Ubuntu – Iptables rule for squid transparent proxy block http requests

iptablessquidUbuntu

I have some iptables rules in a linux gateway (ubuntu server 12.04) and all works good. I configured a transparent squid proxy and works too. I'm using this rule.

$IPT -t nat -A PREROUTING -p tcp --destination-port 80 \
-j REDIRECT --to-ports 3128

But I must use this server for web development testing and demos, and is rejecting all http requests from internet (eht0). I can access without problems from local network (eth1).

When I comment the rule above. All works again. Why this rule is blocking the http requests from wan network?

Best Answer

Actually, this rule is not blocking http traffic from Wan, but redirects this traffic to your Proxy.

In other words, your actual rule redirects both incoming and outgoing http traffic to your gateway on port 3128.

I would suggest to specify source/destination interfaces :

# Traffic from LAN to Internet is redirected to your Proxy
$IPT -t nat -A PREROUTING -p tcp -i eth1 -o eth0 --destination-port 80 -j REDIRECT --to-ports 3128

# Traffic from Internet is redirected to your gateway on port 80
$IPT -t nat -A PREROUTING -p tcp -i eth0 --destination-port 80 -j REDIRECT --to-ports 80

Related Solutions

Iptables – Transparent Proxy with Squid / iptables

If I understand you correctly, what you want to do isn't going to be handled simply by configuring iptables. The REDIR target can only be used to target processes running on the local system. I believe attempting to use a DNAT target to forward the to the remote squid box would remove some of the information the remote squid box needs to properly handle the request

If you allow me to guess a bit. I think you are trying to leave the default gateway as 192.168.1.1 on your host and then send your port 80 traffic across the vpn right?

The remote squid needs some configuration so that it can actually act as a transparent proxy. If you can setup the correct iptables redirection on the squid host, and the remote host is in the network path, then it is possible to do use some advanced routing to forward all port 80 requests across the vpn.

P.S. If I am understanding your needs correctly add a comment, I can update my answer with more details about how to setup routing.

Iptables – By passing squid for few hosts using iptables

You are not going to be able to achieve this unless you are using a transparent proxy - which you are not. With an explicitly configured proxy iptables would only be able to see the conversation between the the client host, and the squid proxy. That would make traffic manipulation impossible because iptables would have no idea what website/IP address you are trying to get to.

You can do it fairly easily the other way around with a transparent proxy however. That is to say have iptables redirect all www traffic to the proxy unless it meets certain criteria.

If using your proxy in transparent mode is an option for you then you can achieve your goal if you follow the guide below, but modify the prerouting stage in iptables to have exceptions just above the proxy redirect. Like so:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -s $PROXY_BYPASS_HOST -j RETURN
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port $SQUID-SERVER:$SQUID_PORT

SQUID/iptables transparent proxy howto

Best Answer

Related Solutions

Iptables – Transparent Proxy with Squid / iptables

Iptables – By passing squid for few hosts using iptables

Related Topic