Zibi92
asked on
Redirect traffic to squid with iptables on the same machine
I have set up squid (v.3.2.6) to block distractions like Facebook, GMail, YouTube on a specific machine, which runs Arch Linux. This works fine if I set the proxy settings for the browser to squid (localhost:3128).
Now I want to redirect all traffic to the squid proxy. This should be possible with iptables (v.1.4.16) NAT table, but the sample solutions I have found don’t work for me. This does nothing:
*nat
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
I also set the squid port to:
http_port 3128 intercept
If I change the PREROUTING to OUTPUT, all the traffic seems to go through squid, but I get the error “The requested URL could not be retrieved”.
Just to clarify: squid and iptables are on the same machine. Any suggestions?
ASKER
I'm very new to networking (I have read some articles for the past 2 days), so I am trying to understand what you mean.
By "prior rule" do you mean a rule in iptables.rules? For testing purposes I allowed everything (I think):
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
#-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
The Linux box is connected via a LAN card (eth0) to a router, which is connected to the internet. (I hope this is what you mean by network topology.)
ASKER
OK, I found something that works:
*nat
-A OUTPUT -p tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
But what is the difference between ":OUTPUT ACCEPT [0:0]" (which I thought accepts everything) and this specific rule (in line 2) that accepts the OUTPUT if it comes from the proxy group?
Did I understand the picture in this tutorial right:
I have to use the OUTPUT chain in this case (instead of the PREROUTING chain), because the packet is locally generated and delivered.
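An added example (not code from the thread) that writes the working ruleset above as an iptables-restore nat table and lints it for the ordering it depends on: the chain policy ":OUTPUT ACCEPT" only decides the fate of packets that match no rule, whereas the owner ACCEPT rule terminates traversal for squid's own outbound connections before the REDIRECT rule can send them back into squid. The group name "proxy" and port 3128 are taken from the posts; adjust them to the user/group your squid actually runs as.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the nat table for a
# same-host transparent Squid redirect and checks the loop-guard ordering.
# Assumptions: squid runs with group "proxy" and listens on 3128 (intercept).

# Print an iptables-restore nat table: exempt squid's own group first,
# then redirect everything else bound for port 80 into squid.
build_nat_rules() {
    gid="${1:-proxy}"    # group squid runs as (assumed, as in the thread)
    port="${2:-3128}"    # squid "http_port <port> intercept"
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A OUTPUT -p tcp --dport 80 -m owner --gid-owner $gid -j ACCEPT" \
        "-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port $port" \
        'COMMIT'
}

# Read a ruleset on stdin; return 0 if an owner-based ACCEPT for port 80
# precedes the REDIRECT in the OUTPUT chain, 1 otherwise. Without that
# ordering squid's own upstream connections to port 80 are redirected back
# into squid, so no request ever reaches the origin server.
check_loop_guard() {
    awk '
        /^-A OUTPUT .*--dport 80 .*-m owner .*-j ACCEPT/ && guard == 0 { guard = NR }
        /^-A OUTPUT .*--dport 80 .*-j REDIRECT/ && redirect == 0 { redirect = NR }
        END { if (guard > 0 && redirect > 0 && guard < redirect) exit 0; exit 1 }
    '
}

# Usage: build_nat_rules proxy 3128 | check_loop_guard && echo "loop guard OK"
```

Load the generated table with `iptables-restore -n` (or via your iptables.rules file) only after the check passes.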
ASKER CERTIFIED SOLUTION
Note that your description is a little light on which interface(s) this applies to and also how the Linux box sits in the network topology (is it the gateway?).