Solved

Using iptables to route traffic through a proxy

Posted on 2007-07-26
Last Modified: 2008-01-09
Hey guys. I'm wondering if it's possible to route a specific address in my network through a proxy directly on the router. I need this because the device does not support entry of a proxy server to connect to the net, and I want to anonymise it.

How would I go about doing that? I have been experimenting but haven't been able to. The proxy would be outside of my network, and I need the rule to affect only one IP address in my network, on port 3074 UDP.

Any ideas are appreciated! Thanks a lot!
Question by:hacktek
13 Comments
 
LVL 18

Expert Comment

by:chuckyh
ID: 19576398
Maybe you should describe what you are trying to do so we can get a bigger picture. What kind of router is this?

Author Comment

by:hacktek
ID: 19578490
Sorry about that, I should have specified that since not all routers are equal. I have a Linksys WRT54G v4 running HyperWRT, which has a telnet mode in which I can access the modem's shell. From here I can manipulate iptables in the same fashion one would on a Linux workstation or server. Basically I want to route traffic from a certain device in my network and on a certain port (192.168.1.115:3074) through a transparent proxy, which could be on my own network or outside of it.

Author Comment

by:hacktek
ID: 19597080
Wow this can't be THAT hard that nobody has an answer =/
LVL 3

Expert Comment

by:gb-sdc
ID: 19623231
Port 3074: is that the source port of the traffic or the destination port on the proxy? (Web traffic is

Do you know what the interface names are on that router? (I can't remember what they are; could be wan0, lan0 ... maybe.)

Author Comment

by:hacktek
ID: 19629997
Port 3074 is the source of the traffic and the interface would be br0. The destination port of the proxy would most likely be 3128 or something along those lines, although that's not all that important for now. :)
LVL 3

Accepted Solution

by:
gb-sdc earned 2000 total points
ID: 19630425
The rules would be different depending on whether the proxy is on the inside, or the outside of your network.

Outside (easiest):
---
iptables -t nat -A PREROUTING -s x.x.x.x -p tcp --sport 3074 -i br0 -j DNAT --to y.y.y.y:Y

Replace x.x.x.x with the source IP address, y.y.y.y with the proxy IP address, and Y with proxy port.

If your router is already properly configured to do NAT then I think this is all you would need.
---

Inside:
---
iptables -t nat -A PREROUTING -s x.x.x.x -p tcp --sport 3074 -i br0 -j DNAT --to y.y.y.y:Y
iptables -t nat -A POSTROUTING -d y.y.y.y -p tcp --dport Y -j SNAT --to z.z.z.z

Replace x.x.x.x with the source IP address, y.y.y.y with the proxy IP address, Y with proxy port, and z.z.z.z with the internal IP address of the router.

You might also be able to get away with using this POSTROUTING rule instead (still need the PREROUTING rule):

iptables -t nat -A POSTROUTING -d y.y.y.y -p tcp --dport Y -j MASQUERADE
---
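As an added example (not code from the original thread or from gb-sdc's answer): a small POSIX-sh helper that builds the two rule sets from the accepted solution for one client, picks the hairpin SNAT rule automatically when the proxy sits on the LAN, and prints the commands for review before anything touches the router. The client address 192.168.1.115, source port 3074/UDP, interface br0 and router address 192.168.1.1 come from the thread; the proxy address 203.0.113.10:3128 (a documentation-range address standing in for y.y.y.y:Y), the /24 LAN assumption and the `valid_ipv4`, `proxy_is_inside`, `build_rules`, `apply_rules` and `show_rules` helpers are my own for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread: builds the nat-table
# rules from the accepted solution for one client and prints them for review.
# Nothing is applied unless apply_rules is called explicitly (as root).
#
# Assumed values (the proxy address and the /24 LAN are constructed for this
# example; client, port, interface and router address come from the thread):
CLIENT=192.168.1.115      # x.x.x.x: internal IP of the device to redirect
CLIENT_PORT=3074          # source port the device sends from
PROTO=udp                 # 3074 is UDP here; DNAT keeps the protocol, so the
                          # proxy must accept UDP too (use tcp for a TCP flow)
PROXY=203.0.113.10        # y.y.y.y: proxy address (documentation-range stand-in)
PROXY_PORT=3128           # Y: proxy port
ROUTER_LAN=192.168.1.1    # z.z.z.z: router's LAN address
LAN_IF=br0                # LAN bridge on the WRT54G

# Return 0 when $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Return 0 when proxy $1 shares the router's /24 ($2), i.e. sits inside the
# LAN. Assumes a /24 LAN; adjust the comparison for other netmasks.
proxy_is_inside() {
  [ "${1%.*}" = "${2%.*}" ]
}

# Print the rule set. $1 is the iptables chain action: -A to add (default),
# -D to remove exactly the same rules again.
build_rules() {
  action=${1:--A}
  for ip in "$CLIENT" "$PROXY" "$ROUTER_LAN"; do
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
  done
  # Redirect the client's packets to the proxy before the routing decision.
  echo "iptables -t nat $action PREROUTING -i $LAN_IF -s $CLIENT -p $PROTO --sport $CLIENT_PORT -j DNAT --to-destination $PROXY:$PROXY_PORT"
  if proxy_is_inside "$PROXY" "$ROUTER_LAN"; then
    # Proxy on the LAN: without this the proxy would answer the client
    # directly, bypassing the router that holds the DNAT state. Rewriting the
    # source to the router makes the reply come back through it (at the cost
    # of hiding the real client address from the proxy).
    echo "iptables -t nat $action POSTROUTING -d $PROXY -p $PROTO --dport $PROXY_PORT -j SNAT --to-source $ROUTER_LAN"
  fi
}

# Run the generated commands on the router (root required); apply_rules -D undoes them.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules must run as root on the router" >&2; return 1; }
  build_rules "${1:--A}" | while read -r cmd; do
    eval "$cmd" || return 1
  done
}

# Show the nat table with packet counters so you can confirm the rules match.
show_rules() {
  iptables -t nat -vnL PREROUTING --line-numbers
  iptables -t nat -vnL POSTROUTING --line-numbers
}

# Dry run: print the rules that would be applied.
build_rules -A
```

Two things to check before relying on this. The PREROUTING rule only matches packets whose source port is 3074; if the device picks ephemeral source ports and 3074 is really the destination port, match on `--dport` instead. And DNAT rewrites addresses, not protocols: a UDP packet stays UDP, so a proxy that only listens on a TCP port will never see it. Everything that does not match the rule still leaves through the router's normal NAT, so this redirects one flow, it does not make the device's other traffic anonymous. After `apply_rules`, run `show_rules` and watch the packet counters on the new lines climb while the device is active.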

Author Comment

by:hacktek
ID: 19630555
Thx! A couple more questions though:

1- Is the source IP address for the PREROUTING rule the device's internal IP address or the public IP the router uses?

2- Is it possible that I can route the packets from one protocol to another (or is it possible to set up a proxy that accepts connections on a UDP port)?

Thanks a lot, the points are almost yours :P

Author Comment

by:hacktek
ID: 19630559
I ask the second question because the protocol of port 3074 is UDP and the proxy I set up (Tor) listens on 8118 TCP.
LVL 3

Expert Comment

by:gb-sdc
ID: 19631662
1 = internal IP of the device that you want to redirect to the proxy
2 = I don't think so. The proxy needs to be able to handle UDP traffic.

Author Comment

by:hacktek
ID: 19631958
Thank you! You've been a great help! :)

Author Comment

by:hacktek
ID: 19631999
By the way, z.z.z.z would be the router's ip address right? (192.168.1.1)
LVL 3

Expert Comment

by:gb-sdc
ID: 19632264
Yup, that's the one.