linux
lohmag, 2014-09-19 12:02:28

Tproxy and FORWARD?

I need to set up a completely transparent proxy to filter some URLs. I did it as written in the manual, and it seems to work:
ip -f inet rule add fwmark 1 lookup 100                # packets marked 1 use routing table 100
ip -f inet route add local default dev eth0 table 100  # ... which delivers everything to the local host
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT   # packets belonging to already-proxied sockets
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129   # new HTTP connections go to Squid's tproxy port
The problem is that this server is also my firewall, which blocks certain IPs in the FORWARD chain,
and the HTTP traffic that goes to Squid via tproxy no longer passes through FORWARD.
How can this be implemented?
TPROXY refuses to go into POSTROUTING:
TPROXY target: used from hooks POSTROUTING, but only usable from PREROUTING

1 answer(s)
Valentine, 2014-09-19
@lohmag

Everything comes from a misunderstanding of how iptables works :) Namely, only transit traffic goes through the FORWARD chain, while you want to process local traffic (it goes to a local proxy, doesn't it?). The conclusion is as follows: you will also have to filter INPUT (or OUTPUT). Look carefully at the order in which packets traverse the chains.
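An added example illustrating the answer (this is not code from the thread): the IP blocklist lives in shared user chains that are referenced from FORWARD for routed traffic, from INPUT for packets the TPROXY/DIVERT rules above have marked with 0x1 (those are delivered locally and never see FORWARD), and from OUTPUT for Squid's own upstream connections. The function emits an iptables-restore fragment; the chain names, the fwmark 0x1 and the sample addresses are assumptions/constructed values.

```shell
#!/bin/sh
# Emit a filter-table fragment for iptables-restore from a blocklist.
# Chains BLOCKED_SRC / BLOCKED_DST are hypothetical names chosen here.
# Usage (as root): build_filter_rules "198.51.100.7 203.0.113.0/24" > rules.v4
#                  iptables-restore -n < rules.v4     # -n keeps existing rules
build_filter_rules() {
    blocked="$1"   # whitespace-separated IPv4 addresses or CIDRs (constructed input)
    printf '%s\n' '*filter'
    printf '%s\n' ':BLOCKED_SRC - [0:0]'
    printf '%s\n' ':BLOCKED_DST - [0:0]'
    for ip in $blocked; do
        # Crude sanity check: only digits, dots and an optional /prefix are accepted,
        # so a malformed entry cannot smuggle extra rule text into the fragment.
        case "$ip" in
            *[!0-9./]*) printf 'skipping invalid entry: %s\n' "$ip" >&2; continue ;;
        esac
        printf '%s\n' "-A BLOCKED_SRC -s $ip -j DROP"
        printf '%s\n' "-A BLOCKED_DST -d $ip -j DROP"
    done
    # Routed (transit) traffic: this is where the original firewall rules lived.
    printf '%s\n' '-A FORWARD -j BLOCKED_SRC'
    printf '%s\n' '-A FORWARD -j BLOCKED_DST'
    # Packets steered to the local Squid by TPROXY carry fwmark 0x1 (set in
    # mangle/PREROUTING) and arrive via INPUT, so the same blocklist is applied here.
    printf '%s\n' '-A INPUT -m mark --mark 0x1/0x1 -j BLOCKED_SRC'
    # Squid's own connections to origin servers leave through OUTPUT.
    printf '%s\n' '-A OUTPUT -j BLOCKED_DST'
    printf '%s\n' 'COMMIT'
}
```

Load the output with iptables-restore rather than typing the rules by hand, so the chain definitions and the three hook rules land atomically.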
