NAT with transparent proxy

http-proxyiptables

is there a way to redirect all non local http requests that through my computer to use my transparent proxy, so i can log all websites are they visiting?

and if possible all https requests too..

my computer was used as NAT server because we only have 1 real IP..

eth1 = w.x.y.z (real/public IP)
eth0 = a.b.c.d (fake/private IP)

my transparent proxy listen on localhost:3128

all computers in my home connected to eth0 to access the internet..

Best Answer

Assuming that you want only to redirect traffic coming from eth0, not from localhost, and that your transparent proxy is running on your NAT server, you can do this for HTTP traffic with:

iptables -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

As HTTPS uses end-to-end encryption, you cannot log specific requests without modifications on the client side - otherwise man-in-the-middle attacks would be easy.

Related Solutions

IPTables and transparent proxies

Both parts of your question are linked.

Part (1) captures a SYN packet and redirects it as you suggest. From this point conntrack (2) takes over and recognises that each subsequent packet in that stream is part of the same connection and redirects it in the same way as the original SYN packet.

An overview of Connection Tracking can be found at http://en.wikipedia.org/wiki/Netfilter#Connection_Tracking

Debian Wheezy subnet configuration (proxy, MASQUARADing etc.)

Assuming that what you're looking for is to provide internal hosts to access the internet via your server:

First you need to set this box as the default gateway for the nodes.

Second you need to enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Third you need to masquerade (SNAT) the outgoing traffic from these hosts:

iptables -I POSTROUTING -o eth1 -j MASQUERADE

This should be all that you need.

Best Answer

Related Solutions

IPTables and transparent proxies

Debian Wheezy subnet configuration (proxy, MASQUARADing etc.)

Related Question