CentOS Proxy – How to Configure a Transparent Proxy with Remote Server


What I am trying to achieve

I have a CentOS (6.8) box 1.1.1.1 and a remote squid proxy server 2.2.2.2

I am trying to emulate the results of curl http://google.com -x 2.2.2.2:3128 with applications that don't have an HTTP proxy option, and don't respect the http_proxy variable (such as telegraf)

What I have tried so far

I've tried setting up iptables rules to forward traffic to the proxy:

iptables -t nat -A PREROUTING -i eth0 ! -s 2.2.2.2 -p tcp --dport 80 -j DNAT --to 2.2.2.2:3128
iptables -t nat -A POSTROUTING -o eth0 -s 1.1.1.1 -d 2.2.2.2 -j SNAT --to 1.1.1.1
iptables -A FORWARD -s 1.1.1.1 -d 2.2.2.2 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

I then discovered that DNAT doesn't work properly if one is sending the traffic to a remote box, as return traffic doesn't route correctly. Based on this, I moved the application to a docker container (172.17.0.9) on the CentOS box, and planned to keep the iptables config on the host, amending the iptables config thusly:

iptables -t nat -A PREROUTING -i eth0 ! -s 2.2.2.2 -p tcp --dport 80 -j DNAT --to 2.2.2.2:3128
iptables -t nat -A POSTROUTING -o eth0 -s 172.17.0.0/16 -d 2.2.2.2 -j SNAT --to 1.1.1.1
iptables -A FORWARD -s 172.17.0.0/16 -d 2.2.2.2 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

I also tried the following ruleset:

iptables -t nat -A PREROUTING -i eth0 -s 172.17.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 2.2.2.2:3128
iptables -t nat -A POSTROUTING -o eth0 -d 2.2.2.2/32 -j MASQUERADE

The result of both of these rulesets was that http traffic was still attempting to go directly to the destination, rather than through the proxy.

[root@host ~]# tcpdump -nnn host 216.58.201.35
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:26:24.536668 IP 1.1.1.1.38566 > 216.58.201.35.80: Flags [S], seq 3885286223, win 14600, options [mss 1460,sackOK,TS val 2161333858 ecr 0,nop,wscale 9], length 0

The default gateway on the docker container is correctly set to the host, IP forwarding is enabled on the host.

[root@docker /]# ip route
default via 172.17.0.1 dev eth0

[root@host ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Am I missing something obvious here?

Best Answer

RESOLVED

Using iptables ruleset:

-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 2.2.2.2:3128
-A POSTROUTING -s 172.17.0.0/16 -j SNAT --to-source 1.1.1.1

Looks like this was because of the interface being set incorrectly (should have been docker0) -- have removed the interface flag from the iptables rules and works fine now
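The accepted ruleset above matches every port-80 packet that enters PREROUTING on any interface, so a connection arriving on eth0 for a web service on the host itself would also be bounced to 2.2.2.2:3128, and the SNAT rewrites the source of all container traffic, not only what goes to the proxy. The following script, added here as an example rather than taken from the question or the answer, builds the same redirection but scoped to the docker0 interface, the container subnet and the proxy address, and keeps the FORWARD chain explicit. The addresses (1.1.1.1, 2.2.2.2:3128, 172.17.0.0/16, eth0, docker0) are the placeholders used in this thread and are overridable through environment variables; the script only prints the rules unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original post). Scoped transparent-proxy rules for
# a Docker container whose HTTP traffic must leave through a remote squid.
# Placeholder values from the thread (assumptions): host WAN address 1.1.1.1 on
# eth0, squid at 2.2.2.2:3128, container bridge docker0 with 172.17.0.0/16.
PROXY_IP="${PROXY_IP:-2.2.2.2}"
PROXY_PORT="${PROXY_PORT:-3128}"
HOST_IP="${HOST_IP:-1.1.1.1}"
WAN_IF="${WAN_IF:-eth0}"
DOCKER_IF="${DOCKER_IF:-docker0}"
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"

# Emit the rules, one command per line.
# Differences from the accepted answer:
#   - DNAT only for packets arriving on docker0 from the container subnet, and
#     never for traffic already addressed to the proxy, so inbound port-80
#     connections on eth0 to the host are left alone.
#   - SNAT only on the way out of eth0 towards the proxy.
#   - FORWARD accepts exactly the container-to-proxy flow and its replies.
proxy_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $DOCKER_IF -s $DOCKER_NET ! -d $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $DOCKER_NET -d $PROXY_IP -j SNAT --to-source $HOST_IP
iptables -A FORWARD -i $DOCKER_IF -o $WAN_IF -s $DOCKER_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $DOCKER_IF -s $PROXY_IP -d $DOCKER_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rules the generator produces (used by the self-check below).
rule_count() {
    proxy_rules | wc -l | tr -d ' '
}

# Apply the generated rules; requires root. Each command is echoed first so the
# shell history shows exactly what was installed.
apply_rules() {
    proxy_rules | while read -r line; do
        echo "+ $line"
        sh -c "$line"
    done
}

# Post-install checks a practitioner would run: forwarding must be on, the DNAT
# rule's packet counter must climb when the container makes an HTTP request,
# and SYNs on eth0 must go to port 3128 rather than port 80.
verify_rules() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
    echo "nat counters for the DNAT rule:"
    iptables -t nat -L PREROUTING -n -v | grep "dpt:80" || echo "(no DNAT rule found)"
    echo "Capture to confirm the redirect (run while the container fetches a URL):"
    echo "  tcpdump -nn -i $WAN_IF 'tcp[tcpflags] & tcp-syn != 0 and (port 80 or port $PROXY_PORT)'"
}

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    apply_rules
    verify_rules
else
    proxy_rules
fi
```

Running the script with no arguments prints the four rules for review; APPLY=1 as root installs them and then shows the counters and the tcpdump filter to confirm that SYNs to port 80 from the container leave eth0 as SYNs to port 3128. Because the DNAT is keyed on docker0, processes on the host itself (such as the curl test in the question) still reach the proxy only when told to with -x.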
