Iptables – What’s the difference between transparent proxy and explicit proxy

iptablestransparent-proxy

I've set up a transparent proxy with squid listening on 8080(http) 8443(https), and it works.

In addition, I set the iptables to redirect the request.

iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

If I set up an explicit proxy to replace squid, http still works, but https doesn't work (https proxy performs a MITM, and I trust the certificate).

I want to know the difference between using iptables REDIRECT and setting browser's proxy explicitly. Does the proxy process it somehow differently?

Best Answer

How proxies work

How a transparent proxy works

The browser thinks it is talking to the web server, and the proxy intercepts this traffic, and performs whatever tasks it needs to.

How an explicit proxy works

The browser knows it is talking to a proxy, and asks the proxy to load up the site that it wants to load instead.

Benefits of each type

Transparent

No need to configure on each client
Can be used by software that has no proxy settings

Explicit

More obvious that traffic is being monitored
Can work in places that a transparent proxy would break stuff
More likely to give useful error messages if the proxy fails

Related Solutions

Iptables – Transparent Proxy with Squid / iptables

If I understand you correctly, what you want to do isn't going to be handled simply by configuring iptables. The REDIR target can only be used to target processes running on the local system. I believe attempting to use a DNAT target to forward the to the remote squid box would remove some of the information the remote squid box needs to properly handle the request

If you allow me to guess a bit. I think you are trying to leave the default gateway as 192.168.1.1 on your host and then send your port 80 traffic across the vpn right?

The remote squid needs some configuration so that it can actually act as a transparent proxy. If you can setup the correct iptables redirection on the squid host, and the remote host is in the network path, then it is possible to do use some advanced routing to forward all port 80 requests across the vpn.

P.S. If I am understanding your needs correctly add a comment, I can update my answer with more details about how to setup routing.

Linux Port Forwarding to different IPs

Unless I am misunderstanding, why not simply map different target ports on the Linux Server to port 80 on the backend devices. For example:

Netbook --> 192.168.1.1:8080 (Linux Server) --> 192.168.0.2:80 (NAS)
Netbook --> 192.168.1.1:8081 (Linux Server) --> 192.168.0.1:80 (Router)

You already have the commands you need, you just need to set --dport to a different target port on the Linux Server, while specifying port 80 in --to-destination.