# forwarding port 80 to 8080 on local machine [SOLVED]

## mikegpitt

Edit:

Original title: forwarding one port to another via shorewall

Solution: As discussed below, it is impossible to forward http traffic in this manner on a machine with one ethernet card.  Instead the http_proxy var must be used.

Original post:

I'm having a very hard time trying to get shorewall to forward port 80 traffic to port 8080 on the local machine.  

The whole setup is that I want to forward all web traffic to port 8080 (which is running dansguardian).  This traffic is automatically forwarded to squid (port 3128), and goes out to the internet.

With shorewall off, things work perfectly when setting firefox to use the proxy 127.0.0.1:8080, however when trying to get this to work via shorewall all traffic seems to get rejected.

Here are my config files (note machine has only 1 ethernet card, eth1):

/etc/shorewall/interfaces:

```
net     eth1            detect          dhcp,nosmurfs
```

/etc/shorewall/zones:

```
fw      firewall
net     ipv4
```

/etc/shorewall/policy:

```
fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
```

/etc/shorewall/rules:

```
REDIRECT  net           8080            tcp      www
ACCEPT    fw            net             tcp      www
```

A few weird things:

1) When I take the line "fw   net   ACCEPT" out of my policy, all internet goes down, even though I have the line  "ACCEPT    fw            net             tcp      www" in my rules.  Why would this be?

2) In the shorewall docs, it does the REDIRECT in the rules file, not through net, but through loc.  What is loc?  It seems like some configurations that have it also have more than 1 network card, which obviously won't help in my case.

Can anyone help?

Last edited by mikegpitt on Tue Feb 06, 2007 7:36 pm; edited 2 times in total

----------

## Fukai

for loc add this to /etc/shorewall/interfaces

```
loc lo -
```

and this to zones

```
loc ipv4
```

And you can use this to redirect in rules

```
REDIRECT        loc      80         tcp     8080    -
```

This does an 8080->80 redirect for the traffic coming from the loopback interface.

EDIT: uhh, look, you need an 80->8080 redirect, so change the args in REDIRECT

----------

## mikegpitt

Still no luck.

I added this to interfaces:

```
loc lo -
```

I added this to zones:

```
loc ipv4
```

I also tried just this:

```
loc -
```

I tried both these lines in rules:

```
REDIRECT        loc      80         tcp     8080    -
```

and...

```
REDIRECT        loc      8080         tcp     80    -
```

I believe the second one is what I want (redirect port 80 traffic to 8080).

I messed with various combinations and the traffic doesn't appear to be forwarding.

BTW - Question #1 from my first post seems to have sorted itself out.

----------

## Fukai

When you say it is rejected, does something appear in the shorewall log?

----------

## mikegpitt

*Fukai wrote:*

> When you say it is rejected, does something appear in the shorewall log?

It is weird.  When I have this line in my policy:

```
fw              net             ACCEPT
```

Nothing is rejected, but the traffic going to port 80 doesn't seem to be redirected either.

When I take that line out, then I receive things like this in my log:

```
Feb  5 12:51:28 localhost Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.107 DST=151.197.0.38 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62040 DF PROTO=UDP SPT=32771 DPT=53 LEN=40
```

Now... this somewhat makes sense to me, because I guess by default everything is being blocked.  What doesn't make sense is that when I add this line in my rules, things are still blocked.

```
ACCEPT    fw            net             tcp      www
```

I'm really stuck with all this.  I have tried MANY different combinations of rules and either no redirection happens, or I have no internet.

----------

## mikegpitt

Well, after reading some shorewall docs, I'm thinking that maybe I don't need the loc zone.  Apparently loc is for machines that have 2 network interfaces, and have an internal network zone (like a LAN) and an external zone, in front of the firewall, i.e. the internet.

I still can't get the REDIRECT rules to work.  It seems that it is trying to append this to the iptables chain:

```
/sbin/iptables -t nat -A net_dnat -p tcp -d 127.0.0.1/24 --dport 80 -j REDIRECT --to-port 8080
```

That rule seems to make sense, so I suppose elsewhere in my config something is preventing the machine from forwarding.

BTW - This is my current policy:

```
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
$FW             net             ACCEPT
net             $FW             DROP            info
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
```

----------

## jpl888

Ok so am I right in thinking you have just one machine (which is the firewall) that you want to transparently proxy for?

If so, that will never work. When you tell Shorewall to redirect port 80 to 8080 the traffic will just go into a vicious loop and never actually go anywhere.

I will illustrate my point.

Traffic comes in from the firewall on port 80, gets redirected to port 8080, which is Dansguardian. Dansguardian does its thang and passes the traffic on to squid on port 3128. Squid does its thang and tries to actually request the web page on port 80 from the firewall.

Hence the traffic goes back into the REDIRECT chain and does the whole thing over and over again.

Get it?

Your only options are to either go direct OR tell your machine about the proxy via the "http_proxy" and "ftp_proxy" environment variables.

----------

## mikegpitt

Ok, now it's starting to make more sense... I feel like an idiot for wasting so much time on the firewall conf.  Live and learn.

Now onto http_proxy.

As suggested by this guide: http://gentoo-wiki.com/Http_proxy  I created the file /etc/env.d/99local, put in the http_proxy var, and ran env-update && source /etc/profile.

```
# echo $http_proxy
http://127.0.0.1:8080
```

The only problem is that it doesn't work!  I am trying this via the links text browser since I'm not in front of the machine at the moment.

EDIT: This may be a links specific problem.  I found this on the net:

```
Warning: links is a notable exception here. It does not honor the http_proxy environment variable! However, you can add http_proxy 127.0.0.1:8118 to your /etc/links.cfg and/or to your ~/.links/links.cfg. Or go to Setup -> Network Options and do the same there. Or use the -http-proxy 127.0.0.1:8118 command line option.
```

EDIT2:  I was able to verify with wget.  It works! Now hopefully it works with firefox as well when I get in front of the machine.
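Whether a program picks up the proxy from the environment is up to that program, as the links note above shows. To make the convention concrete, here is a small resolver, added as an example and not part of mikegpitt's post or of any of the tools discussed: it applies the http_proxy / https_proxy / no_proxy rules a well-behaved client follows and validates the setting, accepting both the URL form written to /etc/env.d/99local and the bare host:port form the links.cfg snippet uses. The environment dicts and URLs it is exercised with are constructed.

```python
from urllib.parse import urlsplit


def parse_proxy(value):
    """Turn an http_proxy value such as 'http://127.0.0.1:8080', or the bare
    '127.0.0.1:8118' form that links.cfg wants, into (host, port).
    Raises ValueError for anything a client could not connect to."""
    if "://" not in value:
        value = "http://" + value          # links-style host:port, assume http
    parts = urlsplit(value)
    if not parts.hostname or parts.port is None:
        raise ValueError(f"unusable proxy setting: {value!r}")
    return parts.hostname, parts.port


def proxy_for(url, env):
    """Which proxy a client that honours the *_proxy variables would use for
    url, or None for a direct connection.  The lower-case variable is checked
    first, then the upper-case one; no_proxy is a comma-separated list of host
    names or domain suffixes, or '*' to bypass the proxy for everything."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    setting = env.get(f"{scheme}_proxy") or env.get(f"{scheme.upper()}_PROXY")
    if not setting:
        return None                        # no proxy configured for this scheme
    for entry in env.get("no_proxy", env.get("NO_PROXY", "")).split(","):
        entry = entry.strip().lower().lstrip(".")
        if not entry:
            continue
        if entry == "*" or host == entry or host.endswith("." + entry):
            return None                    # host is exempted from proxying
    return parse_proxy(setting)


if __name__ == "__main__":
    # Constructed environment mirroring the thread's setting.
    env = {"http_proxy": "http://127.0.0.1:8080", "no_proxy": "localhost,127.0.0.1"}
    for url in ("http://www.gentoo.org/", "https://www.gentoo.org/", "http://localhost/"):
        print(url, "->", proxy_for(url, env))
```

Note that only the scheme named by the variable is proxied: with http_proxy set and https_proxy unset, an https URL goes direct, so a filter that is meant to cover all web traffic needs both variables (and ftp_proxy, as jpl888 mentions) in the same file.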

----------

## michael105

Hi, 

Finally I found out how to enable transparent proxying with shorewall and squid on the same machine.

I'm not sure, however, if the solution is secure.

1. Create a tap interface with the address, e.g., 192.168.1.2

2. Order squid to use this address for all outgoing traffic, in squid.conf:

```
tcp_outgoing_address 192.168.1.2
```

3. Use the normal REDIRECT rule in rules:

```
REDIRECT fw	3128	tcp	www -
```

4. After starting shorewall, insert a rule into the nat table:

```
iptables -t nat -I OUTPUT 1 -p tcp -s 192.168.1.2 -j ACCEPT
```

UPDATE:

Discard point 4 - instead put the command below into the file /etc/shorewall/started

```
/sbin/iptables -t nat -I OUTPUT 1 -p tcp -s 192.168.1.2 -j ACCEPT
```

Michael
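The loop jpl888 describes and the exemption michael105 uses to break it both come down to first-match evaluation of the nat OUTPUT chain, which every locally generated packet traverses (a REDIRECT whose source zone is net lands instead in net_dnat, the PREROUTING-side chain seen in the iptables command quoted earlier, which packets originating on the box itself never reach). The following simulation is an added example, not code from this thread or from Shorewall; it models that chain with a few constructed rules and walks one request through the daemons named in the thread (dansguardian on 8080 handing to squid on 3128, squid fetching on port 80). The addresses are the host address from the log line in the thread, 192.168.1.107, and michael105's tap address 192.168.1.2; the listener table and packet shapes are assumptions for the model.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source address of the locally generated packet
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    target: str                    # "REDIRECT" or "ACCEPT"
    dport: Optional[int] = None    # --dport match, None = any port
    src: Optional[str] = None      # -s match, None = any source
    to_port: Optional[int] = None  # --to-port for REDIRECT

    def matches(self, pkt: Packet) -> bool:
        return (self.dport is None or pkt.dport == self.dport) and \
               (self.src is None or pkt.src == self.src)


def apply_chain(rules, pkt):
    """First matching rule wins, as in iptables.  ACCEPT in the nat table means
    'leave this chain without NAT'; no match falls through to the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "REDIRECT":
                return replace(pkt, dport=rule.to_port), "REDIRECT"
            return pkt, "ACCEPT"
    return pkt, "ACCEPT"


# Constructed listener table: a packet delivered to one of these ports makes the
# daemon open a fresh connection to the next hop.  Any other port leaves the box.
LISTENERS = {8080: ("dansguardian", 3128), 3128: ("squid", 80)}


def trace(rules, pkt, squid_src="127.0.0.1", max_hops=8):
    """Follow one request through the local daemons.  Returns (hops, verdict):
    'left host' once a packet is bound for a port nobody local listens on,
    'loop' if max_hops is exhausted first."""
    hops, current = [], pkt
    for _ in range(max_hops):
        natted, target = apply_chain(rules, current)
        hops.append((current.src, current.dport, target, natted.dport))
        if natted.dport not in LISTENERS:
            return hops, "left host"
        daemon, next_port = LISTENERS[natted.dport]
        # squid binds tcp_outgoing_address; dansguardian talks to squid over loopback
        next_src = squid_src if daemon == "squid" else "127.0.0.1"
        current = Packet(src=next_src, dport=next_port)
    return hops, "loop"


def proxied(rules, pkt):
    """True if this packet's first hop is redirected into the filter chain."""
    return apply_chain(rules, pkt)[1] == "REDIRECT"


BROWSER = Packet(src="192.168.1.107", dport=80)
REDIRECT_80 = Rule("REDIRECT", dport=80, to_port=8080)
EXEMPT_SQUID = Rule("ACCEPT", src="192.168.1.2")

LOOPING_RULES = [REDIRECT_80]                    # the thread's original setup
FIXED_RULES = [EXEMPT_SQUID, REDIRECT_80]        # michael105's '-I OUTPUT 1' placement
WRONG_ORDER_RULES = [REDIRECT_80, EXEMPT_SQUID]  # same rules, appended instead of inserted


def outcome(rules, squid_src):
    return trace(rules, BROWSER, squid_src)[1]


if __name__ == "__main__":
    for name, rules, src in (("looping", LOOPING_RULES, "127.0.0.1"),
                             ("fixed", FIXED_RULES, "192.168.1.2"),
                             ("wrong order", WRONG_ORDER_RULES, "192.168.1.2")):
        hops, verdict = trace(rules, BROWSER, src)
        print(f"{name:12s} {verdict:10s} {hops}")
```

Two things the trace makes visible: the exemption only breaks the loop when it sits before the REDIRECT, which is why michael105 inserts at position 1 rather than appending; and the exemption is keyed on a source address alone, so the filter is bypassed for any local process that binds 192.168.1.2, which is the doubt he raises about whether the setup is secure. Matching on the process owner instead (iptables' owner match, `-m owner --uid-owner` with squid's user, usable in the OUTPUT chain) ties the bypass to squid itself rather than to an address.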

----------

