Centos – iptables with transparent proxy, how to pass the user IP

Tags: centos, iptables, squid, transparent-proxy

I have a local transparent proxy, but my problem is that packets, when re-routed, have the router IP and not the user. These are the rules that I currently have in place:

iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.1.231 -p tcp -m multiport --dport 80 -j DNAT --to 192.168.1.231:3128
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -d 192.168.1.231 -j SNAT --to 192.168.1.1
iptables -A FORWARD -s 192.168.0.0/16 -d 192.168.1.231 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
iptables -I FORWARD -i eth0 -p tcp -m multiport --dport 80 -j DROP
  • 192.168.1.231 = proxy server (squid) + DNS server
  • 192.168.1.1 = iptable/router (centOs)

Everything seems to be working, but the IP in the proxy log is always 192.168.1.1 instead of, say, 192.168.1.46 or 192.168.4.25.

This is important for me because I have different squid rules for 192.168.4.XX (DHCP) vs 192.168.1.XX or 192.168.2.XX, and it would also really help me with finding out who is misusing the internet.

Best Answer

With this method you can avoid NAT packet alterations.

At the iptables box:

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s squid-box
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
ip rule add fwmark 3 table 2
ip route add default via squid-box dev eth1 table 2

At the squid box:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

See here for more details: http://www.tldp.org/HOWTO/TransparentProxy-6.html
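The policy-routing setup the answer describes, written out as a dry-run setup script. This is an added example, not code from the original answer or from the Squid project; the interface names (eth0 towards the clients, eth1 towards the squid box, as in the answer), the mark value 3, routing table 2 and the squid host 192.168.1.231 from the question are assumptions you adapt to your network. It prints the commands by default and only executes them (as root) when DRY_RUN=0, and it adds the two pieces the answer leaves implicit: IP forwarding on the router and Squid's interception listener.

```shell
#!/bin/sh
# Added example, not code from the original answer: generates (and optionally
# applies) the fwmark/policy-routing setup that keeps the client's source IP.
# Addresses and interface names are assumptions taken from the thread.
ROUTER_LAN_IF="eth0"        # router interface the clients arrive on
ROUTER_SQUID_IF="eth1"      # router interface that reaches the squid box
SQUID_BOX="192.168.1.231"   # squid + DNS host named in the question
SQUID_PORT="3128"
FWMARK="3"
RT_TABLE="2"

# Router side. The ACCEPT for traffic *from* the squid box must come first:
# ACCEPT in the mangle table ends PREROUTING processing for that packet, so
# squid's own outbound HTTP is never marked and never looped back to squid.
router_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t mangle -A PREROUTING -s $SQUID_BOX -p tcp --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -i $ROUTER_LAN_IF -p tcp --dport 80 -j MARK --set-mark $FWMARK
ip rule add fwmark $FWMARK table $RT_TABLE
ip route add default via $SQUID_BOX dev $ROUTER_SQUID_IF table $RT_TABLE
EOF
}

# Squid side: redirect port 80 to the local squid. Nothing rewrote the source
# address on the way, so access.log shows the real 192.168.x.y client.
squid_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
EOF
}

# squid.conf line Squid needs to accept redirected (intercepted) connections.
squid_conf_line() {
    echo "http_port $SQUID_PORT intercept"
}

# Commands to confirm the router state after applying the rules.
verify_cmds() {
    cat <<EOF
ip rule show
ip route show table $RT_TABLE
iptables -t mangle -L PREROUTING -v -n
EOF
}

# Print commands by default; run them only when DRY_RUN=0 (needs root).
apply() {
    "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "0" ]; then sh -c "$cmd"; else echo "$cmd"; fi
    done
}

case "${1:-}" in
    router) apply router_rules ;;
    squid)  apply squid_rules ;;
    verify) apply verify_cmds ;;
esac
```

Run it as `sh setup.sh router` on the router and `sh setup.sh squid` on the squid box, then `sh setup.sh verify` to see the fwmark rule and table 2 route; on Squid releases older than 3.1 the listener keyword is `transparent` rather than `intercept`. The squid box must still use the router as its default gateway so replies and squid's own upstream fetches leave normally, and the `-v` counters in the mangle chain are the quickest way to confirm client packets are being marked while squid's own traffic hits the ACCEPT rule.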