Iptables to redirect outgoing traffic to loopback

Posted on 2006-04-10
Last Modified: 2012-06-27
I'm using squid and need to redirect outgoing port 80 traffic to the loopback 3128 port.  I used

 iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner *username* -j REDIRECT --to-ports 3128

and setting the browser proxy to 127.0.0.1:80 worked fine.  However, several apps I have work through port 80 and can't be set to "proxy", and they fail.  If I tell my web server to just use port 80 directly I get an error that the host "/" cannot be found.

Obviously the above rule is redirecting the host's request to squid, and thinks my local computer is google.com or whatever.  Squid chokes on just a page name coming in and the whole thing fails.  What I need to do is redirect the request that is going out to a port 80 so the whole request filters through 127.0.0.1:3128 as if it were a proxy.

Is there any way to do this?
Question by:KurtVon

Expert Comment

by:Gabriel Orozco
ID: 16423450
Hello KurtVon

You cannot redirect a port in the OUTPUT table. If you want to rewrite the destination BEFORE the packet is processed, you should use PREROUTING. So, the rule is as follows:

iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
($LAN is eth0 or eth1, your internal LAN device)

that's the rule I have on my iptables.

However, you should also configure squid for transparent mode, that is, to look in the headers for the site it should get, since the real IP address has been rewritten to 127.0.0.1:3128 by your iptables.

So, to run Squid in transparent mode, enable the following directives in squid.conf.

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Author Comment

by:KurtVon
ID: 16427240
I only have an eth0 on this machine, but the rule doesn't seem to be doing anything.  I checked the iptables list and it is there, but setting the web browser to a direct internet connection allows all websites through.

Even if the prerouting worked, though, it filters all traffic.  I was hoping to use the owner filter to limit the redirection to just my daughter's whitelisted sites (she's five, I don't think ip filtering at that age is evil).  Now it's not like I want the sixteen year old visiting naked-people-doing-scary-things.com, but I was hoping he was old enough to trust with looser constraints than just visiting noggin.com.

Accepted Solution

by:
Gabriel Orozco earned 500 total points
ID: 16428517
Hello KurtVon

This rule is exactly for setting the browser to a direct internet connection. That is why it is called a "transparent proxy": it should behave transparently.

If you do not see the rule doing anything, it should be because you have another rule that matches before the one I posted. Please change the rule to be
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

You should be able to see if packets are matching and traversing that rule if you issue
iptables -L -vn -t nat
and you should see some packets at the left of the rule (once you have browsed, that is).
---------

This said, I feel I didn't understand the whole picture here. Maybe you are trying to set up squid on the same computer you are using for browsing? (The rules I posted were for the case of some machines going to the internet through a Linux gateway with squid in transparent mode.)

If so, you cannot make a transparent proxy unless you enable some extended rules to "NAT" anything from localhost...
In such a case I would do this:

Set up squid, go to the browser and enable the proxy for the browser (your daughter is 5, so no problem that she can hack your rules),
and then disable any transaction from localhost to web pages. Then yes, your rule makes more sense to me, but the rule should match only direct access:
iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner *username* -j DROP

With this, she will be unable to browse directly, but will need squid to access the web. Squid should be configured to enable only the whitelists you mentioned.
But your own user will not match the rule, thus being able to access anything; of course, no squid for you.

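As an added example (not from the thread), a small POSIX shell check for the step the accepted answer describes: parse the output of `iptables -L -vn -t nat` and report whether the REDIRECT-to-3128 rule exists in a given chain and has actually matched packets. The sample output embedded below is constructed, with a made-up interface, UID and counters; on a real box you would pipe the live command output in instead.

```shell
# Added example, not from the thread: check the counters the accepted answer
# says to look at (`iptables -L -vn -t nat`) and say whether the
# REDIRECT-to-squid rule exists and has matched packets.
# SAMPLE_NAT is constructed output standing in for the live command; on a real
# box pipe `iptables -L -vn -t nat` into the functions instead.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 300 packets, 18000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001 tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 300 packets, 18000 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# redirect_hits CHAIN PORT  (reads `iptables -L -vn -t nat` output on stdin)
# Prints the pkts counter of the first REDIRECT rule in CHAIN that sends
# tcp dpt:80 to PORT, or -1 when no such rule exists in that chain.
redirect_hits() {
    awk -v chain="$1" -v port="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "REDIRECT" && /tcp dpt:80/ && $0 ~ ("redir ports " port "$") { print $1; found = 1; exit }
        END { if (!found) print "-1" }'
}

# redirect_status CHAIN PORT: one-line verdict for the admin.
# A rule with 0 pkts is the situation in the thread: either an earlier rule
# already matched, or the traffic never traverses this chain (locally generated
# packets go through nat OUTPUT, never PREROUTING).
redirect_status() {
    hits=$(redirect_hits "$1" "$2")
    if [ "$hits" -lt 0 ]; then
        echo "MISSING: no REDIRECT dpt:80 -> $2 rule in $1"
    elif [ "$hits" -eq 0 ]; then
        echo "UNUSED: rule present in $1 but 0 packets matched; check rule order and which chain the traffic uses"
    else
        echo "OK: $hits packets redirected to $2 via $1"
    fi
}

printf '%s\n' "$SAMPLE_NAT" | redirect_status PREROUTING 3128
printf '%s\n' "$SAMPLE_NAT" | redirect_status OUTPUT 3128
```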

Author Comment

by:KurtVon
ID: 16428819
Aha, that is the issue.  Since I don't have a machine I keep on all the time, I'm running squid on the machine that is also doing the browsing.  So I set my browser proxy to 127.0.0.1:3128.

And my rule was working fine for blocking non-proxied web browsing.  The problem is she has a weather applet (she's studying weather in school) and an RSS feed from the My Little Pony website.  Neither of these applets has proxy settings that I can see, so I have to do the redirect in iptables unless there is another trick.  Not that I'm mourning the loss of a live feed from My Little Pony.

I'd love to rely on just the fact that she doesn't know how to change the proxy settings, but some playdates are with kids that have older brothers, and I'd like to stay on speaking terms with their parents if the kid messes with the settings.

Expert Comment

by:Gabriel Orozco
ID: 16432133
understood...

could you open only the ip address of the weather site?

Author Comment

by:KurtVon
ID: 16435910
I'm not sure what you mean.  The app seems to work by doing an http request to the national weather bureau, and then parsing the response page.  Without a way to make it use a proxy I'm not sure what to do.  

If there was some way to control routing on a per-user basis at the interface I could set the routing table itself, but I was given the impression that only iptables can filter like that.  If it can't be done then it can't be done, I guess.

Author Comment

by:KurtVon
ID: 16438419
Hmph.  Answered my own question.  I have a script set the network to a proxy when she logs in.  Given that, blocking port 80 for her by user will ensure that even editing the proxy settings will not bypass the filter.

Thanks.

Expert Comment

by:Gabriel Orozco
ID: 16440867
Thank you