
I have a Linux box as a router: eth0 (192.168.0.60) connects to the LAN, eth1 (10.100.33.239) connects to the Internet. Squid works well; I can set 10.100.33.239:3128 or 192.168.0.60:3128 as the proxy in my web browser and visit HTTP and HTTPS web sites.

Now I want to use iptables to set up a transparent proxy, which means I can visit web sites without setting a proxy in my web browser.

Now HTTP is OK, but HTTPS fails. Would someone help me? Thank you!

iptables config

# accept replies to connections that are already being forwarded
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward LAN (eth0) HTTPS directly, i.e. not through squid
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT
# rewrite the source of everything leaving eth1 to the Internet-side address
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.100.33.239
# send LAN (eth0) HTTP to squid on the LAN-side address
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.60:3128
# send HTTP arriving on the Internet side (eth1) to squid's local port
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

1 Answer


You also need to forward what comes in on eth0 on port 443 to the Squid listening port 3128, to be able to use the transparent proxy for HTTPS requests.

Try adding this to your iptables:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.60:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
  • Can you expand at all? Commented Feb 26, 2014 at 3:08
  • It seems not to work well; I hadn't tried it before. Some instructions set a different port for HTTPS and generate and install a certificate for this purpose (like this one: link). So just forwarding port 443 may not be a complete solution, but I'm not sure why setting the IP/port of the proxy server is fine for HTTPS requests, while when we want to make it transparent, NAT table forwarding is not enough.
    – 2i3r
    Commented Feb 26, 2014 at 11:24
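What the answer and the comment under it are circling around, as an added example that is not code from the question, the answer or the Squid project: Squid cannot take intercepted HTTPS on the same plain http_port 3128 that serves browser-configured clients. A browser with an explicit proxy setting sends a CONNECT request in plain HTTP, which Squid simply tunnels; an intercepted client sends a raw TLS ClientHello, which a plain http_port cannot parse, so redirecting port 443 to 3128 fails even though the NAT rule itself is correct. Squid needs ports marked intercept, and for 443 an https_port with ssl-bump plus a CA certificate. The script below (Squid 4 or later assumed; interface names and addresses are those of the question; the intercept ports 3129/3130, the CA file path and the certgen helper path are assumptions) emits or applies the iptables rules and prints the matching squid.conf fragment.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or Squid itself.
# Transparent HTTP + HTTPS interception with Squid (4.x or later assumed) on a
# Linux router. Interface names and addresses come from the question; the
# intercept ports 3129/3130, the CA file path and the certgen helper path are
# assumptions and must be adapted to the target system.
LAN_IF="${LAN_IF:-eth0}"
LAN_IP="${LAN_IP:-192.168.0.60}"
WAN_IF="${WAN_IF:-eth1}"
WAN_IP="${WAN_IP:-10.100.33.239}"
PROXY_PORT=3128       # explicit (browser-configured) proxy port, as in the question
HTTP_INTERCEPT=3129   # assumed: Squid "http_port ... intercept"
HTTPS_INTERCEPT=3130  # assumed: Squid "https_port ... intercept ssl-bump"
CA_PEM="${CA_PEM:-/etc/squid/ca.pem}"                        # assumed: CA cert+key
CERTGEN="${CERTGEN:-/usr/lib/squid/security_file_certgen}"  # assumed helper path
IPT="${IPT:-iptables}"  # set IPT=echo to print the rules instead of applying them

# Emit or apply the NAT and filter rules. Intercepted traffic goes to ports
# distinct from 3128: Squid must know a port is "intercept" to rebuild the URL
# from the Host header or the TLS SNI, and a ClientHello arriving on a plain
# http_port is just a parse error. Only the LAN side is intercepted, and
# connections addressed to the router itself are left alone. Squid's own
# outbound connections leave via OUTPUT/POSTROUTING, never PREROUTING, so the
# REDIRECT rules cannot loop back into Squid.
tproxy_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" ! -d "$LAN_IP" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$HTTP_INTERCEPT"
    $IPT -t nat -A PREROUTING -i "$LAN_IF" ! -d "$LAN_IP" -p tcp --dport 443 \
        -j REDIRECT --to-ports "$HTTPS_INTERCEPT"
    # masquerade what Squid (and any forwarded traffic) sends toward the Internet
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # redirected connections now terminate on the router, so they pass INPUT, not FORWARD
    $IPT -t filter -A INPUT -i "$LAN_IF" -p tcp -m multiport \
        --dports "$PROXY_PORT,$HTTP_INTERCEPT,$HTTPS_INTERCEPT" -j ACCEPT
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Matching squid.conf fragment. With "splice" Squid only peeks at the SNI and
# passes the TLS session through untouched, so clients need not trust anything;
# change the last line to "ssl_bump bump all" to decrypt, in which case every
# LAN client must trust the CA in $CA_PEM, because Squid then acts as a MITM.
squid_conf() {
    cat <<EOF
# explicit proxy port, unchanged from the question
http_port $PROXY_PORT
# transparent HTTP: the URL is rebuilt from the Host header
http_port $HTTP_INTERCEPT intercept
# transparent HTTPS: needs ssl-bump and a CA to mint per-host certificates
https_port $HTTPS_INTERCEPT intercept ssl-bump cert=$CA_PEM generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program $CERTGEN -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
EOF
}

# "show" (default) prints the rule set and the squid.conf fragment; "apply" installs the rules
main() {
    case "${1:-show}" in
        apply) tproxy_rules ;;
        show)  IPT=echo; tproxy_rules; echo; squid_conf ;;
        *)     echo "usage: $0 [show|apply]" >&2; return 2 ;;
    esac
}
main "$@"
```

Run it without arguments to review the rules, then `sh tproxy.sh apply` as root once `net.ipv4.ip_forward=1` is set. Before starting Squid, create the certificate cache the fragment refers to with `security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB` (assumed path) and make sure the CA file is readable only by the Squid user, since whoever holds that key can impersonate any HTTPS site to the LAN.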

