IPTables configuration for Transparent Proxy [closed]
6

5

I am confused why my iptables rule does not work on the router. What I'm trying to do is redirect any packets from a source IP destined to port 80 and 443 to 192.168.1.110:3128. However, when I tried this:

 iptables -t nat -A PREROUTING -s 192.168.1.5 -p tcp --dport 80:443 -j DNAT --to-destination 192.168.1.110:3128

it does not work. However, when I add this,

iptables -t nat -A POSTROUTING -j MASQUERADE

it works. But the problem with masquerade is that I do not get the real IP but instead the IP of the router. I need to get the source IP so my proxy server can record all IPs connected to it. Can someone tell me how to make it work without making POSTROUTING jump to MASQUERADE?

Storebought answered 15/5, 2012 at 6:53 Comment(3)
As long as it is NAT you'll need masquerading. – Laniferous
Is there another way I could retain its original IP so once it reaches my proxy server I get its real IP rather than the IP of my router? – Storebought
I guess your problem is that the proxy cannot reply to your machine, because it has no route to it. Try adding a route for one address (on the proxy server, to the client), with your router as a gateway. NAT requires much less attention; maybe you need some other way to authenticate your clients. – Laniferous
6

For real transparent proxying you need to use the TPROXY target (in the mangle table, PREROUTING chain). All other iptables mechanisms like any NAT, MASQUERADE, REDIRECT rewrite the IP addresses of the packet, which makes it impossible to find out where the packet was originally intended to go.

The proxy program has to bind() and listen() on a socket like any other server, but needs some specific socket flags (which requires some Linux capabilities (type of permission) or root). – Once connected, there is some way to get the “intended server” from the OS.

Sorry, I’m a little lazy about the details, but searching for “TPROXY” as keyword will get you going quickly!

Gynous answered 25/11, 2014 at 0:45 Comment(4)
Yes and no. HTTP/1.1 clients will send the server name in the Host header and many HTTPS clients support SNI. This makes NAT good enough for some use cases. – Taxiplane
@Alex "Yes" to what and "no" to what? – Gynous
Sorry for being vague. Yes, you're correct that the destination address is not easily made available to the server process. That said, for HTTP & HTTPS the protocol itself contains the server host name, which may be good enough. – Taxiplane
@AlexJasmin I just couldn't stand that this question about transparent proxies had no answer talking about real transparent proxying! The rest are crutches. – Gynous
5

If I am not wrong, the correct syntax of the rule would be:

iptables -t nat -A PREROUTING -s 192.168.1.5 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.110:3128

--dport 80:443 will forward all ports from 80 to 443.
--dports 80,443 will forward ports 80 and 443 only.

If you want traffic hitting 192.168.1.5 on port 80 and 443 to be forwarded to 192.168.1.110's 3128 port then you should use the below rule:

iptables -t nat -A PREROUTING -d 192.168.1.5 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.110:3128

You should also make sure the gateway on 192.168.1.110 is pointed to your router's IP.

Finally you can use the masquerade rule as below.

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE

eth1 should be your outgoing interface.

Weldonwelfare answered 28/9, 2012 at 12:57 Comment(2)
What if the proxy requires authentication? – Parrisch
Don't forget to enable IP forwarding (this took me way too long): sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward' – Clarineclarinet
1

I had the same issue and the solution was to tell the transparent proxy to forward the source IP in the right header fields. In the case of my nginx proxy the rules were close to:

location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://name_of_proxy;
    proxy_redirect off;
}
Polak answered 22/1, 2015 at 15:39 Comment(0)
1

I used iptables -t nat -A PREROUTING -p tcp -s <foreign IP to your device> --dport 80:443 -j DNAT --to-destination <your application or local IP>:<port>. I think you did the PREROUTING on packets going out of your device, which never connect to port 80 or 443; this is for a web server connecting to the device. 192.168.1.5 is like my local address.

And remember to configure: echo 1 > /proc/sys/net/ipv4/ip_forward

Zita answered 31/8, 2016 at 22:27 Comment(0)
0

I think you are doing NAT in both directions by not specifying an interface. Try adding -o eth0 to your -j MASQUERADE line. (Substitute whatever your "external" interface is, instead of eth0, depending on your setup.)

Rheumatism answered 16/6, 2012 at 12:0 Comment(0)
0

I will add to Robert's post. For this to work you'll have to modify the proxy to enable (SOL_IP, IP_TRANSPARENT) for the listening socket.

Leu answered 7/5 at 19:45 Comment(0)
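Added example (not from any of the answers above) in Python, putting together what the TPROXY answer and the IP_TRANSPARENT note describe: the router-side mangle/PREROUTING rule with the policy routing it needs, and a proxy-side listener that sets IP_TRANSPARENT and recovers the address the client actually dialled with getsockname(), so the client's real source IP is never rewritten. Assumptions: Linux with the TPROXY target available, CAP_NET_ADMIN for the transparent socket, and the constructed choices of mark 1 and routing table 100; port 3128 is the proxy port from the question.

```python
import socket

# Constructed values, not from the posts: proxy port 3128 as in the question;
# mark 1 and routing table 100 are conventional choices for TPROXY setups.
PROXY_PORT = 3128
MARK = 1
TABLE = 100
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)  # Linux option number

def tproxy_rules(client_net, ports=(80, 443), port=PROXY_PORT, mark=MARK, table=TABLE):
    """Router-side commands: steer the client's web traffic to the TPROXY listener
    from the mangle table's PREROUTING chain, leaving src and dst addresses intact."""
    dports = ",".join(str(p) for p in ports)
    return [
        # Marked packets are delivered to a local socket instead of being forwarded.
        f"ip rule add fwmark {mark} lookup {table}",
        f"ip route add local 0.0.0.0/0 dev lo table {table}",
        f"iptables -t mangle -A PREROUTING -s {client_net} -p tcp -m multiport "
        f"--dports {dports} -j TPROXY --on-port {port} --tproxy-mark {mark}/{mark}",
    ]

def transparent_listener(bind_addr, port, transparent=True):
    """Proxy-side listening socket. IP_TRANSPARENT (needs CAP_NET_ADMIN) lets it
    accept connections addressed to non-local IPs; off for an unprivileged check."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        lst.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
    lst.bind((bind_addr, port))
    lst.listen(16)
    return lst

def accept_one(listener):
    """Accept one connection and return (real client IP, original destination).
    Under TPROXY the accepted socket's local name is the address the client dialled."""
    conn, client = listener.accept()
    original_dst = conn.getsockname()  # no NAT lookup or header rewriting needed
    conn.close()
    return client[0], original_dst

def loopback_demo():
    """Unprivileged self-check over loopback (transparent=False)."""
    lst = transparent_listener("127.0.0.1", 0, transparent=False)
    port = lst.getsockname()[1]
    cli = socket.create_connection(("127.0.0.1", port))
    result = accept_one(lst)
    cli.close()
    lst.close()
    return port, result
```

Run tproxy_rules("192.168.1.5") as root on the router to get the three commands to apply, and start the listener with transparent=True on 0.0.0.0:3128 on the proxy host; the loopback check only confirms the getsockname() logic without privileges.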

© 2022 - 2024 — McMap. All rights reserved.