Astronome Tux's lil' helper
Joined: 02 Jan 2016 Posts: 148
Posted: Sat Jun 18, 2016 11:20 pm Post subject: [Solved] Minimum kernel config for iptables |
I'm interested in setting up a transparent proxy for a single computer on my home network. The same machine will act as both the proxy and the client connecting to it. I figure I will use iptables with something like the following rule, taken from here:
Code:
    iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner $SQUID --dport 80 -j REDIRECT --to-port 8080
I understand that I need to configure my kernel according to this article. But do I need to follow the instructions under the "client" or "router" section? Both?
Do I really need to enable everything in that article or can I set up a simple rule like the above with less?
Last edited by Astronome on Thu Jun 23, 2016 5:48 pm; edited 1 time in total
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54244 Location: 56N 3W
Posted: Sun Jun 19, 2016 9:19 am Post subject:
Astronome,
A few things.
As you are setting up a transparent proxy on a single machine, only for that single machine, you may only need the client bit of that wiki page.
NAT (Network Address Translation) is only used on routers, where one system shares an IP address among several systems, so that from upstream, they all appear to have the same IP address.
Your router does this. Your ISP will assign you a single public IP address, then it will provide NAT to your home network.
You will only use iptables to forward some ports to squid and get the responses.
Transparent proxies are less useful than they once were. They cannot cache dynamically generated web content and the web is moving toward that more and more.
-- edit --
If you can live without the transparent bit, you don't need iptables at all.
Configure your browser to point to squid.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
szatox Advocate
Joined: 27 Aug 2013 Posts: 3137
Posted: Sun Jun 19, 2016 9:22 pm Post subject:
Quote:
    If you can live without the transparent bit, you don't need iptables at all.
And if you can't live without the transparent bit, you can't have the proxy on the same IP as your browser.
Why? Because if you hijack your browser's connection and direct it to the proxy without moving away from the start point, the same rule will be applied to the proxy-initiated connection.
Once the proxy attempts to reach the actual server, its connection will be hijacked too, and then directed to your proxy. Oops... You're in a loop.
You need at least some abstraction with virtual interfaces, probably a container or a VM hosting your proxy (so it has a different IP). Maybe your router could do that for you.
Astronome Tux's lil' helper
Joined: 02 Jan 2016 Posts: 148
Posted: Thu Jun 23, 2016 5:48 pm Post subject:
NeddySeagoon wrote:
    NAT (Network Address Translation) is only used on routers, where one system shares an IP address among several systems, so that from upstream, they all appear to have the same IP address.
    Your router does this. Your ISP will assign you a single public IP address, then it will provide NAT to your home network.
I did need to include nat table support in my kernel config in order to add iptables rules there, but I didn't need to include all the options under the router config section.
szatox wrote:
    And if you can't live without the transparent bit, you can't have the proxy on the same IP as your browser.
    Why? Because if you hijack your browser's connection and direct it to the proxy without moving away from the start point, the same rule will be applied to the proxy-initiated connection.
    Once the proxy attempts to reach the actual server, its connection will be hijacked too, and then directed to your proxy. Oops... You're in a loop.
Actually, if you include `-m owner ! --uid-owner $BLAH` where $BLAH is the uid of the proxy user, you can avoid the loop and run both on the same machine.
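The uid-owner trick from the post above, as an added example that is not from this thread: a small POSIX shell script that (a) checks a kernel .config for the options the rule depends on (the option names are my assumption about what provides the nat table, the owner match and the REDIRECT target; they are not listed in the thread and are not an exhaustive list) and (b) models the OUTPUT rule's decision to show why the proxy's own upstream connections are not redirected, which is what breaks the loop szatox describes.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Kernel options assumed to back: nat table, -m owner, -j REDIRECT.
# Verify the names against your own kernel tree before relying on them.
REQUIRED_OPTS="CONFIG_NF_NAT CONFIG_NETFILTER_XT_MATCH_OWNER CONFIG_NETFILTER_XT_TARGET_REDIRECT"

# $1: path to a kernel .config. Prints each required option that is
# neither built in (=y) nor a module (=m), one per line.
kconfig_missing() {
    for opt in $REQUIRED_OPTS; do
        grep -Eq "^${opt}=(y|m)$" "$1" || echo "$opt"
    done
}

# Model of the thread's rule:
#   iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner $SQUID \
#            --dport 80 -j REDIRECT --to-port 8080
# $1: uid of the process that sent the packet, $2: destination port,
# $3: uid the proxy runs as. Prints the port the packet actually goes to.
redirect_decision() {
    uid=$1; dport=$2; squid_uid=$3
    if [ "$dport" = 80 ] && [ "$uid" != "$squid_uid" ]; then
        echo 8080          # browser traffic: handed to the local proxy
    else
        echo "$dport"      # proxy's own fetch (or non-80): untouched, no loop
    fi
}

# Constructed sample .config fragment; the owner match is deliberately absent.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NF_NAT=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
EOF

echo "missing from sample config: $(kconfig_missing "$SAMPLE_CONFIG")"
echo "browser (uid 1000) to :80 ends up on port $(redirect_decision 1000 80 31)"
echo "squid   (uid 31)   to :80 ends up on port $(redirect_decision 31 80 31)"
rm -f "$SAMPLE_CONFIG"
```

Run it against the real file with `kconfig_missing /usr/src/linux/.config` (path is an assumption) to see which options your kernel still lacks.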