OpenWrt Forum Archive

Topic: [iptables] External proxy for transparent proxying

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have my kamikaze router (10.1.1.1) and a server (10.1.1.2). I'd like to route all port 80 requests from the LAN (except connections from the router or server) through a transparent proxy listening on 10.1.1.2:8888. I've had no luck with any iptables rules I've found so far. I have iptables-mod-nat and iptables-mod-extra installed and tried out various rules but haven't had any success so far.

Can anyone help?

INTERNAL_NETWORK=10.1.1.0/24
LAN=br-lan
LANIP=10.1.1.1
SQUIDIP=10.1.1.2
SQUIDPORT=8888

iptables -t nat -A PREROUTING -i $LAN -s ! $SQUIDIP -p tcp --dport 80 -j DNAT --to $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -o $LAN -s $INTERNAL_NETWORK -d $SQUIDIP -j SNAT --to $LANIP
iptables -A FORWARD -s $INTERNAL_NETWORK -d $SQUIDIP -i $LAN -o $LAN -p tcp --dport $SQUIDPORT -j ACCEPT

Hm, this seems to work. I used prerouting_rule and post_routing_rule. What's the difference between them?

prerouting_rule and postrouting_rule are chains defined by OpenWrt that are called somewhere in the default PREROUTING and POSTROUTING chains of iptables.

I'm doing exactly this, but after having spent a few hours I cannot get transparent proxy to work.  I believe the problem is that the proxy server is not even receiving the packets from the router.  I looked at all the traffic on port 3128 on the proxy server and nothing was coming in from the router at all.  I have also made the configuration changes to squid to make it transparent.

My assumption is that after performing the iptables changes, my browser on my workstation (192.168.1.222) should just end up going through the proxy server, but instead I timeout waiting for data to come back.  Here's my setup:

INTERNAL_NETWORK=192.168.1.0/24
LAN=br-lan
LANIP=192.168.1.1
SQUIDIP=192.168.1.50
SQUIDPORT=3128

iptables -t nat -A PREROUTING -i $LAN -s ! $SQUIDIP -p tcp --dport 80 -j DNAT --to $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -o $LAN -s $INTERNAL_NETWORK -d $SQUIDIP -j SNAT --to $LANIP
iptables -A FORWARD -s $INTERNAL_NETWORK -d $SQUIDIP -i $LAN -o $LAN -p tcp --dport $SQUIDPORT -j ACCEPT


And here's some more possibly relevant information.

/etc/config/network:

config 'switch' 'eth0'
        option 'vlan0' '1 2 3 4 5*'
        option 'vlan1' '0 5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'macaddr' ''
        option 'ip6addr' ''
        option 'gateway' ''
        option 'ip6gw' ''
        option 'dns' ''

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'static'
        option 'macaddr' ''
        option 'ipaddr' '173.9.xxx.xxx'
        option 'ip6addr' ''
        option 'netmask' '255.255.255.248'
        option 'gateway' '173.9.xxx.xxx'
        option 'ip6gw' ''
        option 'dns' '68.87.72.130 68.87.77.130'


/etc/config/firewall:
config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'
        option 'mtu_fix' '1'

config 'redirect' 'vnc'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_ip' ''
        option 'src_dport' '5900'
        option 'dest_ip' '192.168.1.50'
        option 'dest_port' '5900'

Output of route:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
173.9.xxx.xxx   *               255.255.255.248 U     0      0        0 eth0.1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
default         173-9-xxx-xxx-I 0.0.0.0         UG    0      0        0 eth0.1

And I'm running Kamikaze 8.9.

Thanks,
Ross.

Try to use prerouting_rule, postrouting_rule and forwarding_rule instead of PREROUTING, POSTROUTING and FORWARD.

(Last edited by llazzaro on 20 Aug 2009, 01:52)

Thanks, using the prerouting_rule postrouting_rule and forwarding_rule instead of the predefined ones did the trick!
