I have a local transparent proxy, but my problem is that packets, when re-routed, have the router IP and not the user. These are the rules that I currently have in place:
# Redirect port-80 traffic from every LAN host except the squid box itself to squid's intercept port
# (modern iptables wants the negation in front of the option: "! -s", not "-s !")
iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.1.231 -p tcp -m multiport --dport 80 -j DNAT --to 192.168.1.231:3128
# Rewrite the source address of the redirected packets to the router's own address
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -d 192.168.1.231 -j SNAT --to 192.168.1.1
# Allow the redirected packets to be forwarded back out eth0 to squid
iptables -A FORWARD -s 192.168.0.0/16 -d 192.168.1.231 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
# Drop any port-80 traffic from the LAN that was not redirected
iptables -I FORWARD -i eth0 -p tcp -m multiport --dport 80 -j DROP
- 192.168.1.231 = proxy server (squid) + DNS server
- 192.168.1.1 = iptables/router (CentOS)
Everything seems to be working, but the IP in the proxy log is always 192.168.1.1 instead of, for example, 192.168.1.46 or 192.168.4.25. This is important for me because I have different squid rules for 192.168.4.XX (DHCP) vs 192.168.1.XX or 192.168.2.XX, and it would also really help me with finding who is misusing the internet.
Best Answer
With this method you can avoid NAT packet alterations.
At the iptables box:
At the squid box:
See here for more details: http://www.tldp.org/HOWTO/TransparentProxy-6.html
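The approach the answer points at (section 6 of the linked HOWTO) is policy routing: the router marks client port-80 packets and routes them to the squid box unchanged, and only the squid box rewrites anything, using REDIRECT, which changes the destination but leaves the client's source address intact. The script below is an added example written for this page, not the answer's own (missing) rule listing. It assumes the addresses from the question (router 192.168.1.1, squid 192.168.1.231, clients in 192.168.0.0/16, everything on eth0); the fwmark value 3, routing table 2, the DRY_RUN switch and the function names are my own choices. With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: transparent proxy via policy routing instead of DNAT/SNAT.
# Topology taken from the question; MARK, TABLE and DRY_RUN are assumptions.
ROUTER_LAN_IF=${ROUTER_LAN_IF:-eth0}   # router interface facing the LAN and squid
SQUID_LAN_IF=${SQUID_LAN_IF:-eth0}     # squid box interface facing the LAN
SQUID=${SQUID:-192.168.1.231}
LAN=${LAN:-192.168.0.0/16}
MARK=${MARK:-3}                        # assumed fwmark value
TABLE=${TABLE:-2}                      # assumed routing table number
DRY_RUN=${DRY_RUN:-1}                  # 1 = print commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules for the router (192.168.1.1). No NAT at all: the client's source IP survives.
router_rules() {
    # Squid's own outbound port-80 fetches must not be marked, or they would be
    # routed straight back to squid and loop.
    run iptables -t mangle -A PREROUTING -i "$ROUTER_LAN_IF" -s "$SQUID" -p tcp --dport 80 -j ACCEPT
    # Mark every other LAN client's port-80 packet.
    run iptables -t mangle -A PREROUTING -i "$ROUTER_LAN_IF" -s "$LAN" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # Marked packets consult a dedicated table whose only route points at the squid box.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$SQUID" dev "$ROUTER_LAN_IF" table "$TABLE"
    # Marked packets re-enter the LAN on the same interface they came from; without this
    # the router would send ICMP redirects telling clients to talk to squid directly.
    run sysctl -w "net.ipv4.conf.$ROUTER_LAN_IF.send_redirects=0"
    # Forwarding must let the marked client packets out to squid and squid's own fetches
    # out to the WAN. Inserted at the top so they precede a blanket port-80 DROP such as
    # the one in the question (which would otherwise also block squid itself).
    run iptables -I FORWARD -i "$ROUTER_LAN_IF" -o "$ROUTER_LAN_IF" -s "$LAN" -p tcp --dport 80 -m mark --mark "$MARK" -j ACCEPT
    run iptables -I FORWARD -i "$ROUTER_LAN_IF" -s "$SQUID" -p tcp --dport 80 -j ACCEPT
    run iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Rules for the squid box (192.168.1.231). REDIRECT rewrites only the destination
# (to the local intercept port), so access.log sees the real client address.
squid_rules() {
    run iptables -t nat -A PREROUTING -i "$SQUID_LAN_IF" -s "$LAN" -p tcp --dport 80 -j REDIRECT --to-port 3128
}

# Commands to confirm the setup on each box (printed, never executed here).
verify_commands() {
    printf '%s\n' \
        "ip rule show" \
        "ip route show table $TABLE" \
        "iptables -t mangle -L PREROUTING -v -n" \
        "tcpdump -ni $SQUID_LAN_IF tcp port 3128"
}

case "${1:-}" in
    router) router_rules ;;
    squid)  squid_rules ;;
    verify) verify_commands ;;
esac
```

Run it as `sh proxy-route.sh router` on the router and `sh proxy-route.sh squid` on the squid box, first with the default DRY_RUN=1 to review the commands, then with DRY_RUN=0 as root. Squid itself must listen in intercept mode for the redirected connections (`http_port 3128 intercept` on current versions; older releases spell it `http_port 3128 transparent`). Once this is in place, the squid ACLs keyed on 192.168.4.0/24 versus 192.168.1.0/24 match the real client subnet, because no SNAT ever replaced the source address with 192.168.1.1.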