This is a discussion on iptables transparent proxy within the Linux Networking forums, part of the Linux Forums category.
Fritz Bayer <fritz-bayer@web.de> wrote:

> Hi,
>
> I'm trying to do something very simple. I would like to forward all of
> my browser's requests to port 8888 on which a proxy server is
> listening.
>
> I have a hardware router (ADSL) on 192.168.1.1 and my linux machine
> (Debian/testing Kernel 2.6.5) has the ip 192.168.1.4.

How is your network structured? For transparent proxying to work ok, your cache needs to be able to be in a position where it can intercept all the traffic, or it needs to have all relevant traffic forwarded to it.

Since most ADSL routers don't have the ability to forward port 80 to a different machine (such a thing is called a Level 4 switch), you would likely need to configure your network in the following way.

<Internet> --- <ADSL Router> --- <Linux> --- <Internal network>

This means that you would need to set up your Linux box as a router, and reconfigure your ADSL router and internal clients appropriately.

Alternatively, you could set your Linux box to act as a bridge instead of a router, but that is an advanced topic, and I can't, off the top of my head, remember how to do that.

You'll probably find it easier just to configure your browsers to use the proxy manually, particularly if you want to play with user proxy authentication later on.

--
Cameron Kerr cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!
Hi,

I'm trying to do something very simple. I would like to forward all of my browser's requests to port 8888, on which a proxy server is listening.

I have a hardware router (ADSL) on 192.168.1.1 and my linux machine (Debian/testing Kernel 2.6.5) has the ip 192.168.1.4.

I have read the mini howto, set up the kernel networking options and enabled ip forwarding (echo "1">).

Then I added the following rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8888

However, requests do not get redirected to port 8888. I have done this years before using iptables, so I'm not a complete novice.

What am I doing wrong? I managed to log outgoing packets by adding a LOG target to the OUTPUT chain:

Jun 11 14:00:59 debian kernel: IN= OUT=eth0 SRC=192.168.1.4 DST=216.239.51.147 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=38360 DF PROTO=TCP SPT=33079 DPT=80 WINDOW=34320 RES=0x00 ACK URGP=0
....

However, I think the iptables command above should work? What am I doing wrong, or what could be the solution?
Fritz Bayer wrote:

> Hi,
>
> I'm trying to do something very simple. I would like to forward all of
> my browser's requests to port 8888 on which a proxy server is
> listening.
>
> I have a hardware router (ADSL) on 192.168.1.1 and my linux machine
> (Debian/testing Kernel 2.6.5) has the ip 192.168.1.4.
>
> I have read the mini howto, set up the kernel networking options and
> enabled ip forwarding (echo "1">).
>
> Then I added the following rule:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 8888
>
> However, requests do not get redirected to port 8888. I have done this
> years before using iptables, so I'm not a complete novice.
>
> What am I doing wrong? I managed to log outgoing packets by adding a
> LOG target to the OUTPUT chain:
>
> Jun 11 14:00:59 debian kernel: IN= OUT=eth0 SRC=192.168.1.4
> DST=216.239.51.147 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=38360 DF
> PROTO=TCP SPT=33079 DPT=80 WINDOW=34320 RES=0x00 ACK URGP=0
> ...
>
> However, I think the iptables command above should work? What am I
> doing wrong, or what could be the solution?

Hi Fritz,

maybe you mixed up your interfaces: the log shows

> Jun 11 14:00:59 debian kernel: IN= OUT=eth0 SRC=192.168.1.4

so the data goes out on eth0, but your rule says

> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 8888

you redirect traffic coming in from eth0, not going out on eth0.

If iptables and the proxy are running on the same machine, your data flow should be

lo:80 -> redirect -> proxy -> eth0:8888 -> wire

Your rule looks like

wire -> eth0:80 -> redirect -> proxy -> ...

Another possibility is to redirect all traffic going out eth0, so all local and forwarded traffic gets redirected.

-> eth0:80 -> redirect -> proxy -> eth0:8888 -> wire

Hope this helps.
Thanks for your replies. I read them and played around a little bit.

The rule which I wrote down works for all other PCs on my LAN besides the Linux box on which the proxy runs. And you are right that I have to set this up on each PC. So I have to set the gateway to the Linux box, so that packets get routed through the Linux box and are not sent directly to the router. This makes me a bit happy.

However, I would like the browser Mozilla on the Linux box to use the proxy. Now, I don't want to set it. That's because I programmed it myself and it should be a transparent proxy, which makes a difference in the HTTP 1.1 spec on how it has to handle requests.

I also managed to insert a rule which sends packets leaving from the local box to port 8888. The problem with this is that the proxy also opens a connection to port 80, thereby the first rule gets applied again and I get stuck in an infinite loop.

Do you know which ruleset would do this? Forwarding requests originating from the local machine to port 80 to port 8888, but NOT forwarding those which are actually new requests from the proxy?
fritz-bayer@web.de (Fritz Bayer) wrote in news:a9c0aa9e.0406120007.3c9077b@posting.google.com:

> I also managed to insert a rule, which sends packets leaving from the
> local box to port 8888. The problem with this is, that the proxy also
> opens a connection to port 80, thereby the first rule gets applied
> again and I get stuck in an infinite loop.
>
> Do you know which ruleset would do this? Forwarding requests
> originating from the local machine to port 80 to port 8888. But NOT
> forwarding those which are actually new requests from the proxy?

I suggest you try this:

- bind the proxy to a specific ip, not to the lo interface
- change your REDIRECT rule to a DNAT rule to forward port 80 from any ip except the proxy's bind address to port 8888 on the proxy's bound address

ex: bind the proxy to your internal ip 192.168.1.4

squid.conf:
port=192.168.1.4:8888
or tcp_incoming_address=192.168.1.4

iptables -t nat -A PREROUTING -s !192.168.0.4 -d 0.0.0.0/0 -p tcp --dport 80 -i eth0 -j DNAT --to-destination 192.168.0.10:8888

If this is not clear or fully functional, you may also add an ip alias on the proxy box and bind the proxy to this alias ip.

Regards
Antoine EMERIT <reply_to_replay@daubededaube.nothing> wrote in message news:<XnF950678137B6BBantoineemerit@212.27.42.68>...

> fritz-bayer@web.de (Fritz Bayer) wrote in
> news:a9c0aa9e.0406120007.3c9077b@posting.google.com:
>
> > I also managed to insert a rule, which sends packets leaving from the
> > local box to port 8888. The problem with this is, that the proxy also
> > opens a connection to port 80, thereby the first rule gets applied
> > again and I get stuck in an infinite loop.
> >
> > Do you know which ruleset would do this? Forwarding requests
> > originating from the local machine to port 80 to port 8888. But NOT
> > forwarding those which are actually new requests from the proxy?
>
> I suggest you try this:
>
> - bind the proxy to a specific ip, not to the lo interface
> - change your REDIRECT rule to a DNAT rule to forward port 80 from any ip
>   except the proxy's bind address to port 8888 on the proxy's bound address
>
> ex: bind the proxy to your internal ip 192.168.1.4
>
> squid.conf:
> port=192.168.1.4:8888
> or tcp_incoming_address=192.168.1.4
>
> iptables -t nat -A PREROUTING -s !192.168.0.4 -d 0.0.0.0/0 -p tcp --dport
> 80 -i eth0 -j DNAT --to-destination 192.168.0.10:8888
>
> If this is not clear or fully functional, you may also add an ip alias
> on the proxy box and bind the proxy to this alias ip.
>
> Regards

But doesn't this mean: forward all new connections not coming from 192.168.0.4 with destination port 80 to port 8888 on 192.168.0.10?

But that's not what I want. I mean I want all connections with destination port 80 from the box on which the proxy is running to be forwarded to the local port 8888. And those originating from the proxy to be sent out to the world.
fritz-bayer@web.de (Fritz Bayer) wrote in news:a9c0aa9e.0406130107.1d02accb@posting.google.com:

>> - bind the proxy to a specific ip, not to the lo interface

bind the proxy to an alias interface, not the default one (e.g. 192.168.1.10).

>> - change your REDIRECT rule to a DNAT rule to forward port 80 from
>> any ip except the proxy's bind address to port 8888 on the proxy's bound address
>>
>> ex: bind the proxy to your internal ip 192.168.1.4

ex: bind the proxy to your internal ip 192.168.1.10

>> squid.conf:
>> port=192.168.1.4:8888
or tcp_incoming_address=192.168.1.10
port=192.168.1.4:8888
or tcp_incoming_address=192.168.1.10

>> iptables -t nat -A PREROUTING -s !192.168.0.4 -d 0.0.0.0/0 -p tcp
>> --dport 80 -i eth0 -j DNAT --to-destination 192.168.0.10:8888

iptables -t nat -A PREROUTING -s !192.168.1.10 -d 0.0.0.0/0 -p tcp --dport 80 -i eth0 -j DNAT --to-destination 192.168.1.10:8888

>> If this is not clear or fully functional, you may also add an ip
>> alias on the proxy box and bind the proxy to this alias ip.

That's the solution (see below).

>> Regards
>
> But doesn't this mean: forward all new connections not coming from
> 192.168.0.4 with destination port 80 to port 8888 on 192.168.0.10?

Correct, so use an ip alias to separate the proxy traffic from the client one (web browser).

> But that's not what I want. I mean I want all connections with
> destination port 80 from the box on which the proxy is running to be
> forwarded to the local port 8888. And those originating from the proxy
> to be sent out to the world.

I've understood this, but my previous solution works only for the lo interface.

Using an ip alias, as described above, should work.

Regards
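The loop Fritz ran into (the proxy's own connections to port 80 being sent back to port 8888) and the alias-address fix Antoine describes, written out as an added example; this is not code from the thread. It assumes the proxy box is the LAN gateway on eth0 with primary address 192.168.1.4, that the proxy is bound to the alias 192.168.1.10 on port 8888 (values constructed from the thread), and it handles the browser on the box itself through the nat OUTPUT chain, since locally generated packets never pass PREROUTING.

```shell
#!/bin/sh
# Added example, not from the thread: NAT rules for the transparent proxy
# set-up discussed here. Assumed (constructed from the thread): the proxy box
# is the LAN gateway on eth0 with primary address 192.168.1.4, and the proxy
# is bound to the alias address 192.168.1.10 on port 8888.
LAN_IF="${LAN_IF:-eth0}"
PROXY_IP="${PROXY_IP:-192.168.1.10}"
PROXY_PORT="${PROXY_PORT:-8888}"

run() {
    # With DRY_RUN set, print the command instead of executing it, so the
    # rule set can be reviewed (or checked) without root and without a kernel.
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_alias() {
    # Secondary address the proxy binds to. Its upstream connections then
    # carry this source address, which is what the rules below match on.
    run ip addr add "$PROXY_IP/24" dev "$LAN_IF" label "$LAN_IF:0"
    run sysctl -w net.ipv4.ip_forward=1
}

nat_rules() {
    # 1. LAN clients that use this box as gateway: their packets arrive on
    #    eth0 and pass PREROUTING. Locally generated packets never do.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
    # 2. The browser on the box itself: its packets are NATed in the nat
    #    OUTPUT chain. Excluding source $PROXY_IP lets the proxy's own
    #    connections to port 80 out untouched, which breaks the loop.
    #    DNAT rather than REDIRECT, because for locally generated packets
    #    REDIRECT maps to 127.0.0.1, where a proxy bound to the alias
    #    address is not listening.
    run iptables -t nat -A OUTPUT ! -s "$PROXY_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
}

nat_rule_count() {
    # Number of nat rules the script loads; handy as a self-check.
    ( DRY_RUN=1; nat_rules ) | grep -c -- '-t nat -A'
}

case "${1:-}" in
    apply) setup_alias && nat_rules ;;
    show)  DRY_RUN=1; nat_rules ;;
esac
```

Run it as `sh proxy-nat.sh show` to review the rules and as root with `apply` to load them. An alternative the thread does not discuss is to keep the primary address and exclude the proxy by its process owner instead, with `-m owner ! --uid-owner <proxy-user>` in the OUTPUT rule.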
Antoine EMERIT <reply_to_replay@daubededaube.nothing> wrote in message news:<XnF9507B1D3581CBantoineemerit@212.27.42.69>...

> fritz-bayer@web.de (Fritz Bayer) wrote in
> news:a9c0aa9e.0406130107.1d02accb@posting.google.com:
>
> >> - bind the proxy to a specific ip, not to the lo interface
>
> bind the proxy to an alias interface, not the default one (e.g.
> 192.168.1.10).
>
> >> - change your REDIRECT rule to a DNAT rule to forward port 80 from
> >> any ip except the proxy's bind address to port 8888 on the proxy's bound address
> >>
> >> ex: bind the proxy to your internal ip 192.168.1.4
>
> ex: bind the proxy to your internal ip 192.168.1.10
>
> >> squid.conf:
> >> port=192.168.1.4:8888
> or tcp_incoming_address=192.168.1.10
> port=192.168.1.4:8888
> or tcp_incoming_address=192.168.1.10

Well, I'm not using squid. The proxy I have written myself in java. So I'm not sure if I can't bind the java socket to an ip address other than 192.168.1.4 - I'm not even sure if that works, but I guess it should.

> >> iptables -t nat -A PREROUTING -s !192.168.0.4 -d 0.0.0.0/0 -p tcp
> >> --dport 80 -i eth0 -j DNAT --to-destination 192.168.0.10:8888
>
> iptables -t nat -A PREROUTING -s !192.168.1.10 -d 0.0.0.0/0 -p tcp
> --dport 80 -i eth0 -j DNAT --to-destination 192.168.1.10:8888
>
> >> If this is not clear or fully functional, you may also add an ip
> >> alias on the proxy box and bind the proxy to this alias ip.
>
> That's the solution (see below).
>
> >> Regards
> >
> > But doesn't this mean: forward all new connections not coming from
> > 192.168.0.4 with destination port 80 to port 8888 on 192.168.0.10?
>
> Correct, so use an ip alias to separate the proxy traffic from the client
> one (web browser).
>
> > But that's not what I want. I mean I want all connections with
> > destination port 80 from the box on which the proxy is running to be
> > forwarded to the local port 8888. And those originating from the proxy
> > to be sent out to the world.
>
> I've understood this, but my previous solution works only for the lo
> interface.
>
> Using an ip alias, as described above, should work.
>
> Regards