Monday, February 26. 2007
Short tip: Transparent local proxy with iptables and squid
I live in a dormitory where I get cheap and fast internet access, but HTTP only through a proxy. It's a pity to set this up in all apps every time I come here and disable it again when I want to get online somewhere else, because there's no centralized point to do so (there are many apps out there that just ignore the http_proxy env var).
Now, it wasn't possible to directly forward HTTP requests to the dormitory proxy, because it lacks some options required for that. Maybe it's possible with more iptables skills; it would require HTTP header rewriting.
My solution was setting up a local squid, forwarding requests via iptables to that and configuring the dormitory proxy as a parent. I found that there's a lot of documentation out there, but also lots of outdated stuff (squid configuration options changed significantly) and stuff you won't understand if you aren't a proxy guru.
Now, some lines in my squid.conf:
http_port 7777 transparent
visible_hostname 127.0.0.1
acl local src [myip]/255.255.255.255
http_access allow local
cache_peer proxy.mynetwork.com parent 3128 3130 proxy-only
The first line enables the options required for transparent HTTP interception and sets the listening port to 7777 (it can be anything that doesn't collide with a service you might run). visible_hostname is required; use something that resolves to localhost. The acl and http_access lines restrict access to your own address, so requests from other hosts are denied, and finally cache_peer sets the upstream proxy (replace proxy.mynetwork.com with whatever your network proxy is).
Besides that, there's a line starting with hierarchy_stoplist; you need to comment it out, or URLs with GET variables won't work.
Now, for the iptables part, it's pretty simple:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:7777
I've now added squid to my default runlevel; it doesn't take that long to start. My network setup scripts contain the above iptables line for the dormitory, and the squid is just ignored elsewhere. One problem I haven't debugged enough to know the cause of is that sometimes it seems unable to deliver POST variables, e.g. the function search on php.net doesn't work.
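The iptables line above wrapped in an up/down script for network setup scripts, as an added example that is not from the original post. It assumes squid listens on 127.0.0.1:7777 as configured above and runs as the user "squid", and that iproute2's ss is installed; the owner match is a real iptables module but goes beyond the post's rule, so that squid's own direct connections are not redirected back into itself.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the post's iptables
# DNAT rule in an up/down script. Assumptions: squid listens on 127.0.0.1:7777
# and runs as user "squid"; the 'ss' utility (iproute2) is installed.
# DRY_RUN=1 prints the iptables commands instead of running them.
SQUID_PORT=${SQUID_PORT:-7777}
SQUID_USER=${SQUID_USER:-squid}
DRY_RUN=${DRY_RUN:-0}

# The post's rule plus an owner match that exempts squid's own outgoing
# connections. Without it, any port-80 request squid sends directly (for
# example when the parent proxy is unreachable) is DNATed back into squid,
# producing a forwarding loop.
rule_spec() {
    echo "OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $SQUID_USER" \
         "-j DNAT --to-destination 127.0.0.1:$SQUID_PORT"
}

ipt() {  # $1 is -A or -D; the rest of the rule comes from rule_spec
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t nat $1 $(rule_spec)"
    else
        iptables -t nat "$1" $(rule_spec)   # unquoted: each word is one argument
    fi
}

squid_listening() {
    ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$SQUID_PORT[[:space:]]"
}

proxy_down() { ipt -D 2>/dev/null || true; }   # tolerate "no such rule"

proxy_up() {
    # Refuse to redirect port 80 into a socket nobody listens on: that would
    # silently break all plain HTTP instead of merely bypassing the proxy.
    if [ "$DRY_RUN" != 1 ] && ! squid_listening; then
        echo "squid is not listening on 127.0.0.1:$SQUID_PORT, not redirecting" >&2
        return 1
    fi
    proxy_down   # remove a stale copy first so the rule is never duplicated
    ipt -A
}

case "${1:-}" in
    up)   proxy_up ;;
    down) proxy_down ;;
    *)    [ $# -eq 0 ] || { echo "usage: $0 up|down" >&2; exit 1; } ;;
esac
```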
For your info, my system is Gentoo Linux with squid 2.6.9, iptables 1.3.7 and kernel 2.6.20.
Tales from an admin's day
We got a huge trackback spam DDoS over the last few days that caused our servers to be unavailable for some hours, most probably caused by some botnet. That's really a pain; you're so defenseless against that kind of threat. Filtering them is like trying to stop ants from entering your house by closing their entrance holes.
But anyway, I decided to write some abuse mails to the contacts of some of the source IPs. I even got ONE reply (from Neighbourhood Cable; if you're looking for an ISP in Australia, have a look at them, they must be good). I also got this:
<k55k559@bora.net|/webmail/mbox5/bora.net/961/k55k559|2|204800|209715200|99999999|99999999|>:
Recipient's maiilbox is full, message returned to sender, (#5.2.2) [7mallot:(209715200), usage:(209874944) [0m
<saehym@bora.net|/webmail/mbox0/bora.net/865/saehym|2|51200|58454016|99999999|99999999|>:
Recipient's maiilbox is full, message returned to sender, (#5.2.2) [7mallot:(52428800), usage:(58474496) [0m
Now, who in the world gives IPs out to people who aren't able to configure their mailboxes? Boranet, the source of that, seems to belong to the company LG, which also produces hardware. Maybe an interesting fact when you buy your next CD burner.
Sunday, February 11. 2007
Best viewed with any browser?
Now, if you've been on the internet a bit longer, you may remember those sites at the end of the 90s telling you that they're "best viewed with a resolution of 1024x768 and the Microsoft Internet Explorer version 6.0". Luckily, most of those pages disappeared with the upcoming success of Mozilla Firefox and others (oh, there are still some, e.g. the cinema in my home town, but IE6 runs on Wine).
As you may know, I'm a happy KDE user and have been using Konqueror as my everyday browser for some time now. Recently, I discovered more and more pages I couldn't use any more. I had to start this thing called Firefox. I don't like it, but that is not the point here.
I even noticed today that eBay has a new interface that Konqueror doesn't like.
This is a result of the more and more upcoming AJAX/JavaScript stuff, which is often nice; I saw a lot of well-designed web applications lately (ok, I saw a lot of crap, too). I'm not enough into JavaScript to know if it's the lack of support by Konqueror or the pages. I just hope that people will come together and find solutions for that. I remember that there was some discussion about using WebCore (the KHTML fork used by Apple's Safari) for Konqueror; I don't know if that would make it better, maybe some users of this DRM-crippled system could comment on that.
Posted by Hanno Böck in Code, English, Gentoo, Linux, Webdesign at 00:42