I had the exact same problem, and after almost 1 day, I could solve this problem. This solution is for anyone reading this in the future.
Target: Same as the OP I was trying to reach
Client -> VPN -> Proxy -> Internet
Setup: Ubuntu 16.04
VPN: L2TP using xl2tpd and pptpd, as well as strongswan for encryption
The VPN setup and the Squid Proxy server are on the same machine.
Private IP Pool for handing out IPs to clients: 172.21.118.0/24
As the OP expected, you need to run -j REDIRECT --to-port 3128
on some nat table (either PREROUTING or OUTPUT).
Probing and logging around with the different tables, here is the path each packet originating from 172.21.118.0/24 follows:
mangle PREROUTING -> nat PREROUTING -> mangle FORWARD -> filter FORWARD -> mangle POSTROUTING -> nat POSTROUTING
I understood how this work, using a great illustration of the iptables packet lifecycle:
Source: http://64-bit.de/dokumentationen/netzwerk/e/002/DE-IPTABLES-HOWTO-3.html
As it turned out, this setup does not send anything on the OUTPUT chain, so the only place to redirect a port is the PREROUTING chain.
The solution is simply:
iptables -t nat -I PREROUTING -i ppp0 -s 172.21.118.1/24 -j REDIRECT --to-ports 3128
Also do not forget to SNAT to your public IP in order to reach the internet:
iptables -t nat -A POSTROUTING -j SNAT -s 172.21.118.2/24 --to-source ${IP} -o eth0
#Alternatively but slower:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Best Answer
Yes, on Linux systems this would be
iptables
. However, Kubernetes can also run on BSD and even Windows (for worker nodes), which obviously don't haveiptables
, butpf
and Windows Firewall.The slightly vague wording comes from the fact that they can't name a single packet filter implementation because of these different operating system's implementation of it.