force LAN hosts to go through proxy

7,543

There are at least two ways of doing this:

  1. Proxy auto-configuration URL via DHCP
  2. Transparent proxy redirection with iptables

The first option uses the WPAD mechanism:

In your DHCP server config, you must include option 252 (e.g. for dhcpd):

option local-proxy-config code 252 = text;
...
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.20 192.168.0.30;
  ...
  option local-proxy-config "http://your_http_server/proxy.pac";
}

Your proxy.pac is just a bit of JS which tells the browser what to proxy (e.g.):

function FindProxyForURL(url, host) {
    var proxy = "PROXY your_proxy_server:3128; DIRECT";
    var direct = "DIRECT";

    // no proxy for local hosts without domain:
    if(isPlainHostName(host)) return direct;

    // proxy everything else:
    return proxy;
}

The second option is to use iptables to redirect HTTP traffic transparently (e.g.):

# redirect port 80 from LAN clients (but not from the proxy itself) to the proxy
iptables -t nat -A PREROUTING -i eth0 ! -s your_proxy_server -p tcp --dport 80 -j DNAT --to your_proxy_server:3128
# source-NAT the redirected traffic so the proxy replies back via the iptables box
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d your_proxy_server -j SNAT --to iptables-box
# allow the redirected traffic to be forwarded to the proxy
iptables -A FORWARD -s local-network -d your_proxy_server -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
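As an added example, not part of the original answer: a small stand-alone Node.js harness that re-implements the PAC built-ins isPlainHostName, dnsDomainIs and isInNet and evaluates the PAC policy against sample URLs, so the rules can be checked before the proxy.pac URL is published via DHCP option 252. It extends the answer's FindProxyForURL to also bypass the 192.168.0.0/24 LAN from the dhcpd example and a hypothetical .internal.example domain; this isInNet only accepts dotted-quad literals (no DNS lookup), which is a simplification of this example.

```javascript
// Minimal re-implementation of the PAC helpers a browser normally provides.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit integer, or null.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Simplification: only IPv4 literals are matched; hostnames are not resolved.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return (h & m) === (p & m);
}

// The PAC policy, extended from the answer's version: bypass the proxy for plain
// hostnames, the LAN subnet from the dhcpd example, and a hypothetical internal
// domain; everything else goes through the proxy with DIRECT as fallback.
function FindProxyForURL(url, host) {
  const proxy = "PROXY your_proxy_server:3128; DIRECT";
  const direct = "DIRECT";
  if (isPlainHostName(host)) return direct;
  if (isInNet(host, "192.168.0.0", "255.255.255.0")) return direct;
  if (dnsDomainIs(host, ".internal.example")) return direct; // hypothetical domain
  return proxy;
}

// Extract the host the way a browser does before calling FindProxyForURL.
function resolveProxy(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Constructed sample URLs a LAN client might request.
for (const u of ["http://intranet/", "http://192.168.0.25/", "http://example.com/"]) {
  console.log(u, "->", resolveProxy(u));
}
```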

Author by Guss

Updated on September 18, 2022

Comments

  • Guss
    Guss almost 2 years

    I have an IPTables firewall on a Debian server, with a bunch of hosts behind it with masquerading. In the upstream network I don't have direct access to the internet, and I need to go through a proxy server to get to web sites.

    I want the hosts behind my firewall to automatically go through the proxy server without each host needing to set up proxy on their own (mostly because I want to be able to change the proxy address in a single point, because I have different proxies for different network scenarios).

    Is there a way to have IPTables force all outgoing traffic on port 80 and 443 to go through the proxy? If not, can I use some other readily available software to get the behavior I need?

  • jirib
    jirib over 10 years
    FYI, some DHCP options are ignored by some DHCP clients; it depends on whether your OS supports it out of the box or you have to hack it.
  • Guss
    Guss over 10 years
    @Chainik: I don't understand, in your iptables setup, what interface is upstream and what is downstream. Let's say that eth0 is upstream and eth1 is the LAN behind the firewall. How would that work?
  • Guss
    Guss over 10 years
    I'm not interested in running a proxy on the firewall, mainly because I'd still need to use the outboard proxy anyway, so it seems like a redundant setup. I'm familiar with -j REDIRECT but as far as I know it's only for ports on the localhost.
  • ab77
    ab77 over 10 years
    In the example above, they specified '-i eth0' and then '-o eth0', which stands for input interface eth0 and output interface eth0. If your packets are entering and leaving on different interfaces, you will need to adjust the commands accordingly. So in your case, adjust all input instances to '-i eth1' and all output instances to '-o eth0'. Hope that makes sense.
  • JDS
    JDS over 8 years
    "--to" is not listed as an argument in iptables man pages, or anywhere on the googles. Can anyone explain where the "--to your_proxy_server:3128" and the other "--to ..." args are coming from?
  • ab77
    ab77 over 8 years
    Those args are specific to *NAT commands: netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html