
I want to redirect all of the traffic from my instance to another instance that’s running a transparent squid proxy, using IP tables rules and NOT changing the instance’s default route.

Is it done on the POSTROUTING chain? What is the action? SNAT? MASQUERADE?

Does anyone have a working example?

I tried this:

# rewrite the destination of selected ports to the squid host (squid-ip is a placeholder)
iptables -t nat -A PREROUTING -p tcp -m multiport \
  --dports 80,443,2323 -j DNAT --to-destination squid-ip:3128

# hide the instance's source address on everything leaving ens5
iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE

Which obviously doesn't work. Thanks.

Moshe
    Please also check https://www.kernel.org/doc/Documentation/networking/tproxy.txt and https://wiki.squid-cache.org/Features/Tproxy4 . Should be tested with a minimal setup to test a PoC first before attempting more complex settings. It's a lot about routing, and a little about iptables. – A.B May 03 '21 at 14:25
  • @A.B care to write an answer? I didn't know about this target, this would be a great enhancement to this question! – Martin May 03 '21 at 14:36
  • @Martin I wouldn't know where to start sorry. It has to work in a simple setup first before attempting anything more complex. instance (probably Docker & co.) qualifies as something more complex. – A.B May 03 '21 at 15:24

1 Answer


This cannot be done easily with iptables; let me give you some insight. A transparent proxy sits between the user and the internet, and intercepts all packets which are being routed through it. For this to work (in a normal scenario), the transparent proxy looks at the source and the destination address, and does all the steps required to open the connection.

Now, let me tell you why iptables is not such a good choice for your requirements.

  • DNAT (changing the destination IP) is a bad idea, because the transparent proxy would not know anymore which destination the packet was meant for.
  • MASQUERADE is useless in this case, because this is a target to hide source subnets which the destination network has no route to (usually done at a home router to hide the private subnets from the internet).
  • SNAT would be even worse, because changing the source IP would result in the gateway sending back replies to the wrong IP...

What you really need is to dynamically change the gateway for the traffic you selected. Dynamic routing is a complicated topic, which I will not cover here. Maybe you should rethink changing the default gateway, this would be the easiest solution... Or, place two routes like this:

route add -net 0.0.0.0/1 gw <squid_ip>
route add -net 128.0.0.0/1 gw <squid_ip>

That way, your default gateway remains in place, even though it is not used anymore. But after deleting those two routes, your default gateway is back in business...

Martin
  • Thanks for the detailed answer. I tried to avoid changing the default route but according to your answer, it's inevitable. When trying to add a new route I get `SIOCADDRT: Network is unreachable`. Any idea? – Moshe May 03 '21 at 14:01
  • Sounds like you are trying to add a route to a gateway which is non-local... – Martin May 03 '21 at 14:37
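The two-halves trick from the answer, plus the on-link check behind the "Network is unreachable" error discussed in the comments, as an added example that is not part of the original question or answer. It uses iproute2 (`ip route`) instead of net-tools `route`; the addresses, the interface name and the `DRY_RUN` variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example: install 0.0.0.0/1 and 128.0.0.0/1 via the proxy host so they
# win over the /0 default route (longest prefix match) without touching it.
# The kernel refuses a "via" gateway that is not on a directly connected
# subnet, so the gateway is checked against the interface's CIDR first.

ip4_to_int() {
    # "a.b.c.d" -> 32-bit integer using only shell arithmetic
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix_mask() {
    # /n -> integer netmask; /0 is special-cased to avoid a 32-bit shift
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

gw_is_onlink() {
    # $1 = gateway IP, $2 = interface address in CIDR form (e.g. 10.0.1.10/24)
    gw=$(ip4_to_int "$1")
    addr=$(ip4_to_int "${2%/*}")
    mask=$(prefix_mask "${2#*/}")
    [ $(( gw & mask )) -eq $(( addr & mask )) ]
}

split_default_route() {
    # $1 = proxy (gateway) IP, $2 = interface CIDR, $3 = interface name
    # Prints the two ip route commands; runs them only when DRY_RUN=0 (root).
    if ! gw_is_onlink "$1" "$2"; then
        echo "gateway $1 is not on-link for $2: expect 'Network is unreachable'" >&2
        return 1
    fi
    for net in 0.0.0.0/1 128.0.0.0/1; do
        cmd="ip route add $net via $1 dev $3"
        echo "$cmd"
        if [ "${DRY_RUN:-1}" = 0 ]; then
            $cmd
        fi
    done
    return 0
}

# Usage (dry run by default): split_default_route 10.0.1.5 10.0.1.10/24 ens5
# Undo with: ip route del 0.0.0.0/1; ip route del 128.0.0.0/1
```

Removing the two routes restores normal use of the untouched default route, which is the property the answer relies on.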