Iptables redirect HTTP traffic to proxy

httpiptablesPROXYredirect

I have a local HTTP proxy running, if I configure my browser to go through it works perfectly but I would need to leave the browser configuration blank and only redirect the traffic to the proxy with iptables (or any other mechanism).

I tried these rules (separately) without succeeding (proxy returns 400 bad request error):

iptables -t nat -A OUTPUT -p tcp -o lo -d 127.0.0.1 --dport 80 -j DNAT --to 127.0.0.1:8082

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8082

Is it even possible to use an HTTP proxy with only iptables ? Or does the HTTP request has to be rewritten as well ?

Thanks in advance for your help

Best Answer

This is called "transparent proxy". You need two things to do it:

Your proxy server should support it (transparent proxy). Squid is a well-known proxy server which supports transparent proxy mode.
Configure your firewall / router to redirect HTTP traffic to your proxy like the iptables rule you have.

Related Solutions

Iptables – Redirect OpenVPN gateway traffic to Privoxy

You can push proxy configuration to the OpenVPN clients.

From the OpenVPN Access Server web interface go to Advanced VPN Settings → Server Config Directives and enter the following directive with your proxy ip/port info.

push "dhcp-option PROXY_HTTP 111.222.333.44 8118"

I am not sure if all OpenVPN clients support this config. But on IOS it works well.

Linux – Forward HTTP Traffic to Another IP Address with iptables

There are three potential problems I see (contary to the other answer I don't see anything that would cause a "loop" even in the unedited version of your question).

IP forwarding must be enabled.
After being natted and placed back on the network the packet may fall victim to source address filtering as it looks very much like a spoofed packet.
Responses to packets that go through a NAT must go through the same NAT so the reverse translation can be performed. Otherwise the client will get a response with the wrong source IP/port which it is likely to drop (if it has not already been dropped by reverse path filtering).

You can work arround points 2 and 3 by using a SNAT or MASQURADE rule in addition to the DNAT but if you do that then you lose the original source IP of the traffic. That will make abuse control very difficult.

Another soloution to points 2 and 3 would be to set up a VPN between the two servers. Then use DNAT to forward traffic over the VPN and source IP based routing to bring the replies back to the NAT.

Best Answer

Related Solutions

Iptables – Redirect OpenVPN gateway traffic to Privoxy

Linux – Forward HTTP Traffic to Another IP Address with iptables

Related Topic