Gentoo Forums
[Solved] Minimum kernel config for iptables
Astronome
Tux's lil' helper


Joined: 02 Jan 2016
Posts: 148

PostPosted: Sat Jun 18, 2016 11:20 pm    Post subject: [Solved] Minimum kernel config for iptables

I'm interested in setting up a transparent proxy for a single computer on my home network. The same machine will act as both the proxy and the client connecting to it. I figure I will use iptables with something like the following rule, taken from here:

Code:
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner $SQUID --dport 80 -j REDIRECT --to-port 8080


I understand that I need to configure my kernel according to this article. But do I need to follow the instructions under the "client" or "router" section? Both?

Do I really need to enable everything in that article or can I set up a simple rule like the above with less?


Last edited by Astronome on Thu Jun 23, 2016 5:48 pm; edited 1 time in total
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54236
Location: 56N 3W

PostPosted: Sun Jun 19, 2016 9:19 am    Post subject:

Astronome,

A few things.

As you are setting up a transparent proxy on a single machine, only for that single machine, you may only need the client bit of that wiki page.
NAT (Network Address Translation) is only used on routers, where one system shares an IP address among several systems, so that from upstream, they all appear to have the same IP address.

Your router does this. Your ISP will assign you a single public IP address, then it will provide NAT to your home network.

You will only use IPtables to forward some ports to squid and get the responses.
Transparent proxies are less useful than they once were. They cannot cache dynamically generated web content and the web is moving toward that more and more.

-- edit --

If you can live without the transparent bit, you don't need iptables at all.
Configure your browser to point to squid
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
szatox
Advocate


Joined: 27 Aug 2013
Posts: 3135

PostPosted: Sun Jun 19, 2016 9:22 pm    Post subject:

Quote:
If you can live without the transparent bit, you don't need iptables at all.
And if you can't live without the transparent bit, you can't have the proxy and the browser on the same IP as your browser.
Why? Because if you hijack your browser's connection and direct it to the proxy without moving away from the start point, the same rule will be applied to the proxy-initiated connection.
Once the proxy attempts to reach the actual server, its connection will be hijacked too, and then directed to your proxy. Oops... You're in a loop.

You need at least some abstraction with virtual interfaces, probably a container or a VM hosting your proxy (so it has a different IP). Maybe your router could do that for you.
Astronome
Tux's lil' helper


Joined: 02 Jan 2016
Posts: 148

PostPosted: Thu Jun 23, 2016 5:48 pm    Post subject:

NeddySeagoon wrote:

NAT (Network Address Translation) is only used on routers, where one system shares an IP address among several systems, so that from upstream, they all appear to have the same IP address.

Your router does this. Your ISP will assign you a single public IP address, then it will provide NAT to your home network.


I did need to include nat table support in my kernel config in order to add iptables rules there, but I didn't need to include all the options under the router config section.

szatox wrote:

And if you can't live without the transparent bit, you can't have the proxy and the browser on the same IP as your browser.
Why? Because if you hijack your browser's connection and direct it to the proxy without moving away from the start point, the same rule will be applied to the proxy-initiated connection.
Once the proxy attempts to reach the actual server, its connection will be hijacked too, and then directed to your proxy. Oops... You're in a loop.


Actually, if you include `-m owner ! --uid-owner $BLAH` where $BLAH is the uid of the proxy user, you can avoid the loop and run both on the same machine.
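An added example, not part of the thread, that ties the two answers together: it checks a kernel .config for the options the thread's REDIRECT rule depends on (the thread only says "nat table support" was needed; the specific CONFIG_ names below are my assumption of what the wiki article asks for, and should be checked against your kernel version), and it builds the nat OUTPUT rule with the `! --uid-owner` exclusion that keeps the proxy's own connections out of the redirect, which is what breaks the loop szatox describes. The sample .config fragment and the uid value are constructed so the script runs offline; nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed option names for a kernel that
# must support: nat table in iptables, the owner match, and the REDIRECT target.
REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_NAT CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT CONFIG_NETFILTER_XT_MATCH_OWNER CONFIG_NETFILTER_XT_TARGET_REDIRECT"

# Print each required option that is neither =y nor =m in the given .config.
# Returns 0 when nothing is missing, 1 otherwise.
check_kconfig() {
    cfg="$1"
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq "^${opt}=(y|m)$" "$cfg"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# Build the transparent-proxy rule from the thread. Connections owned by the
# proxy's uid are excluded, so the proxy's own outbound fetches are not sent
# back to the proxy; every other local process talking to from_port is.
build_redirect_rule() {
    proxy_uid="$1"; from_port="$2"; to_port="$3"
    echo "iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner ${proxy_uid} --dport ${from_port} -j REDIRECT --to-port ${to_port}"
}

# Constructed .config fragment for the offline run: the owner match is missing.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_NAT=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_NAT=m
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
EOF

if missing_opts=$(check_kconfig "$SAMPLE_CFG"); then
    echo "kernel config has every required option"
else
    echo "missing from kernel config: $missing_opts"
fi

# Constructed uid for the proxy user; on a real host use: id -u squid
SQUID_UID=31
build_redirect_rule "$SQUID_UID" 80 3128
rm -f "$SAMPLE_CFG"
```

Against a real system, point `check_kconfig` at `/usr/src/linux/.config` (or `zcat /proc/config.gz` into a temp file) before building the kernel; a missing owner match is the case to watch for, because without it the rule still loads in a form that redirects the proxy's own traffic and reproduces the loop.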