[tproxy] NAT to TPROXY convertion rules

KOVACS Krisztian hidden at balabit.hu
Mon Jan 15 12:17:29 CET 2007


On Saturday 06 January 2007 15:44, zulkarnain wrote:
> I'm running tproxy with the squid server in different
> box, my topology look like this:
> [Client]-------[Squid]---[tproxy/FW]----[Web server]
> [squid]
> - tproxy patched kernel and iptables-1.3.6
> [tproxy/FW]:
> iptables -t tproxy -A PREROUTING -i eth0 -s !
> -m tcp -p tcp --dport 80 -j TPROXY
> --on-port 3128 --on-ip

  It looks like you're somewhat confused where the tproxy patches should 
go. If Squid and the firewall are on different machines, you don't have 
to use tproxy on the firewall itself but on the Squid machine. In that 
case something like the rule above should be working.

> with the config above, my squid not running well. I
> read on "Transparent Proxy with Linux and Squid
> mini-HOWTO" there are some rules I've to configure
> which is;
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box
> -p tcp --dport 80 -j DNAT --to squid-box:3128
> iptables -t nat -A POSTROUTING -o eth0 -s
> local-network -d squid-box -j SNAT --to iptables-box
> iptables -A FORWARD -s local-network -d squid-box -i
> eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

  I guess these rules are not for the setup you've described. It seems to 
me that this would be appropriate you used something like this:

  [Client]-----[FW]------------[Web server]

  Krisztian Kovacs

More information about the tproxy mailing list