
Hi, I'm using redsocks and iptables port-redirection rules to set up a transparent proxy, and it works fine, but I need to establish iptables rules for non-proxy access to the domains domain1.com and domain2.com, and to 10.0.0.0/8. Here are my actual redirection rules.

iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:5123
iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:5124

where ports 5123 and 5124 are the ports for redsocks.

Is it possible to bypass the port redirection for the desired domains and IPs?

efirvida
  • And what is the question? What are you trying? If you configure your client to use a specific port (3128/tcp for example) without transparent configuration, you can also have a "normal" proxy, without writing anything in iptables. – Dom Nov 23 '15 at 18:49
  • @Dom For example, if I configure Firefox with the and exceptions it works as I need, but I need this for other tools that don't have proxy configuration, and using the proxy as a global configuration didn't work because my proxy uses the secure/digest authentication method, not plain, and that is why I need redsocks. – efirvida Nov 23 '15 at 19:24
  • You can bypass the rule by adding, before the DNAT, another rule with -s 10.0.0.0/8 -j ACCEPT. This will allow the packet without DNAT. Concerning the domain, you can't (at least iptables will translate the name to an IP definitively). – Dom Nov 23 '15 at 19:51
  • @Dom So the rule will be `iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -s 10.0.0.0/8 -j ACCEPT -j DNAT --to-destination 127.0.0.1:5123`? – efirvida Nov 23 '15 at 20:23
  • `iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -s 10.0.0.0/8 -j ACCEPT`, you cannot have multiple "-j" options. – Dom Nov 24 '15 at 07:20
  • @Dom Many thanks!! Post it as an answer to give you an up-vote. – efirvida Nov 24 '15 at 16:07

1 Answer

You can define an ACCEPT rule before your DNAT rule. As usual in iptables, the first matched rule will be applied and no more (there can be exceptions, like LOG). So define a rule with -j ACCEPT for your internal networks before a rule with -j DNAT, like you propose.

The source IP can be defined in -s 10.0.0.0/8, and a name can be used, but it will be translated to an IP. The IP will not be refreshed. Remember that the DNS must be available if you use the name of the host!

iptables -t nat -A OUTPUT -o eth0 -s 10.0.0.0/8 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:5123
iptables -t nat -A OUTPUT -o eth0 -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:5124
Dom