7

I arranged a transparent Squid proxy which listens to port 3128 on localhost, to block some web sites.

I've tested the proxy using Firefox, and it works.

Then I ran this, hoping to redirect all the http requests to the proxy:

sudo iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 3128

Sadly, nothing happens. The other browsers on my system don't seem to be using the proxy. I don't want to configure each browser to use the proxy, either.

sudo iptables -L shows no rules assigned.

I'm on Ubuntu 13.04, and using a 3G USB modem (ppp0) to connect to the Internet. Any advice is appreciated!

Eliah Kagan
Naveen

1 Answer

13

I think you are missing the destination port; try the following:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128

Without dport, you are forwarding traffic with destination port 3128 to local port 3128. What you want is traffic with destination port 80 forward to local port 3128.

Additionally, to show nat rules, use

iptables -t nat -L

However, the above rules will not work for a transparent proxy set up on the same machine as the browser, because the PREROUTING chain alters packets from a remote client before routing and will not do anything for locally generated packets. Thus we should use the OUTPUT chain for locally generated packets which are going out from the system.

Try following instead

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-port 3128

It will only redirect traffic for processes other than the ones owned by the proxy user.

Without -m owner ! --uid-owner proxy, it will not work because the rule will also catch the proxy server's outgoing traffic and end up in a loop.

sgon00
John Siu
  • :( No effect.. This is the output: http://i.imgur.com/OXtNVEw.jpg – Naveen Apr 15 '13 at 09:48
  • 2
    What is the output of 'iptables -t nat -L'? – John Siu Apr 15 '13 at 10:20
  • Now I'm seeing a new NAT rule : http://www.tinyuploads.com/images/9aAd1e.jpg – Naveen Apr 15 '13 at 10:28
  • ..but the other browsers aren't going through the proxy. My squid access.log doesn't record network activities of other browsers. – Naveen Apr 15 '13 at 10:30
  • 1
    How is your proxy setup? Is it on the same box running the browser or a separate machine? also post output of `ifconfig`. – John Siu Apr 15 '13 at 10:42
  • I'm running the proxy on the same machine I run Web Browsers. It's a transparent Proxy. The proxy runs on the localhost:1328. Here is my squid.conf file: http://pastebin.com/R2RRhnbP – Naveen Apr 15 '13 at 11:14
  • Here is the **ifconfig** output: http://paste.ubuntu.com/5710110/ – Naveen Apr 15 '13 at 11:16
  • I'm using **ppp0** device – Naveen Apr 15 '13 at 11:17
  • Answer updated. – John Siu Apr 15 '13 at 11:30
  • Ok.... The last command of your answer returns this: ip_tables: **Invalid Argument. owner match: used from hooks PREROUTING, but only valid from OUTPUT/POSTROUTING** – Naveen Apr 15 '13 at 11:36
  • Hey John!! It works when a small modification is done to your command! **sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-port 3128** Couldn't have done it without your loop theory. **Thanks a lot!** (your bounty will be added after 19 hours, as promised :) – Naveen Apr 15 '13 at 12:19
  • You are welcome. I found out I made another mistake in my original answer too. I am too used to 8080 for proxy. LOL. – John Siu Apr 15 '13 at 12:55
  • 1
    @JohnSiu I signed up on askubuntu just to up vote your answer! Thanks! – Kulbir Saini Mar 25 '14 at 20:23
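The thread above turns on two points that are easy to get wrong when reading iptables rules: a locally generated packet never visits PREROUTING, and an OUTPUT rule without the owner exclusion also redirects Squid's own upstream connections back into Squid. The following is an added example, not code from the thread or from the Squid or iptables projects: a small Python model of just those two behaviours (chain selection, the --dport match and the '-m owner ! --uid-owner' exclusion) that walks one browser request through each rule set the thread tried. The user names "proxy" and "naveen", the port 3128 and the hop limit are taken from the thread or constructed for the example; real netfilter behaviour is far richer than this model.

```python
# Added example (not from the Ask Ubuntu thread): a toy model of how the nat
# rules discussed above treat a packet.  It only models the three things the
# answer relies on: which chain a packet traverses, the --dport match, and the
# '-m owner ! --uid-owner proxy' exclusion.  Real netfilter behaviour is richer.
from dataclasses import dataclass
from typing import List, Optional, Union

PROXY_PORT = 3128          # port Squid listens on (from the question)
PROXY_OWNER = "proxy"      # user Squid runs as (from the answer)
BROWSER_OWNER = "naveen"   # constructed: an ordinary desktop user


@dataclass(frozen=True)
class Packet:
    local: bool                  # True: generated on this host (OUTPUT chain);
                                 # False: arrived from the network (PREROUTING chain)
    dport: int                   # TCP destination port
    owner: Optional[str] = None  # user owning the sending socket (local packets only)


@dataclass(frozen=True)
class Rule:
    chain: str                           # "PREROUTING" or "OUTPUT"
    dport: Optional[int] = None          # None: '--dport' omitted, any port matches
    exclude_owner: Optional[str] = None  # user named in '-m owner ! --uid-owner'
    to_port: int = PROXY_PORT            # REDIRECT --to-ports target


def to_iptables(rule: Rule) -> str:
    """Render a Rule as the iptables command line it stands for."""
    parts = ["iptables", "-t", "nat", "-A", rule.chain, "-p", "tcp"]
    if rule.exclude_owner is not None:
        parts += ["-m", "owner", "!", "--uid-owner", rule.exclude_owner]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    parts += ["-j", "REDIRECT", "--to-ports", str(rule.to_port)]
    return " ".join(parts)


def redirect_target(pkt: Packet, rules: List[Rule]) -> Optional[int]:
    """Port the packet is redirected to by the first matching rule, or None."""
    chain = "OUTPUT" if pkt.local else "PREROUTING"
    for rule in rules:
        if rule.chain != chain:
            continue   # rule lives in a chain this packet never visits
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.exclude_owner is not None and pkt.owner == rule.exclude_owner:
            continue   # '! --uid-owner' excludes the proxy's own sockets
        return rule.to_port
    return None


def trace_request(rules: List[Rule], max_hops: int = 4) -> List[Union[int, str]]:
    """Follow one browser request to port 80 through the rules.

    Each hop is the port the connection lands on.  When the proxy receives a
    redirected connection it opens its own upstream connection to port 80,
    which is itself a locally generated packet and goes through the rules again.
    """
    hops: List[Union[int, str]] = []
    pkt = Packet(local=True, dport=80, owner=BROWSER_OWNER)
    for _ in range(max_hops):
        target = redirect_target(pkt, rules)
        if target is None:
            hops.append(pkt.dport)   # reached the real web server
            return hops
        hops.append(target)
        pkt = Packet(local=True, dport=80, owner=PROXY_OWNER)  # Squid's upstream fetch
    hops.append("loop")              # never escaped the proxy
    return hops


# The rule sets discussed in the thread, in the order they were tried.
ORIGINAL = [Rule("PREROUTING")]                                 # the asker's first attempt
WITH_DPORT = [Rule("PREROUTING", dport=80)]                     # first suggestion in the answer
OUTPUT_NO_OWNER = [Rule("OUTPUT", dport=80)]                    # OUTPUT chain, no owner match
FINAL = [Rule("OUTPUT", dport=80, exclude_owner=PROXY_OWNER)]   # the rule that worked

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("with --dport", WITH_DPORT),
                        ("OUTPUT, no owner match", OUTPUT_NO_OWNER), ("final", FINAL)]:
        print(f"{name:24} {to_iptables(rules[0])}")
        print(f"{'':24} browser request hops: {trace_request(rules)}")
```

Running the script shows the first two rule sets leaving a browser request untouched (it goes straight to port 80, matching the "nothing happens" in the question), the OUTPUT rule without the owner match bouncing Squid's own fetch back into port 3128 indefinitely, and the final rule giving the intended two hops: browser to 3128, then Squid to 80. The model also makes clear what the answer says about scope: a packet arriving from another host traverses PREROUTING, so the OUTPUT rule alone does nothing for clients behind the machine. On a real system, the equivalent check is to watch the packet and byte counters of the OUTPUT rule with iptables -t nat -L OUTPUT -n -v while a browser loads a page, and to confirm the request appears in Squid's access.log.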