What I am trying to achieve
I have a CentOS (6.8) box 1.1.1.1 and a remote squid proxy server 2.2.2.2
I am trying to emulate the results of curl http://google.com -x 2.2.2.2:3128
with applications that don't have an HTTP proxy option and don't respect the http_proxy
variable (such as telegraf).
What I have tried so far
I've tried setting up iptables rules to forward traffic to the proxy:
# DNAT: rewrite port-80 TCP arriving on eth0 (except from the proxy itself) to the proxy
iptables -t nat -A PREROUTING -i eth0 ! -s 2.2.2.2 -p tcp --dport 80 -j DNAT --to 2.2.2.2:3128
# SNAT: send the rewritten packets to the proxy from the host's own address
iptables -t nat -A POSTROUTING -o eth0 -s 1.1.1.1 -d 2.2.2.2 -j SNAT --to 1.1.1.1
# let the forwarded packets through the filter table
iptables -A FORWARD -s 1.1.1.1 -d 2.2.2.2 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
I then discovered that DNAT doesn't work properly if one is sending the traffic to a remote box, as return traffic doesn't route correctly. Based on this, I moved the application to a docker container (172.17.0.9) on the CentOS box, and planned to keep the iptables config on the host, amending the iptables config thusly:
# same DNAT rule as before
iptables -t nat -A PREROUTING -i eth0 ! -s 2.2.2.2 -p tcp --dport 80 -j DNAT --to 2.2.2.2:3128
# SNAT now matches the container subnet instead of the host address
iptables -t nat -A POSTROUTING -o eth0 -s 172.17.0.0/16 -d 2.2.2.2 -j SNAT --to 1.1.1.1
# FORWARD likewise matches the container subnet
iptables -A FORWARD -s 172.17.0.0/16 -d 2.2.2.2 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
I also tried the following ruleset:
# DNAT only port-80 traffic sourced from the container subnet
iptables -t nat -A PREROUTING -i eth0 -s 172.17.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 2.2.2.2:3128
# masquerade everything leaving eth0 towards the proxy
iptables -t nat -A POSTROUTING -o eth0 -d 2.2.2.2/32 -j MASQUERADE
The result of both of these rulesets was that HTTP traffic was still attempting to go directly to the destination, rather than through the proxy.
[root@host ~]# tcpdump -nnn host 216.58.201.35
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:26:24.536668 IP 1.1.1.1.38566 > 216.58.201.35.80: Flags [S], seq 3885286223, win 14600, options [mss 1460,sackOK,TS val 2161333858 ecr 0,nop,wscale 9], length 0
The default gateway on the docker container is correctly set to the host, IP forwarding is enabled on the host.
[root@docker /]# ip route
default via 172.17.0.1 dev eth0
[root@host ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Am I missing something obvious here?
Best Answer
RESOLVED
Using iptables ruleset:
It looks like this was because the interface was set incorrectly (it should have been docker0). I have removed the interface flag from the iptables rules and it works fine now.
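The corrected ruleset itself is not shown in the answer, so the following is an added example (not the asker's or answerer's code) that reconstructs what the answer describes: the PREROUTING DNAT rule must match traffic arriving from the docker bridge (docker0, or no -i at all), because packets from a container never enter the host on eth0, which is why the original rules were never hit and tcpdump showed SYNs going straight to 216.58.201.35:80. The addresses, subnet, interfaces and proxy port are taken from the question; the script generates the rules, checks that the DNAT rule does not match on the WAN interface, and only applies them when run with APPLY=1 as root.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (and optionally
# applies) the iptables rules the accepted answer describes: DNAT port-80
# traffic entering from the docker bridge to the remote Squid proxy, and
# SNAT it to the host's public address so the proxy's replies return via
# the host. Assumed values (from the question): host 1.1.1.1 on eth0,
# bridge docker0 serving 172.17.0.0/16, proxy 2.2.2.2 on port 3128.

# Print the rule set, one "iptables ..." command per line.
# Usage: proxy_rules BRIDGE_IF CONTAINER_NET PROXY_IP PROXY_PORT HOST_IP WAN_IF
proxy_rules() {
    bridge=$1; net=$2; proxy=$3; pport=$4; host=$5; wan=$6
    # Container traffic enters the host on the bridge, so match there
    # (dropping -i entirely, as the answer did, also works).
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
        "$bridge" "$net" "$proxy" "$pport"
    # Rewrite the source to the host's public address on the way out.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$wan" "$net" "$proxy" "$pport" "$host"
    # Filter table: allow bridge -> WAN towards the proxy, and the replies back.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
        "$bridge" "$wan" "$net" "$proxy" "$pport"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$wan" "$bridge" "$proxy" "$net"
}

# Sanity-check a generated rule set: the DNAT rule must not match on the WAN
# interface (the mistake in the question) and must point at the proxy.
# Returns 0 when the rules look right, 1 otherwise.
check_rules() {
    rules=$1; wan=$2; proxy=$3; pport=$4
    if printf '%s\n' "$rules" | grep PREROUTING | grep -q -- "-i $wan "; then
        echo "PREROUTING rule matches on $wan; container traffic never arrives there" >&2
        return 1
    fi
    printf '%s\n' "$rules" | grep PREROUTING \
        | grep -q -- "-j DNAT --to-destination $proxy:$pport" || return 1
    return 0
}

RULES=$(proxy_rules docker0 172.17.0.0/16 2.2.2.2 3128 1.1.1.1 eth0)
check_rules "$RULES" eth0 2.2.2.2 3128
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$RULES" | sh      # apply for real (needs root and ip_forward=1)
else
    printf '%s\n' "$RULES"           # dry run: just show the rules
fi
```

After applying, confirm with `tcpdump -nn -i eth0 host 2.2.2.2 and port 3128` that the container's SYNs now leave towards the proxy rather than towards port 80 of the real destination, and check the rule counters with `iptables -t nat -L PREROUTING -v -n`. Note that the proxy side has to be willing to accept transparently redirected requests (for Squid that is an `http_port` configured with `intercept`); a forward-proxy port expects the absolute-URI requests that `curl -x` sends, so if the proxy answers the redirected traffic with errors, that is the next thing to check.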