Iptables – Unable to redirect HTTP traffic to transparent proxy (Squid)

Tags: iptables, proxy, router, squid, transparent-proxy

I'm trying to create a transparent proxy to cache and blacklist traffic on my self-made Linux router. The problem is that all clients are getting timed out when trying to reach any HTTP sites (HTTPS works).

Here is my setup:

System: Ubuntu 16.04

Proxy: Squid 3.5.12

iptables:
  – Relevant rule:
   -A PREROUTING -i wlx30b5c21224f3 -p tcp --dport 80 -j REDIRECT --to-port 9999
  – Entire ruleset:
    https://pastebin.com/HtzTmYMp

Squid:
  – Relevant rules:
   http_port 192.168.99.1:8888
   http_port 192.168.99.1:9999 intercept
  – Entire config:
    https://pastebin.com/Ft2f3uaD

Interfaces:
  – Internet – enp1s0 (ethernet)
  – Local network – wlx30b5c21224f3 (wireless)

Network:
  – Network address – 192.168.99.0/24
  – Gateway, DNS, Squid – 192.168.99.1

Squid logs:
  – Access.log – empty
  – Cache.log – https://pastebin.com/AQ6VFdNP

I can tell that squid is working and listening on assigned ports by looking at active processes.
Result of netstat -tulpn | grep squid:

tcp 0 0 192.168.99.1:9999 0.0.0.0:* LISTEN 2604/(squid-1)
tcp 0 0 192.168.99.1:8888 0.0.0.0:* LISTEN 2604/(squid-1)
udp 0 0 0.0.0.0:35057 0.0.0.0:* 2604/(squid-1)
udp6 0 0 :::50319 :::* 2604/(squid-1)

I can also tell that the iptables rule redirects traffic from port 80 to 9999 by watching traffic while trying to connect to an HTTP site from one of the clients.
Result of watch 'iptables -t nat -L -n -v': https://pastebin.com/wdRjnBDa

The byte count on the iptables rule keeps increasing as I try to reach the site, yet the client still times out.

So my theory is that iptables is redirecting traffic properly and Squid is listening on the proper ports, yet there is something I'm missing that is preventing traffic from ever reaching Squid (since the Squid logs are more or less empty).

I've tried a bunch of different iptables rules I found in various Squid guides online; most of them yield the same result as above.
I've also tried a bunch of different ports in Squid, and I've tried to remove the IP address from http_port 192.168.99.1:9999, but that caused Squid to listen on IPv6 only (and I'm not sure how that affects iptables rerouting).

PS. This is my first networking project, so I might be missing something obvious here.

Best Answer

Make sure you open/have another http_port for the reverse proxy:

The reason SSL works is that it is not going through Squid. In this example you can intercept that as well (the first line is what you need):

http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
 cert=/etc/squid/certs/squidCA.pem \
 generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

iptables:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
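The question and the answer both come down to three things having to agree: the --to-port of the nat REDIRECT rule, an http_port line in squid.conf carrying the intercept flag on that same port, and a TCP listener actually bound there; and because REDIRECT delivers the packet locally, it also has to get past the filter INPUT chain before Squid can ever log it. The script below is an added example, not code from the original post or from the Squid project: it cross-checks those four points offline from text you already have (squid.conf, iptables-save output, netstat/ss output). The sample inputs are constructed from the values quoted in the question; the *filter lines and the INPUT DROP policy in the sample are assumptions, since the asker's full ruleset is only on pastebin.

```shell
#!/bin/sh
# Added example: offline consistency checks for a Squid transparent-proxy setup.
# Inputs are constructed samples based on the question; the *filter table and
# its INPUT policy are assumed, not taken from the asker's actual ruleset.

SQUID_CONF_SAMPLE='http_port 192.168.99.1:8888
http_port 192.168.99.1:9999 intercept'

RULES_SAMPLE='*nat
-A PREROUTING -i wlx30b5c21224f3 -p tcp --dport 80 -j REDIRECT --to-port 9999
-A POSTROUTING -o enp1s0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i wlx30b5c21224f3 -p tcp --dport 9999 -j ACCEPT
COMMIT'

NETSTAT_SAMPLE='tcp 0 0 192.168.99.1:9999 0.0.0.0:* LISTEN 2604/(squid-1)
tcp 0 0 192.168.99.1:8888 0.0.0.0:* LISTEN 2604/(squid-1)
udp 0 0 0.0.0.0:35057 0.0.0.0:* 2604/(squid-1)'

# Ports on which Squid expects NAT-intercepted requests (http_port ... intercept).
squid_intercept_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "http_port" {
            for (i = 3; i <= NF; i++)
                if ($i == "intercept") { sub(/^.*:/, "", $2); print $2 }
        }'
}

# Target port of every REDIRECT rule (iptables-save writes --to-ports, by hand it is --to-port).
redirect_ports() {
    printf '%s\n' "$1" | awk '
        /-j REDIRECT/ { for (i = 1; i < NF; i++) if ($i ~ /^--to-ports?$/) print $(i + 1) }'
}

# Local address:port of TCP listeners on a port; accepts netstat -tlnp or ss -tlnp output.
tcp_listeners_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^(tcp|LISTEN)/ { n = split($4, a, ":"); if (a[n] == port) print $4 }'
}

# REDIRECTed packets traverse the filter INPUT chain. Heuristic: the policy is
# ACCEPT, or there is an explicit "-A INPUT ... --dport <port> ... -j ACCEPT" rule.
input_accepts_port() {
    printf '%s\n' "$1" | grep -q '^:INPUT ACCEPT' && return 0
    printf '%s\n' "$1" | grep -- '^-A INPUT ' | grep -E -- "--dport $2( |$)" | grep -q -- '-j ACCEPT'
}

# Run every check; prints findings and returns 0 only when all of them line up.
check_transparent_setup() {
    squid_conf="$1" rules="$2" sockets="$3" rc=0
    ports=$(redirect_ports "$rules")
    [ -n "$ports" ] || { echo "PROBLEM: no REDIRECT rule found in the nat table"; return 1; }
    for p in $ports; do
        if squid_intercept_ports "$squid_conf" | grep -qx "$p"; then
            echo "ok: REDIRECT --to-port $p matches an 'http_port ... intercept' line"
        else
            echo "PROBLEM: port $p is redirected to, but no 'http_port $p intercept' line exists"; rc=1
        fi
        listener=$(tcp_listeners_on_port "$sockets" "$p")
        if [ -n "$listener" ]; then
            echo "ok: TCP listener on $listener"
        else
            echo "PROBLEM: nothing is listening on TCP port $p"; rc=1
        fi
        if input_accepts_port "$rules" "$p"; then
            echo "ok: filter INPUT chain accepts tcp/$p"
        else
            echo "PROBLEM: filter INPUT chain may drop the redirected packets to tcp/$p"; rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed samples above.
check_transparent_setup "$SQUID_CONF_SAMPLE" "$RULES_SAMPLE" "$NETSTAT_SAMPLE"
```

On a live router the same function can be fed real data, for example `check_transparent_setup "$(cat /etc/squid/squid.conf)" "$(iptables-save)" "$(netstat -tlnp)"` (or `ss -tlnp` in place of netstat). The INPUT check is a heuristic: it ignores rule order and interface matches, so a passing result there means "nothing obviously blocks the port", not proof that the packets get through; when the nat counters climb but access.log stays empty, `iptables -L INPUT -n -v` with its per-rule counters is the thing to read next.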