How to use iptables to connect proxy server

3

1

In my company, all http and https must connect to a proxy server, which means we must set proxy in our web browser.

Our department has an internal network (192.168.0.xxx). I use a Linux server as a router and use iptables to set up NAT.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Now, the Linux router works well. We can set the proxy and access the Internet.

My question is: I want to use the Linux router to connect to the proxy server, so that the computers in our internal network (192.168.0.xxx) can access the Internet without setting a proxy.

Is this possible?

siyuan

Posted 2013-01-31T08:51:17.347

Reputation: 93

Answers

1

Try this rule:

# redirect LAN clients' HTTP (port 80) to the proxy, except traffic from the proxy itself
iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.0.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:3128
# hairpin: rewrite the source to the router so the proxy's replies come back through the router
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to-source 192.168.0.1
# allow the redirected connections through the FORWARD chain
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.2 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

where:

192.168.0.2 - proxy server IP (Squid, etc.);
192.168.0.1 - router IP (where iptables is running);
192.168.0.0/24 - your local network

I could be wrong, check carefully.

ymn

Posted 2013-01-31T08:51:17.347

Reputation: 279
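As an added example (not code from either answer), here is the same rule set as a small script with the addresses as variables, so the rules can be reviewed before they are applied. It assumes the thread's layout: LAN 192.168.0.0/24 on eth0, router 192.168.0.1, and a separate proxy host 192.168.0.2 whose Squid listens on 3128 in intercept mode; the function names are the example's own.

```shell
#!/bin/sh
# Added example: generates the transparent-HTTP-redirect rules from the answer
# above with the addresses as variables. Defaults follow the thread's layout
# (assumed): LAN 192.168.0.0/24 on eth0, router 192.168.0.1, proxy 192.168.0.2:3128.
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
ROUTER_IP=${ROUTER_IP:-192.168.0.1}
PROXY_IP=${PROXY_IP:-192.168.0.2}
PROXY_PORT=${PROXY_PORT:-3128}

# Print the rules rather than applying them, so they can be reviewed (or
# compared with the output of iptables-save) first. Only port 80 is redirected;
# HTTPS stays on the existing MASQUERADE path, because sending 443 into the
# proxy breaks the TLS handshake (certificate errors on every client).
transparent_proxy_rules() {
    cat <<EOF
# 1. LAN clients' port-80 traffic goes to the proxy; the proxy itself is excluded
#    (current iptables wants '! -s'; the older '-s !' form is deprecated).
iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
# 2. Hairpin: client and proxy share a subnet, so the proxy's replies must come
#    back through the router to be un-DNATed, hence SNAT to the router address.
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j SNAT --to-source $ROUTER_IP
# 3. Let the redirected flow through the FORWARD chain (same interface in and out).
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
EOF
}

# Sanity checks worth running before 'apply'.
check_rules() {
    # The DNAT/SNAT hairpin is only for a proxy on a separate host. When Squid
    # runs on the router itself, '-j REDIRECT --to-ports' is the right target.
    if [ "$PROXY_IP" = "$ROUTER_IP" ]; then
        echo "proxy is on the router: use '-j REDIRECT --to-ports $PROXY_PORT' instead" >&2
        return 1
    fi
    # Without the exclusion the proxy's own outbound port-80 requests loop back to it.
    transparent_proxy_rules | grep -q -- "! -s $PROXY_IP" || return 1
    # Make sure 443 never ends up in the redirect.
    if transparent_proxy_rules | grep -q -- '--dport 443'; then return 1; fi
    return 0
}

case "${1:-}" in
    apply) check_rules && transparent_proxy_rules | sh -e ;;  # as root on the router
    *)     transparent_proxy_rules ;;                          # default: show only
esac
```

Run it without arguments to print the rules, and with `apply` as root on the router once the addresses match your network.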

1

Without having tested it, I think the solution from @ymn is valid for HTTP, but I don't think you can get around specifying an equivalent line for HTTPS - indeed, any such solution should throw up certificate errors etc. because you are, in effect, doing a man-in-the-middle attack on your own network.

(You may be able to get round this - to some degree - but it's not a good idea as you are stripping the security SSL gives. Have a look at sslstrip - http://www.thoughtcrime.org/software/sslstrip/)

Maybe a better middle ground might be to try doing proxy autoconfiguration (WPAD with DHCP) - http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Fully_Automatically_Configuring_Browsers_for_WPAD

davidgo

Posted 2013-01-31T08:51:17.347

Reputation: 49 152

There is already a squid server on my router now. – siyuan – 2013-02-02T07:10:11.487

Thank you! There is already a squid server on my router now. Suppose my company's proxy is proxy.com:85; we set up a squid at 192.168.0.5:3128. Now, we can access the Internet by setting the proxy to 192.168.0.5:3128 or proxy.com:85. What I want is to access the Internet without setting a proxy, because some programs can't set a proxy, such as some online updates. – siyuan – 2013-02-02T07:18:51.063