As a new user of XG Firewall Home Edition I'm having a hard time understanding where/how to translate and insert the following iptables rules in the UI:
# Route all HTTP traffic to Squid listening on 10.10.10.8:3128
iptables -t nat -I PREROUTING -p tcp -d y.y.y.y --dport 80 -j DNAT --to-destination 10.10.10.8:3128
# Route all HTTPS traffic to Squid listening on 10.10.10.8:3129
iptables -t nat -I PREROUTING -p tcp -d y.y.y.y --dport 443 -j DNAT --to-destination 10.10.10.8:3129
My XG Firewall is located at 10.10.10.1 and what I want to do is basically route all HTTP/HTTPS traffic from LAN (10.10.10.0/24) to my Squid proxy listening on 10.10.10.8. I did try using the Upstream Proxy (Routing > Upstream Proxy) but somehow the connection speed dropped significantly and it only worked for HTTP.
Thanks in advance.
Hi,
This isn't an answer but a question: why, as a home user, do you need to use an additional web proxy rather than the inbuilt XG version?
Also the upstream proxy is meant for one outside your network.
Ian
XGS118 - v21.5.0
XG115 converted to software licence v21.5.0
If a post solves your question please use the 'Verify Answer' button.
Hi Ian,
The reason is that this is my home lab setup and I like to experiment with different things. I did try using the built-in web proxy but honestly I can't see any difference, and since I don't have control over its configuration, like I do with Squid, I can't tune it to my preferences.
As such, I'm still interested in knowing how to translate those iptables routes to have them work with the XG Firewall.
Thanks.
You could simply use V18 Policy Based Routing, this will route everything towards your Squid.
Doing stuff on iptables will likely be overwritten by the core system and hence is not the preferred way.
__________________________________________________________________________________________________________________
Hi LuCar Toni,
Thanks for the reply. I found https://community.sophos.com/kb/en-us/123579 and will give it a try.
Following the KB article I created the specific Gateway for Squid:
Then created a new SD-WAN policy routing:
But I don't see any traffic going through Squid and I'm also unable to access the internet. I do see the following entry in the Log Viewer:
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="" in_display_interface="" out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="10.10.10.3" src_country="" dst_ip="172.217.0.35" dst_country="USA" protocol="TCP" src_port="56161" dst_port="80" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Could not associate packet to any connection." appresolvedby="Signature" app_is_cloud="0"
It's worth mentioning that I do have a LAN to WAN firewall allow rule and everything works when the SD-WAN policy is turned off.
I feel that I'm close but I still need your help, as I can't figure out how to make it work.
Thanks in advance.
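The Log Viewer entry quoted above is in the XG key="value" format. As an added example (not part of this thread or of Sophos' own tooling), here is a small parser for that format plus a few checks that pull out the symptoms a practitioner would look at first: the packet matched no existing connection, no NAT rule translated it (nat_rule_id="0", empty dst_trans_ip) and no firewall rule matched. The sample lines are constructed copies trimmed to the fields the checks use; the "healthy" second line is an assumption of what a translated connection would look like.

```python
import re
from typing import Dict, List

# Constructed, trimmed copy of the Log Viewer entry quoted in the post above.
DENIED_LINE = (
    'messageid="01001" log_type="Firewall" log_component="Invalid Traffic" '
    'log_subtype="Denied" status="Deny" fw_rule_id="N/A" nat_rule_id="0" '
    'ether_type="IPv4 (0x0800)" src_ip="10.10.10.3" dst_ip="172.217.0.35" '
    'protocol="TCP" src_port="56161" dst_port="80" dst_trans_ip="" '
    'dst_trans_port="0" message="Could not associate packet to any connection."'
)

# Constructed (assumed) shape of a line where a NAT rule did rewrite the
# destination to the Squid listener and a firewall rule allowed it.
TRANSLATED_LINE = (
    'messageid="01001" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" fw_rule_id="3" nat_rule_id="2" '
    'src_ip="10.10.10.3" dst_ip="172.217.0.35" protocol="TCP" '
    'src_port="56161" dst_port="80" dst_trans_ip="10.10.10.8" '
    'dst_trans_port="3128" message=""'
)

# Each field is key="value"; values may be empty or contain spaces/parentheses.
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_xg_log(line: str) -> Dict[str, str]:
    """Split one XG log line into a dict of its key="value" fields."""
    return {key: value for key, value in _KV.findall(line)}


def diagnose(fields: Dict[str, str]) -> List[str]:
    """Return short tags for the symptoms visible in a parsed log entry."""
    findings = []
    if (fields.get("log_component") == "Invalid Traffic"
            and fields.get("message", "").startswith("Could not associate packet")):
        findings.append("state-table-miss")   # packet belongs to no tracked connection
    if fields.get("nat_rule_id", "0") == "0" and not fields.get("dst_trans_ip"):
        findings.append("no-dnat")            # destination was never rewritten
    if fields.get("fw_rule_id") in ("N/A", "0", ""):
        findings.append("no-fw-rule")         # no allow rule matched the packet
    return findings


if __name__ == "__main__":
    for line in (DENIED_LINE, TRANSLATED_LINE):
        f = parse_xg_log(line)
        print(f["src_ip"], "->", f["dst_ip"], f["dst_port"], diagnose(f))
```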
Shouldn't this be done by a simple NAT rule? But do you want to force a client to use a proxy?
__________________________________________________________________________________________________________________
LuCar Toni said: Shouldn't this be done by a simple NAT rule? But do you want to force a client to use a proxy?
Thanks LuCar Toni, can you describe how one would do this simple NAT? Your previous suggestion of "simply use V18 Policy Based Routing" didn't really work and I didn't get any follow up from you on that recommendation.
Thanks in advance.
I am not quite sure what you are trying to achieve. Do you want to force the client to communicate with a parent proxy?
As your log indicates, the traffic will be dropped as the client closes the connection for whatever reason.
So maybe your goal is not doable at all? I mean, forcing the client to communicate with a proxy by simply rerouting the traffic is not possible.
Clients expect to talk to a specific hostname / certificate after all. If the client gets a proxy after rerouting the traffic, this will probably be closed by the client.
__________________________________________________________________________________________________________________
LuCar Toni said: I am not quite sure what you are trying to achieve. Do you want to force the client to communicate with a parent proxy?
As your log indicates, the traffic will be dropped as the client closes the connection for whatever reason.
So maybe your goal is not doable at all? I mean, forcing the client to communicate with a proxy by simply rerouting the traffic is not possible.
Clients expect to talk to a specific hostname / certificate after all. If the client gets a proxy after rerouting the traffic, this will probably be closed by the client.
Thanks for the reply but your answer is actually not correct regarding how proxies work.
A transparent proxy intercepts and answers the requests of the browser, so the browser receives the requested pages without knowing where they are coming from. As the name indicates, the entire process is transparent to the end user.
Why would someone choose to implement a transparent proxy, you may ask? It could be for caching content for all users on the network; it could be for enforcing that all egress traffic goes over a minimum TLS version; it could be used in businesses to enforce an acceptable use policy, etc. Yes, I'm aware that many of these aspects are already supported by XG Firewall through TLS inspection, Web Policies, etc.
If we leave the caching aspect out of this question for a second, is XG Firewall unable to perform the simple traffic routing I listed previously? As a matter of fact, this simple routing is doable on nearly every Linux-based OS by using something like iptables or firewalld, for example, which I have used quite successfully in the past.
In addition, through NAT/DNAT as it currently stands in XG, there isn't a way to specify the destination port/s of the host, and if that was configurable, I believe this should solve the problem. Perhaps it's a bug/feature request?
Hi,
if you want to force everything through the XG proxy, set up a proxy.pac file to change the browser's default proxy port to 3128 (or something else, which you can change on the XG), or just use a firewall rule with HTTP/S and tick the proxy box and no other ports.
Ian
So you need an SD-WAN rule to route the traffic to the interface, if needed.
You need a NAT rule to translate the traffic to the destination and change the port.
You need a firewall rule to allow the translated traffic.
Afterwards you need to verify via tcpdump that your traffic is translated and uses the correct interface.
You could verify this via conntrack as well.
PS: Everything you ask for, an XG can achieve in terms of web caching. There would be no need to use an old proxy technology.
The Internet is moving to TLS1.3.
About Caching:
https://www.senki.org/transparent-web-caching-dead/
This is kinda old but still true, talking about TLS1.3 etc.
__________________________________________________________________________________________________________________