Redirect all non-local traffic to a socks proxy

bandwidthiptablesPROXY

Is it possible to redirect all non-local traffic to a socks proxy?

so, for example i have:

 4 computers (clients A-D: 10.0.0.1-4 or dhcp)
 1 computer with 2 network cards (gateway-server, eth0: 10.0.0.254, eth1: 192.168.1.1)
 1 computer with 2 network cards (router, eth0: 192.168.1.254, eth1: public-ip)

I need to make all computer that through my gateway-server to use socks proxy that installed on gateway-server without need to configure each client's browser.

the purpose is to log all urls and bandwidth usages.

the question is..

is it possible? and if so, how to do it?
if is it not possible, what are the alternative?

Best Answer

Sorry for answering this maybe too late. I'm new on stackexchange and saw it today with no possibility to answer before. Let's work...

To redirect all requests from that pcs to the socks proxy port you'll need some iptables. Let's supposse you have that proxy on port 9050 and the interface name for your card is eth0 (I mean the one of your gateway-server which is connected to the nearest internet side) because you didn't provided data... so completing with some imagination :)

To enable forwarding and to do the NAT masquerading you'll need to execute echo 1 > /proc/sys/net/ipv4/ip_forward and then the iptables rules:

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And to redirect all web requests of your internal network clients to the proxy port you'll need:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9050
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 9050

With these rules, the requests arrive to the port on which there must be "something" well configured to get working everything. Good luck! or if I got late to the post, maybe you can share with us how you dealed with this.

Related Solutions

NAT with transparent proxy

Assuming that you want only to redirect traffic coming from eth0, not from localhost, and that your transparent proxy is running on your NAT server, you can do this for HTTP traffic with:

iptables -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

As HTTPS uses end-to-end encryption, you cannot log specific requests without modifications on the client side - otherwise man-in-the-middle attacks would be easy.

Linux Router – How to Use Multiple Internet Providers

Here is a similar setup from one of our routers (with some irrelevant stuff snipped). Note that this handles incoming connections as well.

Note the use of variables instead of hard-coded mark numbers. So much easier to maintain! They're stored in a separate script, and sourced in. Table names are configured in /etc/iproute2/rt_tables. Interface names are set in /etc/udev/rules.d/70-persistent-net.rules.

##### fwmark ######
iptables -t mangle -F
iptables -t mangle -X

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j RETURN # if already set, we're done
iptables -t mangle -A PREROUTING -i wan      -j MARK --set-mark $MARK_CAVTEL
iptables -t mangle -A PREROUTING -i comcast  -j MARK --set-mark $MARK_COMCAST
iptables -t mangle -A PREROUTING -i vz-dsl   -j MARK --set-mark $MARK_VZDSL

iptables -t mangle -A POSTROUTING -o wan     -j MARK --set-mark $MARK_CAVTEL
iptables -t mangle -A POSTROUTING -o comcast -j MARK --set-mark $MARK_COMCAST
iptables -t mangle -A POSTROUTING -o vz-dsl  -j MARK --set-mark $MARK_VZDSL
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

##### NAT ######
iptables -t nat -F
iptables -t nat -X
for local in «list of internal IP/netmask combos»; do
    iptables -t nat -A POSTROUTING -s $local -o wan     -j SNAT --to-source «IP»
    iptables -t nat -A POSTROUTING -s $local -o comcast -j SNAT --to-source «IP»
    iptables -t nat -A POSTROUTING -s $local -o vz-dsl  -j SNAT --to-source «IP»
done

# this is an example of what the incoming traffic rules look like
for extip in «list of external IPs»; do
    iptables -t nat -A PREROUTING   -p tcp -d $extip --dport «port» -j DNAT --to-destination «internal-IP»:443
done

And the rules:

ip rule flush
ip rule add from all               pref 1000  lookup main 
ip rule add from A.B.C.D/29        pref 1500  lookup comcast # these IPs are the external ranges (we have multiple IPs on each connection)
ip rule add from E.F.G.H/29        pref 1501  lookup cavtel
ip rule add from I.J.K.L/31        pref 1502  lookup vzdsl
ip rule add from M.N.O.P/31        pref 1502  lookup vzdsl # yes, you can have multiple ranges
ip rule add fwmark $MARK_COMCAST   pref 2000  lookup comcast
ip rule add fwmark $MARK_CAVTEL    pref 2001  lookup cavtel
ip rule add fwmark $MARK_VZDSL     pref 2002  lookup vzdsl
ip rule add                        pref 2500  lookup comcast # the pref order here determines the default—we default to Comcast.
ip rule add                        pref 2501  lookup cavtel
ip rule add                        pref 2502  lookup vzdsl
ip rule add                        pref 32767 lookup default

The routing tables get set up in /etc/network/interfaces, so that taking down an interface makes it switch to using a different one:

iface comcast inet static
        address A.B.C.Q
        netmask 255.255.255.248
        up ip route add table comcast default via A.B.C.R dev comcast
        down ip route flush table comcast

Note: If you're doing filtering as well (which you probably are) you'll also need to add the appropriate rules to FORWARD to ACCEPT the traffic. Especially for any incoming traffic.

Best Answer

Related Solutions

NAT with transparent proxy

Linux Router – How to Use Multiple Internet Providers

Related Question