[rhn-users] transparent proxy plus ssl plus multihomed plus iptables HELP

Tuzito Murillo tuzito at gmail.com
Wed Aug 23 18:05:58 UTC 2006


I have a particular problem.

I have this

a) Server 1: RH 4.0 on an HP ProLiant
1 NIC 200.78.x.2 as the external NIC, with a dedicated connection to
the Internet via E1 (T1)
1 NIC 192.168.x.2 as the internal NIC for the LAN


b) Cisco PIX 501 firewall acting as a router connected to an MPLS connection
1 NIC 192.168.x.8

c) The LAN 192.168.x.x with approx. 50 users using Windows XP Professional


Currently I have a transparent proxy set-up with iptables via squid,
without problems.
I have these rules in iptables (81 is the port of my squid):

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 81
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE




But I need to access some SSL web pages from within the LAN at another
office in another city, and this can only be done via the Cisco PIX
501 (see b).

I tried adding a route:

/sbin/route add -net 140.85.x.0 netmask 255.255.252.0 gw 192.168.x.8

since the sites I want to access via the PIX are in this IP range, but it
doesn't work with the transparent proxy.

I added the squid proxy IP in the SSL section of the browser on a workstation,
and it works.

So I want to know how I can reroute some IP addresses that I cannot
reach via the Internet but only via the PIX 501, and make that transparent for
the users. I use DHCP, and I don't want to mess with manual
configuration per machine, since I have some laptops too.
I only have problems with SSL connections; I want to resolve this.

I also tried this, but it doesn't work:
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 443 -j REDIRECT --to-port 81


Please Help.
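The set-up the post describes, as an added worked example (it is not code from the post, from Red Hat or from squid): a dry-run script that prints the route and iptables rules for a Linux gateway that intercepts LAN HTTP into squid but sends the 140.85.x.0/22 network to the PIX instead of out the Internet link. The "X" octets are placeholders for the poster's real addresses; the interface names eth0/eth1 and the dry-run variables IPTABLES and ROUTE are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: print (dry run) the route and
# iptables rules for a gateway that proxies LAN HTTP through squid but
# routes one destination network to the PIX. "X" octets are placeholders
# for the poster's real addresses; interface names are assumptions.

EXTIF="${EXTIF:-eth0}"                 # assumed: Internet NIC (200.78.x.2)
INTIF="${INTIF:-eth1}"                 # assumed: LAN NIC (192.168.x.2)
PIX_GW="${PIX_GW:-192.168.X.8}"        # PIX inside address, from the post
PIX_NET="${PIX_NET:-140.85.X.0}"       # network reachable only via the PIX
PIX_MASK="${PIX_MASK:-255.255.252.0}"  # /22, as in the post's route command
SQUID_PORT="${SQUID_PORT:-81}"

# Dry run by default: the commands are printed, not executed. To apply them
# on the gateway, run with IPTABLES=/sbin/iptables ROUTE=/sbin/route.
IPTABLES="${IPTABLES:-echo iptables}"
ROUTE="${ROUTE:-echo route}"

# The gateway's own route to the PIX network (the post's /sbin/route line).
add_pix_route() {
    $ROUTE add -net "$PIX_NET" netmask "$PIX_MASK" gw "$PIX_GW"
}

# nat table: traffic for the PIX network must be routed, not proxied, so it
# is ACCEPTed (nat processing ends for the packet) before the port-80
# REDIRECT can match. There is deliberately no rule for port 443: squid's
# http_port speaks plain HTTP, so redirecting TLS connections into it
# cannot work, which is why the post's --dport 443 attempt failed.
nat_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$INTIF" -d "$PIX_NET/$PIX_MASK" -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# filter table: LAN-to-PIX packets arrive on INTIF and leave on INTIF again
# (a hairpin). The post's INTIF->EXTIF rule never matches them, so with a
# DROP policy they need their own ACCEPT. Replies from the far office come
# back through the PIX straight to the client, so the gateway sees only one
# direction of this flow and cannot rely on conntrack state for it.
forward_rules() {
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$INTIF" -d "$PIX_NET/$PIX_MASK" -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
}

all_rules() {
    add_pix_route
    nat_rules
    forward_rules
}

all_rules
```

Run it as is to review the generated commands; set IPTABLES and ROUTE to the real binaries to apply them. Two things to keep in mind when verifying: the exclusion rule must stay ahead of the REDIRECT in nat PREROUTING, and because the gateway forwards these packets back out the LAN interface, a Linux kernel with send_redirects enabled (the default) will also send ICMP redirects pointing clients at 192.168.x.8 directly, so test from a client that has not already cached such a redirect.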



