Iptables rules for transparent proxy, and no proxy

iptablestransparent-proxy

Hi I'm using redsocks and iptables port redirection rules to set a transparent proxy, and works fine, but I need to establish iptables rules for non proxy access, to domains, domain1.com and domain2.com, and 10.0.0.0/8
Here is my actual redirection rules.

iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:5123
iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:5124

where ports 5123 and 5124 are the ports for redsocks

Its posible to bypass the port redirection for the desired domains and ips??

Best Answer

You can define a ACCEPT rule before your DNAT rule. As usual in iptables, the first matched rule will be applied and no more (can have exception like LOG). So define a rule with -j ACCEPT for your internal networks before a rule with -j DNAT like you propose.

The source IP can be defined in -s 10.0.0.0/8 and a name can be used, but it will be translated in IP. The IP will not be refreshed. Remember that the DNS must be available if you use the name of the host !

iptables -t nat -A OUTPUT -o eth0 -s 10.0.0.0/8 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:5123
iptables -t nat -A OUTPUT -o eth0 -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:5124

Related Solutions

Linux – DNAT to 127.0.0.1 with iptables / Destination access control for transparent SOCKS proxy

You cannot do this trick with 127/8 network as it is treaded specially inside linux kernel. But you can create dummy network interface, assign ip address to it, bind your service to this address and do NAT.

root@vm8583:~# ip link add bogus type dummy
root@vm8583:~# sysctl net.ipv4.conf.eth0.arp_ignore=3
root@vm8583:~# ip addr add 10.0.0.1/32 bogus scope host
root@vm8583:~# ip link set bogus up
root@vm8583:~# ip link show bogus
4: bogus: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT 
    link/ether 5e:8b:38:f3:46:ce brd ff:ff:ff:ff:ff:ff

Note, you may need to set net.ipv4.conf.eth0.arp_ignore=3 so your server won't answer to ARP requests for 10.0.0.1 incoming via eth0:

arp_ignore - INTEGER
    Define different modes for sending replies in response to
    received ARP requests that resolve local target IP addresses:
. . .
    3 - do not reply for local addresses configured with scope host,
    only resolutions for global and link addresses are replied
    4-7 - reserved

Linux – Forward HTTP Traffic to Another IP Address with iptables

There are three potential problems I see (contary to the other answer I don't see anything that would cause a "loop" even in the unedited version of your question).

IP forwarding must be enabled.
After being natted and placed back on the network the packet may fall victim to source address filtering as it looks very much like a spoofed packet.
Responses to packets that go through a NAT must go through the same NAT so the reverse translation can be performed. Otherwise the client will get a response with the wrong source IP/port which it is likely to drop (if it has not already been dropped by reverse path filtering).

You can work arround points 2 and 3 by using a SNAT or MASQURADE rule in addition to the DNAT but if you do that then you lose the original source IP of the traffic. That will make abuse control very difficult.

Another soloution to points 2 and 3 would be to set up a VPN between the two servers. Then use DNAT to forward traffic over the VPN and source IP based routing to bring the replies back to the NAT.

Best Answer

Related Solutions

Linux – DNAT to 127.0.0.1 with iptables / Destination access control for transparent SOCKS proxy

Linux – Forward HTTP Traffic to Another IP Address with iptables

Related Topic