iptables Transparent Proxy Configuration

Alex Satrapa grail at goldweb.com.au
Fri Jul 26 11:40:34 EST 2002


On Friday, July 26, 2002, at 02:06 , Neil Symons wrote:

> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp \
> 	 --dport 80 -j DNAT --to squid-box:3128

I'm a bit new to IPTABLES, but I think I understand this one - redirect 
http requests to the squid box.

> iptables -t nat -A POSTROUTING -o eth0 -s local-network \
> 	 -d squid-box -j SNAT --to iptables-box

I'm not sure about this one - redirect network-incoming packets from the 
local network destined for the squid box to go to the router instead?

> iptables -A FORWARD -s local-network -d squid-box -i eth0 \
>     -o eth0 -p tcp --dport 3128 -j ACCEPT

Connections from clients directly to the squid box should be accepted.

What interfaces does the router have, which side are the clients on, 
which side is the squid proxy on?

> 1) When I connect to the Router's Own Web Port I get redirected to the
> Proxy server which I don't want.

iptables -t nat -I PREROUTING -i eth0 -d iptables-box -p tcp --dport 80 \
    -j ACCEPT

> 2) I want my proxy server to be able to connect to the real world by 
> port
> 80 through the proxy server

The rules you have in place should allow that.  Make sure squid is 
configured to only make out-bound connections from the squid-box 
interface.  In your squid.conf, you'll need a line something like:

     tcp_outgoing_address squid-box.local-network

where 'tcp_outgoing_address' is the squid configuration option, and 
'squid-box.local-network' is the IP address of the interface mentioned 
in the IPTABLES rules.

Of course, if your squid box only has one IP address, I'm totally off 
the mark ;)

To make sure your squid server is able to access external web sites, 
connect to it from the localhost - that way you won't have any routing 
issues to muddle things up.

AFAIK, this kind of transparent proxy will only work for HTTP/1.1, since 
HTTP/1.0 clients will simply ask for a resource as "GET / HTTP/1.0", 
with no "Host:" header.

Alex
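As an added example that is not part of the original message, the following Python models how the nat PREROUTING chain is evaluated first-match, which is why the fix for problem 1 uses -I (insert at the top) so the ACCEPT for the router's own port 80 is seen before the appended DNAT rule. The addresses are constructed placeholders for squid-box, iptables-box, a client and an external web server.

```python
# Added example, not from the mail; addresses below are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

SQUID_BOX = "192.0.2.10"     # squid-box
IPTABLES_BOX = "192.0.2.1"   # iptables-box (router's LAN address)
CLIENT = "192.0.2.50"        # a host on local-network
EXTERNAL = "198.51.100.7"    # a web server out on the Internet


@dataclass
class Rule:
    """One nat/PREROUTING rule; a None field matches anything."""
    target: str                  # "ACCEPT" (leave alone) or "DNAT"
    in_iface: Optional[str] = None
    src: Optional[str] = None
    src_negated: bool = False    # models '-s ! squid-box'
    dst: Optional[str] = None
    dport: Optional[int] = None
    to: Optional[str] = None     # DNAT --to host:port

    def matches(self, pkt: dict) -> bool:
        if self.in_iface and pkt["in"] != self.in_iface:
            return False
        if self.src is not None and (pkt["src"] == self.src) == self.src_negated:
            return False
        if self.dst is not None and pkt["dst"] != self.dst:
            return False
        return self.dport is None or pkt["dport"] == self.dport


def prerouting(chain: list, pkt: dict) -> str:
    """Return the destination after NAT; the first matching rule decides."""
    untouched = f'{pkt["dst"]}:{pkt["dport"]}'
    for rule in chain:
        if rule.matches(pkt):
            return rule.to if rule.target == "DNAT" else untouched
    return untouched  # chain policy ACCEPT: no rewrite


def build_chain(exempt_router: bool) -> list:
    """-A appends the DNAT rule; -I puts the router exemption in front of it."""
    chain = [Rule("DNAT", in_iface="eth0", src=SQUID_BOX, src_negated=True,
                  dport=80, to=f"{SQUID_BOX}:3128")]
    if exempt_router:
        chain.insert(0, Rule("ACCEPT", in_iface="eth0", dst=IPTABLES_BOX, dport=80))
    return chain


def destination_after_nat(exempt_router: bool, src: str, dst: str) -> str:
    pkt = {"in": "eth0", "src": src, "dst": dst, "dport": 80}
    return prerouting(build_chain(exempt_router), pkt)
```

Without the exemption, a client connecting to the router's own port 80 is rewritten to squid-box:3128 (the reported problem); with it, only traffic to other hosts is redirected, and the squid box's own outbound requests are never matched.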