Re: iptables transparent proxy
From: Antoine EMERIT (reply_to_replay_at_daubededaube.nothing)
Date: 13 Jun 2004 15:28:50 GMT
email@example.com (Fritz Bayer) wrote
>> - bind the proxy to a specific ip, not to the lo interface
bind the proxy to an alias interface, not the default one (e.g.
>> - change your REDIRECT rule to a DNAT rule to forward port 80 from
>> any ip except the proxy bind to port 8888 on the proxy bound address
>> ex: bind the proxy to your internal ip 192.168.1.4
ex: bind the proxy to your internal ip 192.168.1.10
>> iptables -t nat -A PREROUTING -s !192.168.0.4 -d 0.0.0.0/0 -p tcp
>> --dport 80 -i eth0 -j DNAT --to-destination 192.168.0.10:8888
iptables -t nat -A PREROUTING -s !192.168.1.10 -d 0.0.0.0/0 -p tcp
--dport 80 -i eth0 -j DNAT --to-destination 192.168.1.10:8888
>> If this is not clear or fully functional, you may also add an ip
>> alias on the proxy box and bind the proxy to this alias ip.
That's the solution (see below).
> But doesn't this mean: forward all new connections not coming from
> 192.168.0.4 with destination port 80 to port 8888 on 192.168.0.10 ?
Correct, so use an ip alias to separate the proxy traffic from the client
one (web browser).
> But that's not what I want. I mean I want all connections with
> destination port 80 from the box on which the proxy is running to be
> forwarded to the local port 8888. And those originating from the proxy
> to be sent out to the world.
I understand this, but my previous solution works only for the lo
Using an ip alias, as described above, should work.
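The alias-IP approach from the thread, written out as an added example (not Antoine's or Fritz's own configuration): the proxy listens on a dedicated alias address, and the DNAT rule excludes that address as a source so the proxy's own outbound fetches are never intercepted again. Because a browser on the proxy box generates packets locally, which never traverse PREROUTING, the example also emits the equivalent rule for the nat OUTPUT chain. The addresses 192.168.1.4 / 192.168.1.10, the interface eth0, the /24 netmask and port 8888 are constructed for the example; the `decide` function is a dry-run matcher that mirrors the rule so the loop-avoidance logic can be checked without root.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the "alias IP + DNAT"
# transparent-proxy setup discussed above and includes a dry-run matcher so
# the loop-avoidance logic can be checked without root or a live firewall.
# All addresses, interface names and the port are constructed/assumed.

PROXY_IP="192.168.1.10"   # assumed alias IP the proxy binds to
PROXY_PORT="8888"         # assumed proxy listen port
LAN_IF="eth0"             # assumed LAN interface
NETMASK="24"              # assumed subnet size for the alias

# Print the commands (review first; run as root only when you agree with them).
transparent_proxy_rules() {
    # 1. give the proxy its own address, separate from the one clients use
    echo "ip addr add $PROXY_IP/$NETMASK dev $LAN_IF label $LAN_IF:1"
    # 2. LAN clients: traffic arriving on eth0 enters via PREROUTING;
    #    "! -s" excludes the proxy's own egress so it is not re-intercepted
    echo "iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
    # 3. a browser on the proxy box itself: locally generated packets never
    #    hit PREROUTING, they traverse the nat OUTPUT chain instead
    echo "iptables -t nat -A OUTPUT ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
}

# Dry-run matcher mirroring the rule above: prints the destination a packet
# would end up with. Usage: decide <src-ip> <dst-ip> <dst-port>
decide() {
    src=$1; dst=$2; dport=$3
    if [ "$dport" = "80" ] && [ "$src" != "$PROXY_IP" ]; then
        echo "$PROXY_IP:$PROXY_PORT"      # intercepted by the proxy
    else
        echo "$dst:$dport"                # left alone: proxy's own egress, or not HTTP
    fi
}

# Sample packets (constructed)
transparent_proxy_rules
decide 192.168.1.4  93.184.216.34 80    # LAN client or local browser -> proxy
decide 192.168.1.10 93.184.216.34 80    # proxy's own fetch -> goes out, no loop
decide 192.168.1.4  93.184.216.34 443   # not port 80 -> untouched
```

The scheme only breaks the loop if the proxy's outbound connections really carry the alias as their source address; binding the listen socket alone does not guarantee that, so the proxy must also be configured to use the alias for outgoing connections (Squid's tcp_outgoing_address is one such setting). Check with `iptables -t nat -L -v -n` that the counters on the two DNAT rules move for client traffic and stay still for the proxy's own fetches.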