Ubuntu – iptables doesn’t redirect http traffic to the Squid proxy!

Tags: iptables, proxy, squid, transparent-proxy

I arranged a transparent Squid proxy which listens to port 3128 on localhost, to block some web sites.

I've tested the proxy using Firefox, and it works.

Then I ran this, hoping to redirect all the http requests to the proxy:

sudo iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 3128

Sadly, nothing happens. The other browsers in my system don't seem to be using the proxy. I don't want to configure each browser to use the proxy either.

sudo iptables -L shows no rules assigned.

I'm on Ubuntu 13.04, and using a 3G USB modem (ppp0) to connect to the Internet. Any advice is appreciated!

Best Answer

I think you are missing the destination port; try the following:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128

Without --dport, you are forwarding traffic with destination port 3128 to local port 3128. What you want is traffic with destination port 80 forwarded to local port 3128.

Additionally, to show nat rules, use:

iptables -t nat -L

However, the above rules will not work for a transparent proxy setup on the same machine as the browser, because the PREROUTING chain alters packets arriving from a remote client before routing, and it does nothing for locally generated packets. Thus we should use the OUTPUT chain for locally generated packets that are going out from the system.

Try the following instead:

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 80 -j REDIRECT --to-port 3128

It will only redirect traffic for processes other than the ones owned by the proxy user.

Without -m owner ! --uid-owner proxy, it will not work, because the rule will also catch the proxy server's outgoing traffic and end up in a loop.
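The two pitfalls the answer describes (a REDIRECT rule with no --dport, and one with no owner exclusion, which loops the proxy's own traffic back into itself) can be checked for by auditing the nat table's OUTPUT chain. The following shell script is an added example, not code from the question or the answer; it runs the audit over a constructed sample of `iptables -t nat -S OUTPUT` output, so it needs neither root nor iptables, and it assumes the Squid user is uid 13 (the proxy user on Debian-based systems).

```shell
#!/bin/sh
# Added example: audit REDIRECT rules in the nat OUTPUT chain for the
# two problems discussed in the answer. Feed real output with:
#   sudo iptables -t nat -S OUTPUT | audit_rules

# Constructed sample of `iptables -t nat -S OUTPUT` output (iptables -S
# prints the owner match with a numeric uid; 13 is assumed for "proxy").
# Rule 1: no --dport, so every TCP connection is redirected.
# Rule 2: has --dport 80 but no owner exclusion, so Squid loops.
# Rule 3: the form recommended in the answer.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -j REDIRECT --to-ports 3128
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A OUTPUT -p tcp -m owner ! --uid-owner 13 -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# audit_rule RULE: print a verdict for one rule line.
#   skip               - not a REDIRECT rule
#   no-dport           - redirects all TCP, not just port 80
#   no-owner-exclusion - proxy's own traffic is redirected too (loop)
#   ok                 - matches the answer's recommended form
audit_rule() {
    rule=$1
    case $rule in *"-j REDIRECT"*) ;; *) echo skip; return 0 ;; esac
    case $rule in *"--dport "*) ;; *) echo no-dport; return 1 ;; esac
    case $rule in
        *"-m owner ! --uid-owner "*) ;;
        *) echo no-owner-exclusion; return 1 ;;
    esac
    echo ok
    return 0
}

# audit_rules: read rule lines on stdin, report each REDIRECT rule,
# return non-zero if any of them has a problem.
audit_rules() {
    status=0
    while IFS= read -r line; do
        verdict=$(audit_rule "$line")
        [ "$verdict" = skip ] && continue
        echo "$verdict: $line"
        [ "$verdict" = ok ] || status=1
    done
    return $status
}

printf '%s\n' "$SAMPLE_RULES" | audit_rules \
    || echo "one or more REDIRECT rules need attention"
```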
