Redirect traffic to squid with iptables on the same machine

Zibi92 asked:

I have set up squid (v3.2.6) to block distractions like Facebook, GMail and YouTube on a specific machine, which runs Arch Linux. This works fine if I set the proxy settings for the browser to squid (localhost:3128).

Now I want to redirect all traffic to the squid proxy. This should be possible with iptables (v.1.4.16) NAT table, but the sample solutions I have found don’t work for me. This does nothing:
*nat
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT

I also set the squid port to:
http_port 3128 intercept

If I change PREROUTING to OUTPUT, all the traffic seems to go through squid, but I get the error "The requested URL could not be retrieved".

Just to clarify, squid and iptables are on the same machine. Any suggestions?
Barthax replied:

Do you have a prior rule which permits localhost (i.e., squid) to reach dport 80? If not, then all your squid proxying will also be redirected back to itself.

Note that your description is a little light on which interface(s) this applies to and also how the Linux box sits in the network topology (is it the gateway?).
Zibi92 (asker) replied:

I'm very new to networking (I have read some articles over the past two days), so I am trying to understand what you mean.

With prior rule do you mean a rule in iptables.rules? For testing purposes I allowed everything (I think):
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
#-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] 
COMMIT

The Linux box is connected over a LAN card (eth0) to a router, which is connected to the internet. (I hope this is what you mean by network topology.)
Zibi92 (asker) replied:

OK, I found something that works:
*nat
-A OUTPUT -p tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT

But what is the difference between ":OUTPUT ACCEPT [0:0]" (which I thought accepts everything) and this specific rule (the first -A line) that accepts the output if it comes from the proxy group?

Did I understand the picture in this tutorial correctly:
I have to use the OUTPUT chain in this case (instead of the PREROUTING chain), because the packet is locally generated and delivered.
ASKER CERTIFIED SOLUTION

Barthax (this solution is only available to members of Experts Exchange)
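The two points the thread turns on are (1) locally generated packets never traverse nat PREROUTING, only nat OUTPUT, and (2) a chain policy such as ":OUTPUT ACCEPT" is consulted only when no rule matched, whereas an explicit "-j ACCEPT" rule in the nat table ends traversal for that packet, so a REDIRECT placed after it is never reached. Without that exemption squid's own connection to the origin server (also dport 80, also locally generated) is sent back to port 3128, which is the loop Barthax describes and the "could not be retrieved" error. The script below is an added example written for this page, not code from the original thread or from the squid project. It generates the nat table in iptables-restore format with the exemption in front of the redirect, and it classifies an arbitrary iptables-save style rule set as "ok", "loop" or "no-redirect". The group name proxy and port 3128 are taken from Zibi92's working rules; the function names nat_rules, classify_rules and apply_rules are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): transparent squid on the same
# host. Assumes squid runs with group "proxy" and "http_port 3128 intercept",
# as in the asker's working rules. Override with PROXY_GROUP / PROXY_PORT.

PROXY_GROUP="${PROXY_GROUP:-proxy}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Print the nat table in iptables-restore format. Order matters: the ACCEPT
# for squid's own sockets must precede the REDIRECT, because a matching
# ACCEPT ends traversal of the chain for that packet. The chain policy
# (":OUTPUT ACCEPT") only applies to packets that match no rule at all.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# squid's own outbound HTTP goes straight out; without this it loops to $PROXY_PORT
-A OUTPUT -p tcp --dport 80 -m owner --gid-owner $PROXY_GROUP -j ACCEPT
# every other local process talking to port 80 is handed to squid
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
COMMIT
EOF
}

# Classify a rule set (iptables-save / iptables-restore text on stdin):
#   ok           an owner-match ACCEPT/RETURN precedes the REDIRECT in nat OUTPUT
#   loop         a REDIRECT in nat OUTPUT has no exemption before it
#   no-redirect  nothing in nat OUTPUT redirects dport 80 (e.g. PREROUTING only,
#                which local traffic never traverses)
classify_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && $1 == "-A" && $2 == "OUTPUT" && /--dport 80/ {
            if (/-m owner/ && (/-j ACCEPT/ || /-j RETURN/)) exempt = 1
            if (/-j REDIRECT/) { redirect = 1; if (!exempt) loop = 1 }
        }
        END {
            if (!redirect)  print "no-redirect"
            else if (loop)  print "loop"
            else            print "ok"
        }
    '
}

# Load the generated table (needs root). iptables-restore replaces the
# contents of each table present in its input, here only nat.
apply_rules() {
    nat_rules | iptables-restore
}

# Stand-alone demo: classify the generated rules and the asker's first
# OUTPUT-only attempt (constructed from the thread, no owner exemption).
if [ "${1:-}" = "demo" ]; then
    nat_rules | classify_rules
    printf '%s\n' '*nat' \
        '-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128' \
        'COMMIT' | classify_rules
fi
```

Run "sh thisfile.sh demo" to see "ok" followed by "loop". On the live system, "iptables-save -t nat | classify_rules" checks what is actually loaded, and "iptables -t nat -vnL OUTPUT --line-numbers" should show the ACCEPT rule's packet counter rising while squid fetches pages. The asker's "--to-port" spelling works because iptables accepts unambiguous option prefixes; the documented form is "--to-ports". Note that only port 80 is intercepted here: HTTPS connections bypass squid entirely, so a site that is also reachable over https is not blocked by this setup.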