Tuesday, August 12, 2008

Transparent proxy | Iptables

This is a quick guide on how to do transparent proxying using iptables rules, if you don't want your users to know they're going through a proxy server/appliance and don't want to configure their workstations.

If you have the proxy on a different machine, use the following rule:

iptables -t nat -A PREROUTING -i incominginterface -p tcp --dport 80 -j DNAT --to proxyip:proxyport

If you have the proxy service on the same machine, use the following rule:

iptables -t nat -A PREROUTING -i incominginterface -s sourceip -p tcp --dport 80 -j REDIRECT --to-ports proxyport

Make sure that your POSTROUTING rule is on the same IP block as your proxy server; otherwise you will need to add a route to your routing table and add the following rule to your iptables:

iptables -t nat -A POSTROUTING -o outgoinginterface -s sourceip -d destinationip -j SNAT --to-source sourceip-mustbesameblockasdestinationip

For the outgoing interface, if you have IP aliasing (multiple IPs on a single NIC) set up, you can specify the same interface, but you still need to add a route to your routing table from one block to the other.
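The rules above, put together as a small script. This is an added example, not code from the original post: it builds both variants (DNAT to a remote proxy, REDIRECT to a local one) from variables, checks the "same IP block" requirement before adding the SNAT rule, and excludes the proxy's own address from the DNAT rule so a proxy sitting on the client LAN does not get its outbound fetches looped back to itself. Every interface, address and port below (eth0, eth1, 192.168.1.0/24, 10.0.0.10, 3128, ...) is an assumed placeholder; set them from the environment for real use. With DRY_RUN=1, the default, the iptables commands are only printed.

```shell
#!/bin/sh
# Added example (not from the original post). All values below are assumed
# placeholders; override them from the environment.
LAN_IF="${LAN_IF:-eth1}"               # interface the clients arrive on
WAN_IF="${WAN_IF:-eth0}"               # interface toward the proxy / Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # client subnet (address/prefix)
PROXY_IP="${PROXY_IP:-10.0.0.10}"      # proxy on another machine
PROXY_BITS="${PROXY_BITS:-24}"         # prefix length of the proxy's block
PROXY_PORT="${PROXY_PORT:-3128}"
SNAT_IP="${SNAT_IP:-10.0.0.1}"         # router address inside the proxy's block
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = run them

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# same_block A B PREFIXLEN: succeed when A and B are in the same /PREFIXLEN block.
same_block() {
  mask=$(( 0xFFFFFFFF << (32 - $3) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Proxy on a different machine: DNAT port 80 from the client interface.
# "! -s PROXY_IP" keeps the proxy's own web fetches from being redirected
# back to it when the proxy lives on the client LAN.
remote_proxy_rules() {
  lan_addr=${LAN_NET%/*}; lan_bits=${LAN_NET#*/}
  run iptables -t nat -A PREROUTING -i "$LAN_IF" ! -s "$PROXY_IP" \
      -p tcp --dport 80 -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
  # Clients and proxy in the same block: nothing more to do.
  if same_block "$lan_addr" "$PROXY_IP" "$lan_bits"; then
    return 0
  fi
  # Different blocks: the SNAT address must be in the proxy's block
  # (and a route to that block must exist on this machine).
  if ! same_block "$SNAT_IP" "$PROXY_IP" "$PROXY_BITS"; then
    echo "SNAT_IP $SNAT_IP is not in the proxy's /$PROXY_BITS block" >&2
    return 1
  fi
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -d "$PROXY_IP" \
      -j SNAT --to-source "$SNAT_IP"
}

# Proxy on this machine: REDIRECT port 80 to the local proxy port.
local_proxy_rules() {
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
      -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# Usage: sh transparent-proxy.sh [remote|local]
case "${1:-remote}" in
  remote) remote_proxy_rules ;;
  local)  local_proxy_rules ;;
esac
```

Run it once with the defaults to see the exact rules it would add, then with DRY_RUN=0 as root to apply them; the SNAT step is skipped automatically when the clients and the proxy already share a block.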

Take NOTE that transparent proxying only works with a proxy that doesn't have authentication set up.

That's it for a quick guide.

Thanks for the correction! :)

1 comment:

Anonymous said...

Did you make a typo in the second rule, where "incommingip" should be "incominginterface"?
