
Transparent proxy on another box

Discussion in 'Tomato Firmware' started by RonV, Aug 3, 2014.

  1. RonV

    RonV Network Guru Member

    Since I can no longer run the squid proxy on the RT-AC87 like I did with my RT-N66U via entware, I have been trying to configure iptables to forward port 80 requests from the AC87 to the squid running on the N66U. So far I haven't been able to make this work.

    I have been all over the squid site and other sites that have sample iptables entries, and I guess my skill with iptables only applies to really simple things.
    Here is what I have configured so far:

    Internet gateway (AC87) - 192.168.10.252
    squid box (N66U) - 192.168.10.253:3128
    network mask: 255.255.255.0

    Below are the tables I put together from research for the AC87:



    iptables -t nat -A PREROUTING -i br0 ! -s 192.168.10.253 -p tcp --dport 80 -j DNAT --to 192.168.10.253:3128
    iptables -t nat -A POSTROUTING -o br0 -s 192.168.10.0/24 -d 192.168.10.253 -p tcp -j SNAT --to 192.168.10.252
    iptables -I FORWARD -i br0 -o br0 -s 192.168.10.0/24 -d 192.168.10.253 -p tcp --dport 3128 -j ACCEPT

    Has anyone else tried to do an on-LAN transparent proxy?

    Thanks.
     
    Last edited: Aug 3, 2014
  2. remlei

    remlei Networkin' Nut Member

    To reroute port 80 traffic to the proxy, do this:
    Code:
    iptables -t nat -A PREROUTING -i br0 -s ! 192.168.10.253 -p tcp --dport 80 -j DNAT --to 192.168.10.253:3128
    Now we need to bypass some destinations from being intercepted, like the admin page of your router and your squid box. If you don't add this, it is possible that if squid is not running you can access those admin pages only as they are being intercepted.

    Code:
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -d 192.168.10.252 -j RETURN
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -d 192.168.10.253 -j RETURN
    also make sure that squid is configured as transparent.
     
  3. RonV

    RonV Network Guru Member

    I tried the routing table rules but had to refactor the reroute rule, since the iptables version on the RT-AC87R router uses the ! before the -s:

    Code:
    iptables -t nat -A PREROUTING -i br0  ! -s 192.168.10.253 -p tcp --dport 80 -j DNAT --to 192.168.10.253:3128
    After adding the lines all access to the internet was lost by anything using port 80. I kept watching the squid box for at least some activity but nothing showed up.

    I have re-verified the squid box (configuration hasn't changed in 2 years) by setting my browser directly to the proxy and it worked just fine.

    I think there is something that is missing, since this should be such a simple task. What else should I look for? Maybe clearing the tables altogether and just adding some basic routing for internet etc., then adding in these lines?
     
  4. RonV

    RonV Network Guru Member

    I got it to work. Here are the iptables commands I was able to put together:

    Code:
    iptables -t nat -A PREROUTING -i br0 ! -s 192.168.10.253 -p tcp --dport 80 -j DNAT --to 192.168.10.253:3128
    iptables -t nat -A POSTROUTING -o br0 -s 192.168.10.0/24 -d 192.168.10.253 -j SNAT --to 192.168.10.252
    
    iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.10.253 -i br0 -o br0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 3128 -j ACCEPT
    iptables -A FORWARD -d 192.168.10.0/24 -s 192.168.10.253 -i br0 -o br0 -m state --state ESTABLISHED,RELATED -p tcp --sport 3128 -j ACCEPT
     
    Last edited: Aug 7, 2014
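The rule set that emerged from the thread, written up as a small script (an added example, not RonV's or remlei's own code and not part of Tomato). It assumes the thread's addresses (gateway 192.168.10.252, squid 192.168.10.253:3128, LAN 192.168.10.0/24 on br0), which are overridable through environment variables, and adds two things the thread only implies: the RETURN bypass rules from post 2 are placed before the DNAT (order matters in PREROUTING, a RETURN after the DNAT never fires), and the hairpin SNAT from post 4 is restricted to the proxy port. The `ipt` wrapper, `rule_count` and `bypass_before_dnat` helpers are assumptions for dry-running and checking the rule set without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): transparent squid on another LAN box.
# Run as "sh proxy-rules.sh apply" on the gateway; any other invocation
# only defines the functions. DRY_RUN=1 prints the rules instead of applying them.

GATEWAY="${GATEWAY:-192.168.10.252}"     # AC87, the internet gateway (thread value)
SQUID="${SQUID:-192.168.10.253}"         # N66U running squid (thread value)
SQUID_PORT="${SQUID_PORT:-3128}"
LAN="${LAN:-192.168.10.0/24}"
LAN_IF="${LAN_IF:-br0}"

# Wrapper: echo the command in dry-run mode, otherwise execute iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

proxy_rules() {
    # Bypass rules first: admin pages of the gateway and the squid box must
    # never be redirected, or they become unreachable whenever squid is down.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -d "$GATEWAY" -j RETURN
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -d "$SQUID" -j RETURN
    # Redirect everyone except the squid box itself (its own outbound port 80
    # traffic must not loop back into the proxy).
    ipt -t nat -A PREROUTING -i "$LAN_IF" ! -s "$SQUID" -p tcp --dport 80 \
        -j DNAT --to "$SQUID:$SQUID_PORT"
    # Hairpin SNAT: clients and squid share br0. Without this, squid would answer
    # the client directly from its own address, and the client would discard a
    # reply that does not match the web server it thinks it connected to.
    # Limited to the proxy port so other traffic to the N66U keeps its source IP.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN" -d "$SQUID" -p tcp --dport "$SQUID_PORT" \
        -j SNAT --to "$GATEWAY"
    # Allow the redirected flow and its replies through FORWARD.
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN" -d "$SQUID" -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$SQUID" -d "$LAN" -p tcp --sport "$SQUID_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of rules the set would install (dry-run, does not touch iptables).
rule_count() {
    ( DRY_RUN=1; proxy_rules ) | wc -l | tr -d ' '
}

# Self-check: returns 0 only if no RETURN bypass rule comes after the DNAT.
bypass_before_dnat() {
    ( DRY_RUN=1; proxy_rules ) | awk '/-j DNAT/ {d=1} /-j RETURN/ && d {bad=1} END {exit bad}'
}

if [ "${1:-}" = "apply" ]; then
    proxy_rules
fi
```

One consequence worth knowing before relying on squid's access log: because of the hairpin SNAT, every proxied connection arrives at the N66U with the gateway's address as its source, so squid cannot tell clients apart. If per-client logging matters, the proxy has to live on the gateway itself or on a separate subnet where the SNAT is unnecessary.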
