
Redirect traffic to squid with iptables on the same machine

I have set up squid (v.3.2.6) to block distractions like Facebook, GMail, YouTube on a specific machine, which runs Arch Linux. This works fine if I set the proxy settings for the browser to squid (localhost:3128).

Now I want to redirect all traffic to the squid proxy. This should be possible with iptables (v.1.4.16) NAT table, but the sample solutions I have found don’t work for me. This does nothing:
*nat
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT



I also set the squid port to:
http_port 3128 intercept

If I change the PREROUTING to OUTPUT, all the traffic seems to go over squid, but I get the error "The requested URL could not be retrieved".

Just to clarify, squid and iptables are on the same machine. Any suggestions?
1 Solution
 
BarthaxCommented:
Do you have a prior rule which permits localhost (i.e., squid) to reach dport 80? If not, then all your squid proxying will also be redirected back to itself.

Note that your description is a little light on which interface(s) this applies to and also how the Linux box sits in the network topology (is it the gateway?).
 
Zibi92Author Commented:
I'm very new to networking (I have read some articles over the past 2 days), so I am trying to understand what you mean.

With prior rule do you mean a rule in iptables.rules? For testing purposes I allowed everything (I think):
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
#-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] 
COMMIT



The Linux box is connected over a LAN card (eth0) to a router, which is connected to the internet. (I hope this is what you mean by network topology.)
 
Zibi92Author Commented:
OK, I found something that works:
*nat
# Squid runs under group "proxy": let its own outbound port-80 connections leave untouched
-A OUTPUT -p tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
# every other locally generated port-80 connection is redirected to squid
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT


But what is the difference between ":OUTPUT ACCEPT [0:0]" (which I thought accepts everything) and this specific rule (in line 2) that accepts the OUTPUT if it comes from the proxy group?

Did I understand the picture in this tutorial right:
I have to use the OUTPUT chain in this case (instead of the PREROUTING chain), because the packet is locally generated and delivered.
 
BarthaxCommented:
The output from Squid (which is --gid-owner proxy) must be headed to the correct Internet port outside your building. For example, Google's server is on ports 80 (HTTP) and 443 (HTTPS), so a Google request from your Squid (acting on behalf of your proxied client) must reach the destination with dport 80. If your Squid's outbound packet is altered to port 3128, it will reach Google's servers and not be served by the HTTP server residing there.

You have the tutorial correct.  The localhost generates packets (rather than sending packets into the network card) and therefore has no associated input activity for a PREROUTING rule to occur.

Sorry for the confusion earlier - your original indicates the need to redirect all traffic through the Squid, and so I had thought the machine was acting as a bridge between two segments. I didn't realise you intended all traffic generated by the machine itself.
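The two points the thread settles (use nat/OUTPUT for locally generated packets, and put an owner-match ACCEPT for Squid's group ahead of the REDIRECT) are pulled together below in an added example script; it is not code from the thread or from Squid. A ":OUTPUT ACCEPT" policy only applies to packets that fall off the end of the chain without matching a rule, whereas the "-j ACCEPT" rule stops traversal in nat/OUTPUT for Squid's packets before they reach the REDIRECT, which is why rule order matters. The script assumes Squid runs as group "proxy" (check your distribution's squid user/group) and listens with "http_port 3128 intercept"; the group, port and loopback exemption are assumptions, and only TCP port 80 is handled. The second function reads an iptables-save style dump and reports whether the exemption precedes the REDIRECT, so a broken ordering (the loop that produces "The requested URL could not be retrieved") can be caught before loading the rules.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset that
# transparently redirects locally generated HTTP to Squid's intercept port,
# exempting Squid's own outbound connections, and check a ruleset for the
# redirect loop. Assumptions: Squid runs as gid "proxy" and listens on 3128.

PROXY_GROUP="${PROXY_GROUP:-proxy}"   # assumed Squid group name
PROXY_PORT="${PROXY_PORT:-3128}"      # assumed "http_port 3128 intercept"

# Emit a complete nat table for iptables-restore. Rule order is the point:
# the owner exemption must precede the REDIRECT, otherwise Squid's own
# port-80 connections are sent back to Squid and the request loops.
build_nat_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Do not intercept connections to services on this host itself (assumption).
-A OUTPUT -o lo -j ACCEPT
# Let Squid (gid $PROXY_GROUP) reach real web servers on port 80 untouched.
-A OUTPUT -p tcp --dport 80 -m owner --gid-owner $PROXY_GROUP -j ACCEPT
# Every other locally generated port-80 connection goes to Squid.
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
COMMIT
EOF
}

# Read a ruleset in iptables-save format on stdin. Returns 0 when nat/OUTPUT
# contains the REDIRECT and a "--gid-owner <group> -j ACCEPT" rule appears
# before it; returns 1 when the exemption is missing or comes after the
# REDIRECT (the loop the question ran into).
check_no_loop() {
    awk -v grp="$PROXY_GROUP" '
        /^\*/     { table = substr($0, 2) }     # "*nat", "*filter", ...
        /^COMMIT/ { table = "" }
        table == "nat" && /^-A OUTPUT / && /--dport 80/ {
            if ($0 ~ ("--gid-owner " grp " -j ACCEPT")) exempt = 1
            if ($0 ~ "-j REDIRECT") { redirect = 1; if (!exempt) bad = 1 }
        }
        END { exit (redirect && exempt && !bad) ? 0 : 1 }
    '
}

# Usage:  sh redirect.sh print | sudo iptables-restore
#         sudo iptables-save | sh redirect.sh check && echo "ordering ok"
case "${1:-}" in
    print) build_nat_rules ;;
    check) check_no_loop ;;
esac
```

Note that the owner match is only available for locally generated packets, which is the same reason the REDIRECT had to move from PREROUTING to OUTPUT in the first place; a ruleset for a gateway box proxying other hosts would instead use PREROUTING and would not need the exemption.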