Iptables – Force OpenVPN Access Server clients through proxy

iptables, openvpn

I have an OpenVPN Access Server (v2.0.3) which I use to provide remote access to a dozen or so users, as well as a small site-to-site connection with a pfSense gateway.

I am currently pushing a proxy config for the proxy server running on the same system as OpenVPN-AS (push "dhcp-option PROXY_HTTP 10.153.19.1 8080") to clients but I have noticed that not all the directly connected clients use it, and obviously, the clients behind the pfSense gateway do not since that config option never makes it to them.

How can I use iptables to force all requests to port 80 to instead hit this proxy server?

Best Answer

Just changing the destination of regular http requests so that they go to a plain http proxy will not work; the requests are not in the form that a regular proxy accepts.

What you need is a transparent proxy (aka intercepting proxy), in addition to the rules needed to intercept the actual packets. The specific rules will depend on what mode of operation the transparent proxy has: it is possible to intercept the packets with a simple DNAT rule, but netfilter also has a more sophisticated TPROXY facility that allows for fully transparent mode.

You did not specify what proxy software you are using but http://wiki.squid-cache.org/SquidFaq/InterceptionProxy has an overview for Squid in this kind of setup.

Some specific config examples:
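As an added illustration of the two interception modes the answer mentions (not part of the original answer, and not configuration from the OpenVPN or Squid projects), the script below emits the netfilter rules for a REDIRECT (DNAT) setup and for a TPROXY setup. It assumes the tunnel interface is tun0, the proxy's intercept port is 3129, and Squid is listening with `http_port 3129 intercept` or `http_port 3129 tproxy`; none of those values are on the page.

```shell
#!/bin/sh
# Added example for this thread, not from the answer or from the OpenVPN/Squid
# projects. Emits netfilter rules that steer port-80 traffic arriving through
# the VPN tunnel into a transparent proxy on this host, in the two modes the
# answer names: a plain REDIRECT (DNAT) and a fully transparent TPROXY setup.
# Assumed values (not on the page): tunnel interface tun0, intercept port 3129.
VPN_IF="${VPN_IF:-tun0}"
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"

# REDIRECT mode as an iptables-restore fragment. Only packets *arriving* on the
# tunnel are matched, which covers both directly connected clients and the
# site-to-site hosts behind pfSense; the proxy's own outbound fetches leave via
# the OUTPUT chain and are therefore never looped back into the proxy.
redirect_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ${VPN_IF} -p tcp --dport 80 -j REDIRECT --to-ports ${INTERCEPT_PORT}
COMMIT
EOF
}

# TPROXY mode: the destination address is left intact and the packet is marked
# so that a policy-routing rule delivers it locally to the proxy socket.
tproxy_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
# Packets belonging to a socket the proxy already owns only need the mark.
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
-A PREROUTING -i ${VPN_IF} -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port ${INTERCEPT_PORT}
COMMIT
EOF
}

# Policy routing required by TPROXY: marked packets are routed to the local stack.
tproxy_routing() {
    printf '%s\n' \
        "ip rule add fwmark 1 lookup 100" \
        "ip route add local 0.0.0.0/0 dev lo table 100"
}

# Review first; load as root with e.g.: redirect_rules | iptables-restore -n
if [ "${1:-}" = "show" ]; then
    redirect_rules; tproxy_rules; tproxy_routing
fi
```

Run with `show` to print all three fragments; pick one mode, not both, and match it to the proxy's listening mode.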
