
I have a local transparent proxy, but my problem is that packets, when re-routed, have the router IP and not the user. These are the rules that I currently have in place:

iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.1.231 -p tcp -m multiport --dport 80 -j DNAT --to 192.168.1.231:3128
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -d 192.168.1.231 -j SNAT --to 192.168.1.1
iptables -A FORWARD -s 192.168.0.0/16 -d 192.168.1.231 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
iptables -I FORWARD -i eth0 -p tcp -m multiport --dport 80 -j DROP
  • 192.168.1.231 = proxy server (squid) + DNS server
  • 192.168.1.1 = iptables/router (CentOS)

Everything seems to be working, but the IP in the proxy log is always 192.168.1.1 instead of, say, 192.168.1.46 or 192.168.4.25.

This is important for me because I have different squid rules for 192.168.4.XX (DHCP) vs 192.168.1.XX or 192.168.2.XX, and it would also really help me with finding who is misusing the internet.

kasperd
Fabrizio
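The symptom described in the question (every Squid log entry carrying the router's address, so the per-subnet rules can never match) can be checked directly from access.log. The following is an added example, not code from the question or any answer: it parses Squid's native access.log format, counts how many entries are attributed to the router IP instead of a real client, and reports which of the question's subnet policies each entry would have matched. The sample log lines are constructed for the example; the subnet-to-policy mapping is an assumption based on the ranges named in the question.

```python
import ipaddress
from collections import Counter

ROUTER_IP = "192.168.1.1"  # the iptables box from the question; SNAT rewrites clients to this
# Assumed mapping of the subnets the question's Squid ACLs distinguish
SUBNET_POLICY = {
    ipaddress.ip_network("192.168.4.0/24"): "dhcp",
    ipaddress.ip_network("192.168.1.0/24"): "static",
    ipaddress.ip_network("192.168.2.0/24"): "static",
}

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1386000000.123    245 192.168.1.1 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1386000001.456     12 192.168.1.1 TCP_HIT/200 2048 GET http://example.com/a.png - NONE/- image/png
1386000002.789    310 192.168.4.25 TCP_MISS/200 7777 GET http://example.org/ - DIRECT/93.184.216.34 text/html
1386000003.000     90 192.168.1.46 TCP_MISS/304 0 GET http://example.net/ - DIRECT/93.184.216.34 text/html
"""

def parse_line(line):
    """Return {client, url, bytes} for one native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ipaddress.ip_address(fields[2])  # validate the client column
        return {"client": fields[2], "url": fields[6], "bytes": int(fields[4])}
    except ValueError:
        return None

def classify(client):
    """Which policy an entry would fall under; 'masked' means the NAT hid the real client."""
    if client == ROUTER_IP:
        return "masked"
    addr = ipaddress.ip_address(client)
    for net, policy in SUBNET_POLICY.items():
        if addr in net:
            return policy
    return "unknown"

def audit(log_text):
    """Count entries per client and per policy, and how many are unattributable."""
    per_client, per_policy = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        per_policy[classify(rec["client"])] += 1
    total = sum(per_client.values())
    masked = per_client[ROUTER_IP]
    return {"total": total, "masked_by_router": masked,
            "masked_ratio": masked / total if total else 0.0,
            "per_policy": dict(per_policy), "per_client": dict(per_client)}
```

With the SNAT rule in place, the masked count approaches the total and the per-policy breakdown collapses to "masked", which is exactly why the DHCP-versus-static ACLs stop distinguishing anything.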

3 Answers

With this method you can avoid NAT packet alterations.

At the iptables box:

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s squid-box
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
ip rule add fwmark 3 table 2
ip route add default via squid-box dev eth1 table 2

At the squid box:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

See here for more details: http://www.tldp.org/HOWTO/TransparentProxy-6.html

Pat

I am unsure about my interpretation of your setup, but maybe the forwarding works like this:

# HTTP Forward (TCP Port 80)
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 192.168.1.1 --dport 80 -j DNAT --to 192.168.1.231:3128
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.1.231 -j SNAT --to-source 192.168.1.1
iptables -A FORWARD -p tcp -s 192.168.1.1 --sport 80 -j ACCEPT

# DNS Forward (TCP & UDP Port 53)
iptables -t nat -A PREROUTING -p udp -s 0/0 -d 192.168.1.1 --dport 53 -j DNAT --to 192.168.1.231:53
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 192.168.1.1 --dport 53 -j DNAT --to 192.168.1.231:53
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.1.231 -j SNAT --to-source 192.168.1.1
iptables -A FORWARD -p udp -s 192.168.1.1 --sport 53 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.1 --sport 53 -j ACCEPT
eKKiM

So your setup looks like this: clients -> router -> proxy. If traffic from the proxy to the clients flows through the router, you can simply remove the SNAT rule without breaking anything, since the router will see the reply packets and can do the necessary IP translation on them. If that is not the case, then you can add routes on the proxy toward the clients via the router, so we're back to case #1. If this is not possible, then you can also install an HTTP proxy on the router, which will inform your proxy of the original user's IP via an X-Forwarded-For header.

You can also use Pat's answer with a slight modification:

iptables -A PREROUTING -t nat -i eth0 ! -d $proxy_ip -p tcp --dport 80 -j REDIRECT --to-port 3128

This way only the redirected traffic gets redirected again to the squid proxy, and the Apache running on the same server can be used normally.