How to use iptables in linux to forward http and https traffic to a transparent proxy [closed]

Asked 23/5, 2012 at 20:36 Answered 7/4, 2014 at 16:45

Solved linux firewall iptables gateway transparentproxy

I have a Ubuntu linux system acting as a gateway system with two interfaces on it. One interface is for the local network and one interface is for the internet. I am able to route traffic through it with no problem at all. I use two iptables rules to forward outbound traffic from the internal interface:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

I now need to create an iptables rule that filters out and redirects all tcp port 80 and 443 traffic leaving my network through the eth1 interface and send it to a proxy server that resides on a loopback interface on tcp port 9090.

I have been searching all over SO but I have not been able to find an example that works. Is there an efficient way to do this?

Latifundium answered 23/5, 2012 at 20:36 Comment(1)

Off-topic for SO; belongs on Server Fault – Pantin 24/5, 2012 at 4:9

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 9090

HTTPS cannot be used with a transparent proxy. There are some hacks, but it doesn't make any sense and is useless.

Ensure answered 23/5, 2012 at 21:9 Comment(6)

Hey diegows, I think that this rule would just change the port of the packet and not the packet's destination IP, wouldn't it? – Latifundium 24/5, 2012 at 0:27

REDIRECT target redirects the packet to the local machine, ALWAYS :) – Ensure 24/5, 2012 at 16:46

HTTPS transparent proxy: tectut.com/2015/08/… – Georas 24/5, 2017 at 21:43

Transparent proxies can utilise HTTPS, why do you think they cant? – Koh 1/6, 2018 at 11:5

@Koh because you are expecing to talk end-to-end encrypted. A proxy doesn't add any value there. As I said, there are some acks, but not recommended. – Ensure 13/9, 2018 at 17:55

A proxy adds the value of data leaving the network via the proxy, the only system in most cases that is allowed to talk outside of the network. The https traffic could also be inspected via the proxy if your mitming it. So of course there is value, it depends on what you are trying to achieve. – Koh 14/9, 2018 at 19:37

iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

Where:

squid-box : your squid server
local-network : your network (in my case is 192.168.0.0/24)
iptables-box : where your iptables software reside (usually the gateway, in my case 192.168.1.1)

The first one sends the packets to squid-box from iptables-box. The second makes sure that the reply gets sent back through iptables-box, instead of directly to the client (this is very important!). The last one makes sure the iptables-box will forward the appropriate packets to squid-box. It may not be needed. YMMV. Note that we specified '-i eth0' and then '-o eth0', which stands for input interface eth0 and output interface eth0. If your packets are entering and leaving on different interfaces, you will need to adjust the commands accordingly.

Add these commands to your appropriate startup scripts under /etc/rc.d/

FROM: http://www.tldp.org/HOWTO/TransparentProxy-6.html

Lauryn answered 7/4, 2014 at 16:45 Comment(1)

does --dport 80 means only port 80 to be forwarded? can I forward all ports via squid? – Keli 9/4, 2019 at 16:57

Recommended topics

Hot tags