4

I'm trying to force one PC to use a remote transparent squid proxy by re-routing all outgoing packets headed for port 80 to the squid proxy, although I'm having some difficulty with the exact iptables command line.

The mini-HOWTO at http://tldp.org/HOWTO/TransparentProxy-6.html has some good links for the two "extreme" cases: a three (or more) machine setup which has a client, router, and proxy, and a single machine setup where all three on the same machine.

In my setup, I have a machine (called foo), with an IP of 192.168.1.100. Normally, it connects to the internet through a router at 192.168.1.1, which does NAT and has a public IP. In this case, foo also is connected via an OpenVPN tunnel (foo's tunnel address is 10.8.0.5/6) to a machine called bar (remote address 10.8.0.1), which runs squid. I want to use iptables to route all outgoing packets from foo headed for port 80 to bar's squid proxy, on port 3128.

I haven't been able to figure out which chain and which targets to use; all my attempts have either been illegal (-A OUTPUT without -t nat and --to-destination) or just not done any good (various combinations of -A PREROUTING, OUTPUT, POSTROUTING, etc).

EDIT: The closest I think I got was this:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 10.8.0.1:3128

Now, no port 80 traffic gets anywhere, but at least it's getting processed. Using -A PREROUTING fails... maybe because the packets originate locally instead of being routed through the machine?

Mikeage

3 Answers

3

If I understand you correctly, what you want to do isn't going to be handled simply by configuring iptables. The REDIR target can only be used to target processes running on the local system. I believe attempting to use a DNAT target to forward the traffic to the remote squid box would remove some of the information the remote squid box needs to properly handle the request.

If you allow me to guess a bit, I think you are trying to leave the default gateway as 192.168.1.1 on your host and then send your port 80 traffic across the VPN, right?

The remote squid needs some configuration so that it can actually act as a transparent proxy. If you can set up the correct iptables redirection on the squid host, and the remote host is in the network path, then it is possible to use some advanced routing to forward all port 80 requests across the VPN.

P.S. If I am understanding your needs correctly, add a comment and I can update my answer with more details about how to set up routing.

Zoredache
  • I do want to leave the default gateway. I want to send port 80 traffic over the VPN, but to an intercepting proxy, not just via routing. – Mikeage May 15 '09 at 03:54
  • I've kind of given up on doing this just with iptables; I'm now trying routing. I have a problem with the basic routing, which I posted at http://serverfault.com/questions/9022/openvpn-iptables-nat-routing -- any ideas? – Mikeage May 17 '09 at 02:45
1

Go to foo and do this: telnet 10.8.0.1 3128

Does it work? In that case your vpn works!

Can you do a

GET / HTTP/1.1
Host: www.heise.de

Will it show a page? Then squid is configured to work as transparent proxy!

In that case the simple rules from your link should work:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.8.0.1:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d 10.8.0.1 -j SNAT --to iptables-box

(foo is the iptables-box you are working on)

Does this work?

Christian
  • The VPN works, and squid works. That was the easy part :) Your iptables rules look similar to the things I tried, but don't work. I think they're for the cases where there's externally generated traffic in 192.168.1.x which passes through 192.168.1.100. I need to forward traffic originating there. – Mikeage May 15 '09 at 03:55
  • If you get the first rule to run, then you should at least not be able to visit webpages anymore. tshark -i tunx or similar on foo and bar should show you that SYN packets for port 80 go over the VPN. Is that the case? Then we could look at the rest. What does "does not work" mean? What is your forward policy? Can you allow any kind of forwarding? The first rule above needs that forwarding over the vpn interface is allowed. Maybe you post your existing rules and what "ip a" and route print or route shows? – Christian May 15 '09 at 11:11
  • I don't think PREROUTING is right, since the packets originate on the 192.168.1.100 machine. If I use iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 10.8.0.1:3128, then I can see that no traffic can exit from 192.168.1.100 on port 80, but it doesn't arrive at 10.8.0.1 on port 3128. There's nothing firewalling any connections on 10.8.0.1 -- I can also telnet there from 192.168.1.100 on port 3128 and get to squid. – Mikeage May 15 '09 at 11:25
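The following script is an added example for the setup in the question and the rules discussed in this answer's comment thread; it is not code from the question, from any answer, or from the Squid project. It keeps the question's addresses (foo's tunnel address 10.8.0.5, bar's squid at 10.8.0.1:3128) and assumes the tunnel interface on foo is named tun0 (an assumption; OpenVPN may number it differently). Two points it makes concrete: locally generated packets never pass through PREROUTING, so the DNAT has to live in the nat OUTPUT chain; and after that DNAT the packet is re-routed out of the tunnel but keeps the source address chosen before the rewrite (foo's LAN address), so unless bar has a route back to 192.168.1.0/24 over the VPN its replies are lost, which is consistent with "nothing arrives on port 3128". Rewriting the source to foo's tunnel address in POSTROUTING keeps both directions inside the tunnel. The remaining caveat is on bar: squid there cannot consult foo's NAT table to learn the original destination, so in intercept mode it has to rely on the HTTP Host header, which is the kind of information loss the first answer is pointing at. With DRY_RUN=1 the script only prints the commands, which is also what the test checks.

```shell
#!/bin/sh
# Added example, not from the question or any answer. Redirect foo's own
# outbound port-80 connections to a transparent squid reached over a VPN.
# Assumed: tunnel interface tun0; addresses and port are from the question.
# DRY_RUN=1 prints the commands instead of applying them (needs root otherwise).
set -e

VPN_IF="${VPN_IF:-tun0}"            # assumed name of foo's OpenVPN interface
VPN_LOCAL="${VPN_LOCAL:-10.8.0.5}"  # foo's tunnel address (question)
PROXY_IP="${PROXY_IP:-10.8.0.1}"    # bar's tunnel address (question)
PROXY_PORT="${PROXY_PORT:-3128}"    # squid's port (question)
DRY_RUN="${DRY_RUN:-0}"

# Locally generated packets enter the nat table at OUTPUT, not PREROUTING,
# so the destination rewrite belongs here. Traffic already addressed to the
# proxy itself is excluded so the rule cannot loop on itself.
dnat_rule() {
    printf '%s' "iptables -t nat -A OUTPUT -p tcp --dport 80 ! -d ${PROXY_IP} -j DNAT --to-destination ${PROXY_IP}:${PROXY_PORT}"
}

# The source address was picked for the original route (eth0, foo's LAN
# address) before the DNAT re-routed the packet into the tunnel. Rewriting it
# to foo's tunnel address lets bar answer without a special return route.
snat_rule() {
    printf '%s' "iptables -t nat -A POSTROUTING -o ${VPN_IF} -p tcp -d ${PROXY_IP} --dport ${PROXY_PORT} -j SNAT --to-source ${VPN_LOCAL}"
}

# Verification step from the comment thread: after the rules are in place,
# port-80 SYNs should show up on the tunnel, rewritten to the proxy port.
capture_cmd() {
    printf '%s' "tcpdump -ni ${VPN_IF} 'tcp dst port ${PROXY_PORT} and tcp[tcpflags] & tcp-syn != 0'"
}

# Print or execute one command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$1"
    else
        sh -c "$1"
    fi
}

apply_rules() {
    run "$(dnat_rule)"
    run "$(snat_rule)"
}

# Usage: DRY_RUN=1 sh redirect.sh apply   (or as root without DRY_RUN)
if [ "${1:-}" = "apply" ]; then
    apply_rules
    echo "# check with: $(capture_cmd)"
fi
```

The DNAT rule deliberately carries no `-o tun0` match: in the OUTPUT chain the output interface is still the one from the first routing decision (eth0 for Internet destinations), so such a match would never hit. If bar does have a return route for 192.168.1.0/24 over the VPN, the SNAT rule can be dropped and squid will then see foo's real LAN address in its logs.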
0

Here you can see a brief article about transparent proxy with squid and iptables: http://www.linuxconfig.net/2009/11/14/creating-transparent-proxy-with-squid-and-iptables.html