My understanding is that normally any given packet will only ever interact with one iptables chain, either INPUT, FORWARD or OUTPUT. However, I want to have all traffic on port 80 that has neither its source nor its destination as the current machine (starts on the FORWARD chain) redirected to the current machine's port 3219 (ends up on the INPUT chain). The purpose of this is that I am running a transparent proxy and this machine is the network's router.

An iptables command and an explanation would be ideal, but if you have to choose, I would definitely prefer an explanation.

o.comp
  • Your second para has nothing to do with your first. To work with traffic that's simply passing through the machine, you get to it via the `FORWARD` chain. Whether or not it passes through any other `filter` chains is immaterial. – MadHatter Aug 12 '15 at 11:46
  • @MadHatter Would you suggest removing para 1? – o.comp Aug 12 '15 at 11:47
  • And the title, since if para 2 describes what you want to **do**, para 1 and the title are kind of irrelevant. Alternatively, could you explain more clearly why the only-traversing-one-chain thing is a problem. – MadHatter Aug 12 '15 at 11:53
  • There are many articles on setting up a transparent proxy under Linux. What have you read so far, and what didn't work? – larsks Aug 12 '15 at 11:54
  • I was more hoping for an explanation to what this, for example, is doing: `iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128` and `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128` – o.comp Aug 12 '15 at 12:00

1 Answer

> My understanding is that normally any given packet will only ever interact with one iptables chain either INPUT FORWARD or OUTPUT.

Your understanding is false, or at best simplistic. A packet will usually be processed on at least 3 separate tables and various chains on these tables. When you are looking only at the filter table, then a packet normally will only fit INPUT/OUTPUT/FORWARD. But on the other tables, you will hit multiple chains at different stages. For example, a packet being routed from one interface to another will hit the PREROUTING and POSTROUTING chains on the nat table.

There are various flow diagrams you can find for iptables. None of them will really give you a perfect understanding of what is going on, but look through a bunch of them. Usually you should be able to get an understanding when you look at them together.

Zoredache
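The rule set behind the question's setup, and behind the REDIRECT command the asker's comment wonders about, as an added example that is not part of the original question or answer. It assumes `eth0` is the LAN-facing interface and `192.168.1.1` the router's address on it (both taken from the comment's sample commands), with 3219 as the proxy port from the question; the function only prints the rules unless `APPLY=1` is set, so the logic can be read before anything is changed.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumed values: LAN interface, the router's own LAN address, proxy port.
LAN_IF="${LAN_IF:-eth0}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
PROXY_PORT="${PROXY_PORT:-3219}"

# The nat PREROUTING chain runs before the routing decision, so it sees every
# packet arriving on LAN_IF: traffic that would be forwarded AND traffic
# addressed to this router. Packets this host generates itself (the proxy's
# own upstream connections) never enter PREROUTING; they pass through nat
# OUTPUT instead, so they are not caught and looped back into the proxy.
redirect_rules() {
    # "! -d ROUTER_IP" excludes connections whose destination is already this
    # machine, matching the question's "neither source nor destination" wish.
    # REDIRECT rewrites the destination to the address of LAN_IF:PROXY_PORT;
    # the routing decision that follows then delivers the packet locally, so
    # it continues through filter INPUT rather than filter FORWARD.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 ! -d $ROUTER_IP -j REDIRECT --to-ports $PROXY_PORT"
    # The redirected connections now arrive on filter INPUT; admit them only
    # from the LAN side so the proxy port is not reachable from the outside.
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT"
}

if [ "${APPLY:-0}" = "1" ]; then
    redirect_rules | sh -e     # apply for real (requires root)
else
    redirect_rules             # dry run: show what would be applied
fi
```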