and destination of local packets
On Wednesday, 23.03.2005 at 18:39 +0100, martin f krafft wrote:
> also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.23.1709 +0100]:
> > acl thishost 1.2.3.4/255.255.255.255 (or whatever it's public IP is
> > - I don't have the
>
> It's a dynamic IP. So short of script-editing squid.conf, iptables is
> the only way.

I'm still convinced that's the wrong way to do it, even with a dynamic
IP. Maybe someone else will chip in and suggest an alternative ...

Dave.