iptables Transparent Proxy Configuration
martin at meltin.net
Fri Jul 26 11:28:30 EST 2002
>>>>> "Neil" == Neil Symons <neil at goldweb.com.au> writes:
Neil> I want to Transparently redirect port 80 on a router to a
Neil> proxy server and I have been guided to use the following
Neil> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp \
Neil> --dport 80 -j DNAT --to squid-box:3128
Neil> iptables -t nat -A POSTROUTING -o eth0 -s local-network \
Neil> -d squid-box -j SNAT --to iptables-box
Neil> iptables -A FORWARD -s local-network -d squid-box -i eth0 \
Neil> -o eth0 -p tcp --dport 3128 -j ACCEPT
Neil> These all work; however, I have discovered two problems.
Neil> 1) When I connect to the Router's Own Web Port I get
Neil> redirected to the Proxy server which I don't want.
This traffic is being caught by the first rule, since your connection
probably isn't coming from the squid box. Before that rule, you need
to put in an ACCEPT for http packets aimed at the router:
iptables -t nat -A PREROUTING -i eth0 -d iptables-box -p tcp \
--dport 80 -j ACCEPT
Neil> 2) I want my proxy server to be able to connect to the real
Neil> world by port 80 through the [...] router.
This traffic isn't caught by any of the above rules? What else are
you doing? Do you have forwarding turned on?
peace & happiness,
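The complete rule set from this thread as one loadable script, with the ACCEPT for the router's own port 80 placed ahead of the DNAT as suggested in the reply. This is an added example, not a script from the original mail or from either poster. The interface and addresses (eth0, 192.168.1.0/24, 192.168.1.10 for squid-box, 192.168.1.1 for the router's LAN address) are assumed placeholders. It also writes Neil's `-s ! squid-box` as `! -s squid-box`, which is the form current iptables accepts without a deprecation warning, and narrows the SNAT rule to TCP port 3128 so it only rewrites the redirected proxy traffic.

```shell
#!/bin/sh
# Added example (not from the original thread): transparent HTTP redirect to a
# squid box on the same LAN segment as the clients, with the router's own web
# port left alone. All addresses below are assumed placeholders.
LAN_IF=eth0
LOCAL_NET=192.168.1.0/24   # "local-network" in the thread (assumed)
SQUID_BOX=192.168.1.10     # "squid-box" in the thread (assumed)
ROUTER_IP=192.168.1.1      # "iptables-box", the router's LAN address (assumed)
SQUID_PORT=3128

# Command used to load each rule. Set IPT=dry_run to print rules instead.
IPT="${IPT:-iptables}"
dry_run() { printf '%s\n' "$*"; }

# Emit the rules in the order they must be loaded. The nat PREROUTING chain is
# first match wins, so the ACCEPT for the router's own port 80 must precede
# the DNAT that catches every other port-80 connection from the LAN.
rules() {
    # 1. HTTP aimed at the router itself: accept in the nat table so the DNAT
    #    below never sees it (this is the fix for problem 1 in the thread).
    echo "-t nat -A PREROUTING -i $LAN_IF -d $ROUTER_IP -p tcp --dport 80 -j ACCEPT"
    # 2. Every other port-80 connection from the LAN goes to squid. Squid's own
    #    outbound port-80 traffic is excluded by the negated source match, so
    #    it reaches the real world untouched (problem 2 in the thread).
    echo "-t nat -A PREROUTING -i $LAN_IF ! -s $SQUID_BOX -p tcp --dport 80 -j DNAT --to-destination $SQUID_BOX:$SQUID_PORT"
    # 3. Clients and squid share a segment, so source-NAT the redirected packets
    #    to the router; otherwise squid replies to the client directly and the
    #    client discards a reply from an address it never connected to.
    echo "-t nat -A POSTROUTING -o $LAN_IF -s $LOCAL_NET -d $SQUID_BOX -p tcp --dport $SQUID_PORT -j SNAT --to-source $ROUTER_IP"
    # 4. Let the hairpinned LAN -> squid traffic through the filter table.
    #    This path only works with net.ipv4.ip_forward=1 on the router.
    echo "-A FORWARD -i $LAN_IF -o $LAN_IF -s $LOCAL_NET -d $SQUID_BOX -p tcp --dport $SQUID_PORT -j ACCEPT"
}

# Load (or, with IPT=dry_run, print) the rules in order.
apply_rules() {
    rules | while read -r r; do
        # shellcheck disable=SC2086  # word splitting of $r is intended
        $IPT $r
    done
}

# Pre-load sanity check: the router exemption must come before the DNAT in
# the emitted rule list. Returns 0 when the order is correct.
check_order() {
    accept_line=$(rules | grep -n -- "-d $ROUTER_IP -p tcp --dport 80 -j ACCEPT" | cut -d: -f1)
    dnat_line=$(rules | grep -n -- '-j DNAT' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$dnat_line" ] && [ "$accept_line" -lt "$dnat_line" ]
}

# Usage (as root, after sysctl -w net.ipv4.ip_forward=1):
#   check_order && apply_rules
# Dry run to review the rules first:
#   IPT=dry_run apply_rules
```

Run it with `IPT=dry_run` first and read the output top to bottom: if the ACCEPT for the router's address is not the first PREROUTING rule, connections to the router's own web port will still be sent to squid, exactly as Neil observed.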