Iptables – Transparent Proxy with Squid / iptables


I'm trying to force one PC to use a remote transparent squid proxy by re-routing all outgoing packets headed for port 80 to the squid proxy, although I'm having some difficulty with the exact iptables command line.

The mini-HOWTO at http://tldp.org/HOWTO/TransparentProxy-6.html has some good links for the two "extreme" cases: a three (or more) machine setup which has a client, router, and proxy, and a single machine setup where all three are on the same machine.

In my setup, I have a machine (called foo), with an IP of 192.168.1.100. Normally, it connects to the internet through a router at 192.168.1.1, which does NAT and has a public IP. In this case, foo also is connected via an OpenVPN tunnel (foo's tunnel address is 10.8.0.5/6) to a machine called bar (remote address 10.8.0.1), which runs squid. I want to use iptables to route all outgoing packets from foo headed for port 80 to bar's squid proxy, on port 3128.

I haven't been able to figure out which chain and which targets to use; all my attempts have either been illegal (-A OUTPUT without -t nat and --to-destination) or just not done any good (various combinations of -A PREROUTING, OUTPUT, POSTROUTING, etc).

EDIT:
The closest I think I got was this:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 10.8.0.1:3128

Now, no port 80 traffic gets anywhere, but at least it's getting processed. Using -A PREROUTING fails… maybe because the packets originate locally instead of being routed through the machine?

Best Answer

If I understand you correctly, what you want to do isn't going to be handled simply by configuring iptables. The REDIR target can only be used to target processes running on the local system. I believe attempting to use a DNAT target to forward the traffic to the remote squid box would remove some of the information the remote squid box needs to properly handle the request.

If you allow me to guess a bit, I think you are trying to leave the default gateway as 192.168.1.1 on your host and then send your port 80 traffic across the vpn, right?

The remote squid needs some configuration so that it can actually act as a transparent proxy. If you can set up the correct iptables redirection on the squid host, and the remote host is in the network path, then it is possible to use some advanced routing to forward all port 80 requests across the vpn.

P.S. If I am understanding your needs correctly, add a comment, and I can update my answer with more details about how to setup routing.
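As an added example (not code from the question or the answer above), this dry-run shell script spells out the "advanced routing" the answer alludes to: on foo, mark port-80 connections and policy-route them into the tunnel; on bar, REDIRECT them to the local squid. The addresses come from the question; the interface name tun0, the fwmark value 1 and routing table 100 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Steers foo's locally
# generated port-80 traffic into the OpenVPN tunnel (packet mark + policy
# routing) and intercepts it on bar with REDIRECT instead of DNAT from foo.
TUN_IF="tun0"     # assumed: foo's OpenVPN interface (10.8.0.5, peer 10.8.0.6)
SQUID_PORT=3128   # squid on bar (from the question)
MARK=1            # assumed fwmark value
TABLE=100         # assumed policy routing table number

# Print the command unless DRY_RUN=0; lets the rules be reviewed before applying.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# On foo: mangle OUTPUT runs after the first route lookup, and a changed mark
# makes the kernel re-route the packet. That is the step a nat OUTPUT DNAT
# cannot do, and DNAT also overwrote the real destination squid needs.
client_rules() {
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 ! -o "$TUN_IF" \
        -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default dev "$TUN_IF" table "$TABLE"
    # The socket already picked 192.168.1.100 as source; rewrite it to the
    # tunnel address so bar's replies come back over the VPN.
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" -p tcp --dport 80 -j MASQUERADE
}

# On bar: REDIRECT keeps the original destination in conntrack, which squid
# reads when its squid.conf carries "http_port 3128 intercept".
proxy_rules() {
    run iptables -t nat -A PREROUTING -i "$TUN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

case "${1:-}" in
    client) client_rules ;;
    proxy)  proxy_rules ;;
esac
```

Run `sh script.sh client` on foo and `sh script.sh proxy` on bar to review the rules, then repeat with `DRY_RUN=0` as root to apply them.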