I have set up a wireless access point on my Debian 8 laptop following this and this tutorial. When redirecting iptables to port 9040 it works, but after changing the port to 8118, which is the one privoxy listens on, it doesn't work and I can't access any website from my clients. Do I have to activate/specify any extra options so that privoxy would accept the requests? I can set my browser to work with privoxy, so why can't I do the same there? I have set my privoxy to forward the traffic to Tor and I want my clients to be able to access the internet through Tor. How can I achieve this?

My /etc/iptables.ipv4.nat file:

```
# Generated by iptables-save v1.4.21 on Mon Jan 12 20:42:04 2015
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-port 9040
# Completed on Mon Jan 12 20:42:04 2015
# Generated by iptables-save v1.4.21 on Mon Jan 12 20:42:04 2015
:INPUT ACCEPT [24351:18113815]
:OUTPUT ACCEPT [22600:14890944]
# Completed on Mon Jan 12 20:42:04 2015
```

1 Answer


I guess that you are not removing your former iptables rule redirecting the traffic to port 9040, thus the new rule has no real effect, because the older rule comes first.

Examine your configuration:

```
iptables -t nat -L
```

I assume that the rule redirecting to port 9040 comes before the new one you've added redirecting to port 8118, thus this later rule has no use.

To correct this, remove your old rule (this will delete the 3rd rule on the PREROUTING chain in the nat table; it should be the 3rd one according to your post):

```
iptables -t nat -D PREROUTING 3
```

Add the new rule:

```
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-port 8118
```

You can also flush all the rules and then run your script again after you've updated it.

  • I tried this but it seems I need to configure privoxy. Also privoxy is listening on `localhost` port `8118`. This is what `netstat` shows: `tcp6 0 0 ::1:8118 :::* LISTEN 802/privoxy` – moki Jan 13 '15 at 18:45
  • maybe DNAT also? --to-destination Just make the privoxy listening on, you may want to add some extra fw rules to that though. – Matías Jan 14 '15 at 16:09
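
The two checks this thread turns on, as an added example that is not part of the original posts: the first-match ordering from the answer, and the loopback-only listener shown in the `netstat` comment. The function names are hypothetical, the sample rules are constructed from the ones quoted above, and only rules whose match is identical to an earlier REDIRECT rule are flagged.

```shell
#!/bin/sh
# Report PREROUTING REDIRECT rules (iptables-save format on stdin) that can
# never fire because an earlier rule with the identical match already
# redirected the packet: the first matching rule wins.
shadowed_redirects() {
    awk '
    $1 == "-A" && $2 == "PREROUTING" && /-j REDIRECT/ {
        key = $0;  sub(/ -j REDIRECT.*/, "", key)     # match part, target dropped
        port = $0; sub(/.*--to-ports? /, "", port)    # redirect port only
        if (key in winner)
            printf "shadowed: port %s never used, port %s wins\n", port, winner[key]
        else
            winner[key] = port
    }'
}

# Exit 0 if netstat -tln output on stdin shows port $1 listening on a
# non-loopback address. REDIRECT in PREROUTING rewrites the destination to the
# address of the incoming interface, so a loopback-only listener is unreachable.
listens_off_loopback() {
    awk -v port="$1" '
    $6 == "LISTEN" && $4 ~ (":" port "$") {
        addr = $4; sub(/:[0-9]+$/, "", addr)
        if (addr != "::1" && addr !~ /^127\./) ok = 1
    }
    END { exit (ok ? 0 : 1) }'
}

# Constructed sample: the rules from the question plus the appended 8118 rule.
RULES='-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 8118'
# The netstat line quoted in the comment above.
NETSTAT='tcp6 0 0 ::1:8118 :::* LISTEN 802/privoxy'

printf '%s\n' "$RULES" | shadowed_redirects
if printf '%s\n' "$NETSTAT" | listens_off_loopback 8118; then
    echo "8118 is reachable from wlan0"
else
    echo "8118 is loopback-only: redirected client traffic cannot reach it"
fi
```

On a live system, feed the functions `iptables-save -t nat` and `netstat -tln` instead of the embedded samples.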