
I'm using Squid Proxy for DNS filtering. I have configured Squid behind my GCP Cloud NAT in transparent mode to intercept HTTP and HTTPS web traffic, and I have added only the rules below to redirect HTTP and HTTPS traffic to Squid.

iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 443 -j REDIRECT --to-port 3130

But as I have learned so far, Squid is a web proxy and only handles HTTP, HTTPS and FTP requests; Squid doesn't understand SMTP, UDP or any other protocol request. The above iptables rules only work for HTTP and HTTPS, and the rest of my SMTP and UDP requests are getting blocked. As I understand it, we can't tell Squid to handle SMTP and UDP requests, therefore I only want to handle HTTP and HTTPS traffic on Squid, and I also want the rest of my ports redirected directly to my GCP Cloud NAT.

Can anybody help me with which iptables rule I should write to redirect only port 80 and 443 requests to Squid, and to bypass or redirect the rest of the port requests directly to my GCP Cloud NAT?

Traffic Flow

Private VM -> Squid Proxy -> GCP Cloud NAT

1 Answer


To redirect only port 80 and 443 requests to Squid and bypass all other requests, you can modify the existing iptables rules as follows:

  1. Create an ACL in Squid to only allow HTTP and HTTPS requests. This can be done by adding the following lines to your Squid configuration file:

    acl Safe_ports port 80 443
    http_access allow Safe_ports

  2. Modify the iptables rules to only redirect HTTP and HTTPS requests to Squid:

    iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 80 -j REDIRECT --to-port 3129
    iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 443 -j REDIRECT --to-port 3130

  3. Add a new iptables rule to bypass all other requests and redirect them directly to your GCP Cloud NAT. The rule should look like this:

    iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp -m multiport ! --dports 80,443 -j DNAT --to-destination [GCP Cloud NAT IP address]

This rule will match all TCP traffic that is not on port 80 or 443, and redirect it directly to your GCP Cloud NAT.

Make sure to adjust the [GCP Cloud NAT IP address] to the correct IP address of your Cloud NAT instance.

With these rules, only HTTP and HTTPS traffic will be redirected to Squid for filtering, while all other traffic will be bypassed and redirected directly to your GCP Cloud NAT.

  • Still my port 25 and other requests are getting blocked. I've added the above rule; it is getting packets, but somewhere in the middle they get dropped. Is there any way we can directly forward traffic to the next hop without DNAT? – sanket jaiswal Feb 21 '23 at 09:42
  • Working using this solution: https://stackoverflow.com/questions/2601400/squidiptables-how-do-i-allow-https-to-pass-through-and-bypassing-squid/2607361#2607361 – sanket jaiswal Feb 24 '23 at 06:44
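As an added example (not from the question, the answer, or the linked thread), here is a rule set that intercepts only TCP 80/443 into Squid and lets everything else (SMTP, UDP, other TCP ports) leave along the proxy host's default route toward Cloud NAT, without any DNAT: the packets are simply forwarded and masqueraded to the proxy VM's own address so the upstream NAT sees them as the proxy's traffic. The interface name and private subnet are assumptions; the Squid ports 3129/3130 are the question's.

```shell
#!/bin/bash
# Added example: intercept only TCP 80/443 into Squid; forward the rest.
# Assumptions: private VMs reach the proxy on $IFACE and live in $LAN_NET;
# Squid listens in intercept mode on 3129 (HTTP) and 3130 (HTTPS).
set -eu

IFACE="${IFACE:-ens4}"             # assumed; GCP VMs usually have one NIC
LAN_NET="${LAN_NET:-10.0.0.0/24}"  # assumed private VM subnet
HTTP_PORT=3129                     # Squid intercept port for HTTP
HTTPS_PORT=3130                    # Squid intercept port for HTTPS

# Print the rule set, one iptables command per line. Keeping "build" apart
# from "apply" lets the rules be reviewed or tested without root.
build_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $IFACE -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $HTTP_PORT
iptables -t nat -A PREROUTING -i $IFACE -s $LAN_NET -p tcp --dport 443 -j REDIRECT --to-port $HTTPS_PORT
iptables -A FORWARD -i $IFACE -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $IFACE -j MASQUERADE
EOF
}

# Apply on the proxy host (run as root). The kernel must forward packets,
# and the GCP instance must have IP forwarding enabled in its VM settings
# (assumed done out of band); otherwise the VPC drops forwarded packets.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    build_rules | sh -e
}

# Only touch the live firewall when explicitly asked: APPLY=1 ./rules.sh
if [ "${APPLY:-0}" = 1 ]; then apply_rules; fi
```

Traffic to ports other than 80/443 never hits a nat rule, so it is routed by the host's normal routing table; only the FORWARD and MASQUERADE rules need to exist for it to reach Cloud NAT.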