Traffic redirection question

Forum: LXer Meta Forum
Total Replies: 5
techiem2

Nov 25, 2009
9:34 PM EDT
This is probably a simple question for those of you more experienced in traffic direction and protocols than I am. :P

Due to an...adventure...with Comcast Monday that I won't go into in depth (let's just say I currently have a strong dislike for L1 techs working the Network Security line that aren't trained enough to understand a simple abuse complaint email....)...I've realized it's time to lock down the church/school firewall.

That of course was easy enough (I'm using gentoo with Shorewall).

There's one thing I'd like to do, but I'm not sure if the protocols, etc. allow it: We have Dansguardian running as a filter on the firewall. Normal http requests are transparently proxied through it if the machine isn't already configured to use the proxy. The problem, of course, is SSL, which can't be transparently proxied. So currently I have access to SSL open (since it's kinda needed for lots of things).

What I'm wondering is, can I have requests to port 443 that are not going through the proxy redirected to a locally running httpd that would just display a message telling them they need to configure their browser to use the proxy (basically set up a redirect like the one set for normal http, but it would be to a normal httpd rather than a proxy)?

That way I could lock down SSL as well so we wouldn't have to worry about someone finding an SSL proxy and completely bypassing the filters. And I wouldn't have to worry about getting all sorts of "I can't get to hotmail/gmail/etc" complaints and having to figure out if they are using the proxy or not if I locked it down without an informative message. :P

Thanks!
Sander_Marechal

Nov 26, 2009
4:32 AM EDT
Sure, it's possible. Using plain ipfilters it shouldn't be hard to route all port 443 traffic to a destination of your choice. But I have no idea how to set that up in Shorewall.
techiem2

Jul 31, 2011
5:44 PM EDT
Talk about resurrecting old threads...I guess the spambots were having fun in the archives again? But since this thread is up, I did actually take a crack at this idea and tried redirecting https to another server. The problem was that the connection stayed https (logical) when redirected, causing the browser to go into "warning warning someone is h4x0ring you!" mode.
gus3

Jul 31, 2011
6:36 PM EDT
An inadvertent man-in-the-middle attack. I love it!
techiem2

Jul 31, 2011
7:14 PM EDT
Basically yeah.

So to have this actually work, you'd have to do a redirect and somehow force it out of https mode (maybe redirect to an apache instance without ssl enabled? hmm).
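Added example (not from any poster in this thread): a small simulation of what happens when a browser that asked for https://mail.example.com/ is redirected at the firewall to a plain, non-SSL httpd. The client speaks TLS first, so the httpd receives a binary ClientHello instead of an HTTP request line, and whatever it answers breaks the client's handshake; redirecting to a TLS-enabled httpd fails for the same reason, because the certificate it presents is not the one the browser asked for. The hostname and the loopback server are constructed for the demo.

```python
import socket
import ssl
import threading

# What a non-SSL Apache would answer to anything it can parse (constructed reply).
PLAIN_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def plain_httpd_once(listener: socket.socket, seen: list) -> None:
    """Accept one connection like a non-TLS httpd and record the first bytes received.
    A real Apache logs this as a 400 with a request line such as "\\x16\\x03\\x01"."""
    conn, _ = listener.accept()
    with conn:
        seen.append(conn.recv(4096))
        conn.sendall(PLAIN_REPLY)  # plaintext where the client expects a ServerHello


def https_client(port: int, hostname: str) -> bool:
    """Behave like a browser that requested https://hostname/ but was DNAT'ed to
    127.0.0.1:port. Returns True only if the TLS handshake completes."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except (ssl.SSLError, ConnectionError):
        return False  # the browser shows this as a security warning


def simulate_redirect(hostname: str = "mail.example.com"):
    """Run the redirected client against a loopback plain httpd; return
    (first bytes the httpd saw, whether the client's handshake succeeded)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = []
    server = threading.Thread(target=plain_httpd_once, args=(listener, seen))
    server.start()
    handshake_ok = https_client(port, hostname)
    server.join()
    listener.close()
    return seen[0], handshake_ok


if __name__ == "__main__":
    first_bytes, ok = simulate_redirect()
    print("httpd saw a TLS ClientHello:", looks_like_tls_client_hello(first_bytes))
    print("client handshake succeeded:", ok)
```

The only thing the firewall can do with a non-proxied 443 connection is drop or reject it; the explanatory page has to be delivered some other way, such as over the plain-http redirect the filter already performs.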
meidolala

Jun 07, 2012
10:31 AM EDT
Answer incoming customer calls and provide technical assistance to activate service. Provide technical assistance during coordinated customer maintenance window to upgrade, downgrade, or implement complex routing changes cisco firewall router.
