Redirect traffic to squid with iptables on the same machine

Posted on 2013-01-30
Last Modified: 2013-01-30
I have set up squid (v.3.2.6) to block distractions like Facebook, GMail, YouTube on a specific machine, which runs Arch Linux. This works fine if I set the proxy settings for the browser to squid (localhost:3128).

Now I want to redirect all traffic to the squid proxy. This should be possible with iptables (v.1.4.16) NAT table, but the sample solutions I have found don’t work for me. This does nothing:
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128


I also set the squid port to:
http_port 3128 intercept

If I change PREROUTING to OUTPUT, all the traffic seems to go over squid, but I get the error “The requested URL could not be retrieved”.

Just to clarify: squid and iptables are on the same machine. Any suggestions?
Question by: Zibi92
LVL 19

Expert Comment

ID: 38834775
Do you have a prior rule which permits localhost (i.e., squid) to reach dport 80? If not, then all your squid proxying will also be redirected back to itself.

Note that your description is a little light on which interface(s) this applies to and also how the Linux box sits in the network topology (is it the gateway?).

Author Comment

ID: 38834852
I'm very new to networking (I have read some articles over the past 2 days), so I am trying to understand what you mean.

By prior rule, do you mean a rule in iptables.rules? For testing purposes I allowed everything (I think):
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
#-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128


The Linux box is connected over a LAN card (eth0) to a router, which is connected to the internet. (I hope this is what you mean by network topology.)

Author Comment

ID: 38837027
OK, I found something that works:
-A OUTPUT -p tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128


But what is the difference between ":OUTPUT ACCEPT [0:0]" (which I thought accepts everything) and this specific rule (in line 1) that accepts the OUTPUT if it comes from the proxy group?

Did I understand the picture in this tutorial right?
I have to use the OUTPUT chain in this case (instead of the PREROUTING chain), because the packet is locally generated and delivered.
LVL 19

Accepted Solution

Barthax earned 500 total points
ID: 38837457
The output from Squid (which is --gid-owner proxy) must be headed to the correct Internet port outside your building. For example, Google's server is on ports 80 (HTTP) and 443 (HTTPS), so a Google request from your Squid (acting on behalf of your proxied client) must reach the destination with dport 80. If your Squid's outbound packet is altered to port 3128, it will reach Google's servers and not be served by the HTTP server residing there.

You have the tutorial correct. The localhost generates packets (rather than receiving packets from the network card) and therefore has no associated input activity for a PREROUTING rule to occur.

Sorry for the confusion earlier - your original indicates the need to redirect all traffic through the Squid and so I had thought the machine was acting as a bridge between two segments.  I didn't realise you intended all traffic generated by the machine itself.
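An added example, not from the thread or from either participant: it writes the working rule set from the accepted answer in iptables-restore format, and lints a saved rules file for the redirect loop Barthax describes (a REDIRECT in the nat OUTPUT chain with no preceding owner exemption). It assumes squid runs as group "proxy" and listens on 3128 in intercept mode; both names are taken from the thread.

```shell
#!/bin/sh
# Example code (not from the thread). Assumes squid runs as group "proxy"
# and has "http_port 3128 intercept" configured.

# Emit the nat table in iptables-restore format. Order matters: squid's own
# outbound requests must be exempted before the REDIRECT, otherwise they are
# sent back to port 3128 and the proxy talks to itself.
nat_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp --dport 80 -m owner --gid-owner proxy -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
EOF
}

# Load the rules without flushing other tables (needs root; not called here).
apply_rules() {
    nat_rules | iptables-restore --noflush
}

# check_loop [FILE]: read a saved rules file (or stdin) and report whether
# an OUTPUT REDIRECT appears before any owner-based exemption.
# Prints "ok" and returns 0, or prints "loop" and returns 1.
check_loop() {
    awk '
        /^-A OUTPUT/ && /--gid-owner|--uid-owner/ && /-j (ACCEPT|RETURN)/ { exempt = 1 }
        /^-A OUTPUT/ && /-j REDIRECT/ && !exempt                        { bad = 1 }
        END {
            if (bad) { print "loop"; exit 1 }
            print "ok"
        }
    ' "${1:--}"
}

# Self-check: the generated rule set must not loop.
nat_rules | check_loop
```

Run `check_loop /etc/iptables/iptables.rules` against the file the questioner edits to see which of the two rule orders it contains.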
