Route traffic on a gateway through SSH tunnel

Adrian Chadd adrian at
Sun Apr 19 23:37:57 UTC 2009


2009/4/19 Steve Bertrand <steve at>:

> I have a Squid proxy/content filter at my office that I would like to
> route all 80/443 traffic from my home connection, through the proxy. The
> proxy and the termination point of my home connection are located in two
> different PoPs, within different ASs.

Eww. People still use Squid?

> My desire is to have this proxy-routing enabled within the network
> hardware, as to not need to set application layer details on the PC(s)
> at home.
> At this point, I have the FBSD (7.2) gateway device set up with an SSH
> tunnel. The local tunnel endpoint terminates on a LAN interface which
> utilizes 1918 space. It listens for traffic on, and
> forwards it to the proxyIP:8080. When I configure a workstation's
> Firefox to use as a proxy, everything works as expected.
> Now, I need to figure out a way so that the same setup will work, but
> with no proxy configured within Firefox.
> At this time, I'm recompiling the kernel on the gateway device to
> include IPFIREWALL_FORWARD. I'm going to try a fwd rule to pass all
> traffic destined to *:80 to, in hopes that the traffic
> will be first redirected to itself, and therefore through the SSH tunnel
> to the proxy.
> My past experience with this however, is that FBSD will complain that
> the dst IP doesn't reside on the box.
> Does anyone have any suggestions or comments they can share regarding
> such a setup?

Well, I'd first look at what you're doing with the "fwd" next-hop
rewriting. All ipfw fwd does is next-hop rewriting with an optional
redirect-to-local-socket-termination feature.

You need to redirect to a local squid or some other proxy which can do
the DNS lookups as required (if required!) and bounce the request

I'd suggest setting up Squid on your local CPE to handle the "ipfw fwd
any" redirection (and use http_port
transparent in squid.conf) and then configure squid with a parent
proxy (cache_peer, disable never_direct, etc) to talk exclusively to
your upstream proxy(ies).
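As an added example (not part of the thread, not Adrian's or Steve's code), this sketches the gateway-side pieces the reply describes: an ipfw fwd rule that steers the LAN's port-80 traffic into a local Squid in transparent mode, and a squid.conf fragment that sends every request to the office proxy through the local SSH tunnel endpoint via cache_peer and never_direct. Interface name, addresses and ports are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed placeholders throughout.
LAN_IF="em1"                # assumed inside (LAN) interface of the FreeBSD gateway
LAN_NET="192.168.1.0/24"    # assumed RFC 1918 LAN range
GW_LAN_IP="192.168.1.1"     # assumed gateway address on that LAN
SQUID_PORT="3128"           # local transparent Squid listener
TUNNEL_PORT="8081"          # local end of: ssh -f -N -L 127.0.0.1:8081:proxyIP:8080 user@office

# ipfw rule to append to the existing ruleset. Only traffic arriving on
# the LAN interface is matched, so Squid's own outbound connections (to
# 127.0.0.1:$TUNNEL_PORT) never loop back into the fwd rule. Only port 80
# is intercepted: intercepted TLS on 443 cannot simply be handed to an
# HTTP parent proxy this way.
ipfw_rules() {
    cat <<EOF
add 100 fwd ${GW_LAN_IP},${SQUID_PORT} tcp from ${LAN_NET} to any 80 in via ${LAN_IF}
EOF
}

# squid.conf fragment for the Squid running on the gateway (the
# "http_port ... transparent" form the thread refers to).
squid_conf() {
    cat <<EOF
# intercepted (transparent) listener the fwd rule points at
http_port ${GW_LAN_IP}:${SQUID_PORT} transparent
# the office proxy as reached through the local SSH tunnel endpoint
cache_peer 127.0.0.1 parent ${TUNNEL_PORT} 0 no-query default
# never fetch directly: everything must go through the parent
never_direct allow all
acl localnet src ${LAN_NET}
http_access allow localnet
http_access deny all
EOF
}

# Only touch the live system when explicitly asked ("apply"); otherwise
# just print what would be installed.
case "${1:-show}" in
    apply) ipfw_rules | ipfw -q /dev/stdin
           squid_conf > /usr/local/etc/squid/squid.conf.tunnel ;;
    show)  ipfw_rules; echo; squid_conf ;;
esac
```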



More information about the freebsd-net mailing list