iptables doesn't redirect http traffic to my Squid proxy!
I think you are missing the destination port; try the following:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
Without --dport, you are forwarding traffic with destination port 3128 to local port 3128. What you want is traffic with destination port 80 forwarded to local port 3128.
Additionally, to show the nat rules, use:
iptables -t nat -L
However, the above rules will not work for a transparent proxy setup on the same machine as the browser, because the PREROUTING chain alters packets before routing when they arrive from a remote client, and it does nothing for locally generated packets. Thus we should use the OUTPUT chain for locally generated packets which are going out from the system.
Try the following instead:
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-ports 3128
It will only redirect traffic for processes other than the ones owned by the proxy user.
Without -m owner ! --uid-owner proxy, it will not work, because the rule will also catch the proxy server's outgoing traffic and end up in a loop.
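As an added example (not from the original answer, and not Squid's or iptables' own code), here is a small POSIX sh script that installs the nat/OUTPUT rule idempotently, shows its packet counters, and lints an existing nat ruleset for the two mistakes that came up in this thread: a REDIRECT with no --dport, and a rule in PREROUTING (or in OUTPUT without the owner exclusion) when the browsers run on the same host as Squid. It assumes Squid listens on 127.0.0.1:3128 in intercept mode and runs as the user "proxy" (Ubuntu's default for the squid package); both are assumptions, not facts stated on this page, and are set through variables at the top.

```shell
#!/bin/sh
# Added example (not from the original answer): transparent Squid redirect for
# browsers on the SAME host as the proxy, plus a lint for the two mistakes in
# the thread. Assumed: Squid listens on 127.0.0.1:3128 in intercept mode and
# runs as user "proxy" (Ubuntu's default); change the variables if not.
PROXY_USER="${PROXY_USER:-proxy}"
PROXY_PORT="${PROXY_PORT:-3128}"
IPT="${IPT:-iptables}"            # IPT="echo iptables" gives a dry run

# Match/target part shared by -C (check), -A (append) and -D (delete).
# nat/OUTPUT because PREROUTING never sees locally generated packets, and
# "-m owner" is only valid in OUTPUT/POSTROUTING anyway. "! --uid-owner"
# excludes Squid's own upstream connections: without it they would be
# redirected back into Squid, an endless loop.
rule_spec() {
    printf '%s' "-p tcp --dport 80 -m owner ! --uid-owner $PROXY_USER -j REDIRECT --to-ports $PROXY_PORT"
}

# Idempotent add: -C returns 0 if an identical rule already exists.
install_rule() {
    if $IPT -t nat -C OUTPUT $(rule_spec) 2>/dev/null; then
        echo "rule already present"
    else
        $IPT -t nat -A OUTPUT $(rule_spec)
    fi
}

remove_rule() {
    $IPT -t nat -D OUTPUT $(rule_spec)
}

# The pkts/bytes counters show whether browser traffic actually hits the rule.
show_rules() {
    $IPT -t nat -L OUTPUT -n -v --line-numbers
}

# Lint "iptables -t nat -S" output (iptables-save syntax) read from stdin.
# -S prints the uid numerically, so only the "! --uid-owner" part is checked.
# Prints one line per finding and returns the number of WARN findings, so 0
# means the ruleset has what a same-host transparent proxy needs.
lint_nat_rules() {
    lint_warnings=0
    lint_have_output=0
    while IFS= read -r rule; do
        case "$rule" in
            *"-j REDIRECT"*) ;;          # only REDIRECT rules matter here
            *) continue ;;
        esac
        case "$rule" in
            *"--dport"*) ;;
            *) echo "WARN: no --dport, every TCP port is sent to the proxy: $rule"
               lint_warnings=$((lint_warnings + 1)) ;;
        esac
        case "$rule" in
            "-A OUTPUT "*)
                lint_have_output=1
                case "$rule" in
                    *"! --uid-owner"*) ;;
                    *) echo "WARN: OUTPUT rule does not exclude the proxy user, Squid's own requests loop back: $rule"
                       lint_warnings=$((lint_warnings + 1)) ;;
                esac ;;
            "-A PREROUTING "*)
                echo "NOTE: PREROUTING only sees packets from other hosts, not local browsers: $rule" ;;
        esac
    done
    if [ "$lint_have_output" -eq 0 ]; then
        echo "WARN: no REDIRECT rule in nat/OUTPUT, browsers on this host are not redirected"
        lint_warnings=$((lint_warnings + 1))
    fi
    return "$lint_warnings"
}

case "${1:-}" in
    install) install_rule ;;
    remove)  remove_rule ;;
    status)  show_rules ;;
    lint)    $IPT -t nat -S | lint_nat_rules ;;
    *) ;;   # no argument: just define the functions (file can be sourced)
esac
```

Run it as root with install, status (watch the pkts/bytes column on the rule while loading a page) or lint. Keep in mind what the rule does not cover: only TCP port 80 is redirected, so HTTPS is untouched, anything running as the proxy user bypasses Squid by design, and nat rules are gone after a reboot unless you save them with iptables-save.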
Naveen
Updated on September 18, 2022

Comments
- Naveen (over 1 year ago): I arranged a transparent Squid proxy which listens on port 3128 on localhost, to block some web sites. I've tested the proxy using Firefox, and it works. Then I ran this, hoping to redirect all the http requests to the proxy:
  sudo iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 3128
  Sadly, nothing happens. The other browsers in my system don't seem to be using the proxy. I don't want to configure each browser to use the proxy either. sudo iptables -L shows no rules assigned. I'm on Ubuntu 13.04, and using a 3G USB modem (ppp0) to connect to the Internet. Any advice is appreciated!
- Naveen (about 11 years ago): :( No effect.. This is the output: i.imgur.com/OXtNVEw.jpg
- John Siu (about 11 years ago): What is the output of 'iptables -t nat -L'?
- Naveen (about 11 years ago): Now I'm seeing a new NAT rule: tinyuploads.com/images/9aAd1e.jpg
- Naveen (about 11 years ago): ..but the other browsers aren't going through the proxy. My Squid access.log doesn't record the network activity of other browsers.
- John Siu (about 11 years ago): How is your proxy set up? Is it on the same box running the browser or a separate machine? Also post the output of ifconfig.
- Naveen (about 11 years ago): I'm running the proxy on the same machine I run web browsers on. It's a transparent proxy. The proxy runs on localhost:1328. Here is my squid.conf file: pastebin.com/R2RRhnbP
- Naveen (about 11 years ago): Here is the ifconfig output: paste.ubuntu.com/5710110
- Naveen (about 11 years ago): I'm using the ppp0 device.
- John Siu (about 11 years ago): Answer updated.
- Naveen (about 11 years ago): Ok.... The last command of your answer returns this: ip_tables: Invalid Argument. owner match: used from hooks PREROUTING, but only valid from OUTPUT/POSTROUTING
- Naveen (about 11 years ago): Hey John!! It works when a small modification is done to your command! sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-port 3128 Couldn't have done it without your loop theory. Thanks a lot! (your bounty will be added after 19 hours, as promised :)
- John Siu (about 11 years ago): You are welcome. I found out I made another mistake in my original answer too. I am too used to 8080 for proxy. LOL.
- Kulbir Saini (about 10 years ago): @JohnSiu I signed up on askubuntu just to upvote your answer! Thanks!