iptables Transparent Proxy Configuration
Neil Symons
2003-12-02 19:47:24 UTC
I want to Transparently redirect port 80 on a router to a proxy server
and I have been guided to use the following lines.


iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp \
--dport 80 -j DNAT --to squid-box:3128

iptables -t nat -A POSTROUTING -o eth0 -s local-network \
-d squid-box -j SNAT --to iptables-box

iptables -A FORWARD -s local-network -d squid-box -i eth0 \
-o eth0 -p tcp --dport 3128 -j ACCEPT


These all work however two problems I have discovered.

1) When I connect to the Router's Own Web Port I get redirected to the
Proxy server which I don't want.

and

2) I want my proxy server to be able to connect to the real world by port
80 through the proxy server

Can someone guide me to what over rules I need to fulfill this and the
order it has to go in.

-- Neil
--
+----------------------------------------------------------+
Goldweb Internet - (02) 62530059 BH (0500) 528932 AH <
ICQ / UIN: 5255597 | http://www.goldweb.com.au/~neil/ <
+----------------------------------------------------------+
Neil Symons
2003-12-02 19:47:24 UTC
Post by Neil Symons
I want to Transparently redirect port 80 on a router to a proxy server
and I have been guided to use the following lines.
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp \
--dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network \
-d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 \
-o eth0 -p tcp --dport 3128 -j ACCEPT
These all work however two problems I have discovered.
1) When I connect to the Router's Own Web Port I get redirected to the
Proxy server which I don't want.
and
2) I want my proxy server to be able to connect to the real world by port
80 through the proxy server
Correction, through the router.
Post by Neil Symons
Can someone guide me to what over rules I need to fulfill this and the
order it has to go in.
-- Neil
--
+----------------------------------------------------------+
Post by Neil Symons
Goldweb Internet - (02) 62530059 BH (0500) 528932 AH <
ICQ / UIN: 5255597 | http://www.goldweb.com.au/~neil/ <
+----------------------------------------------------------+
Martin Schwenke
2003-12-02 19:47:25 UTC
Neil> I want to Transparently redirect port 80 on a router to a
Neil> proxy server and I have been guided to use the following
Neil> lines.
Neil>
Neil> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp \
Neil> --dport 80 -j DNAT --to squid-box:3128
Neil>
Neil> iptables -t nat -A POSTROUTING -o eth0 -s local-network \
Neil> -d squid-box -j SNAT --to iptables-box
Neil>
Neil> iptables -A FORWARD -s local-network -d squid-box -i eth0 \
Neil> -o eth0 -p tcp --dport 3128 -j ACCEPT
Neil>
Neil>
Neil> These all work however two problems I have discovered.
Neil>
Neil> 1) When I connect to the Router's Own Web Port I get
Neil> redirected to the Proxy server which I don't want.

This traffic is being caught by the first rule, since your connection
probably isn't coming from the squid box. Before that rule, you need
to put in an ACCEPT for http packets aimed at the router:

iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
--dport 80 -j ACCEPT

Neil> 2) I want my proxy server to be able to connect to the real
Neil> world by port 80 through the [...] router.

This traffic isn't caught by any of the above rules? What else are
you doing? Do you have forwarding turned on?

peace & happiness,
martin
Alex Satrapa
2003-12-02 19:47:25 UTC
Post by Neil Symons
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp \
--dport 80 -j DNAT --to squid-box:3128
I'm a bit new to IPTABLES, but I think I understand this one - redirect
http requests to the squid box.
Post by Neil Symons
iptables -t nat -A POSTROUTING -o eth0 -s local-network \
-d squid-box -j SNAT --to iptables-box
I'm not sure about this one - redirect network-incoming packets from the
local network destined for the squid box to got to the router instead?
Post by Neil Symons
iptables -A FORWARD -s local-network -d squid-box -i eth0 \
-o eth0 -p tcp --dport 3128 -j ACCEPT
Connections from clients directly to the squid box should be accepted.

What interfaces does the router have, which side are the clients on,
which side is the squid proxy on?
Post by Neil Symons
1) When I connect to the Router's Own Web Port I get redirected to the
Proxy server which I don't want.
iptables -t nat -I PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 \
-j ACCEPT
Post by Neil Symons
2) I want my proxy server to be able to connect to the real world by
port
80 through the proxy server
The rules you have in place should allow that. Make sure squid is
configured to only make out-bound connections from the squid-box
interface. In your squid.conf, you'll need a line something like:

tcp_outgoing_address squid-box.local-network

where 'tcp_outgoing_address' is the squid configuration option, and
'squid-box.local-network' is the IP address of the interface mentioned
in the IPTABLES rules.

Of course, if your squid box only has one IP address, I'm totally off
the mark ;)

To make sure your squid server is able to access external web sites,
connect to it from the localhost - that way you won't have any routing
issues to muddle things up.

AFAIK, this kind of transparent proxy will only work for HTTP/1.1, since
HTTP/1.0 clients will simply ask for a resource as "GET / HTTP/1.0",
with no "Host:" header.

Alex
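The rule set the thread converges on, written out as one script with Martin's and Alex's ordering fix for problem 1 applied (the ACCEPT for HTTP aimed at the router goes in before the DNAT, since nat PREROUTING is first-match). This is an added example, not the poster's configuration: the addresses, network and interface name are constructed placeholders standing in for "iptables-box", "squid-box", "local-network" and eth0, and the negation is written as `! -s`, the form current iptables accepts, rather than the older `-s !`. The script prints the commands by default and only loads them when run with DRY_RUN=0 as root; the forwarding check answers Martin's question about problem 2.

```shell
#!/bin/sh
# Added example: complete transparent-proxy rule set for the setup in this
# thread. Hosts, network and interface are constructed placeholders.
LAN_IF="${LAN_IF:-eth0}"                 # interface facing clients and the squid box
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}" # "local-network" in the thread
ROUTER="${ROUTER:-192.168.1.1}"          # "iptables-box" in the thread
SQUID="${SQUID:-192.168.1.10}"           # "squid-box" in the thread
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the commands unless DRY_RUN=0, so the ordering can be reviewed first.
ipt() {
    if [ "${DRY_RUN:-1}" = "0" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # 1) HTTP for the router's own web port: must be accepted before the DNAT
    #    rule, because the chain stops at the first matching nat rule.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -d "$ROUTER" -p tcp --dport 80 \
        -j ACCEPT

    # 2) All other LAN port-80 traffic goes to squid. The squid box's own
    #    outbound fetches are excluded, which is what lets it reach the
    #    real world on port 80 through the router (problem 2).
    ipt -t nat -A PREROUTING -i "$LAN_IF" ! -s "$SQUID" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID:$SQUID_PORT"

    # 3) Clients and squid share one interface, so the redirected packets are
    #    SNATed to the router; otherwise squid would answer the client directly
    #    and the client, which never spoke to squid, would reset the connection.
    #    The match is narrowed to the proxy port here (my choice, not the
    #    thread's) so no other LAN-to-squid traffic is rewritten.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LOCAL_NET" -d "$SQUID" \
        -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$ROUTER"

    # 4) Let the redirected connections through the filter table.
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LOCAL_NET" -d "$SQUID" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

check_forwarding() {
    # Without ip_forward=1 the router never forwards the DNATed packets at all.
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]; then
        echo "ip_forward is on"
    else
        echo "ip_forward is off; enable with: sysctl -w net.ipv4.ip_forward=1"
    fi
}

build_rules
check_forwarding
```

Run it once without arguments to see the four commands in order, then with `DRY_RUN=0` as root to load them. A quick check after loading is `iptables -t nat -L PREROUTING -n --line-numbers`: the ACCEPT for the router address must be listed above the DNAT line, or the router's own web port is still redirected.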