IPtables, route traffic from local machine through proxy

Deicist Registered User regular
Hopefully someone can help with this...

I currently have a Linux (Ubuntu) web server which needs to be able to access the web (because some of the scripts on it require access via cURL to the outside world). This server sits behind an HTTP proxy server. Now, in the past I've been fudging the scripts manually by setting the cURL options myself. However, I've recently realised that there should be a way of making all web traffic on this machine be routed through the proxy server by default.

However, I have no idea how to do this... anyone give me some help here?


Posts

  • bowen How you doin'? Registered User regular
    I've done this before. It's a dick to set up.

    http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

    This is how I did it with squid I believe.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Deicist Registered User regular
    Hmm... okay, that seems to be for when you want a router to pass traffic through a proxy. Now, I assume that it's the same principle to get traffic from 'this machine' to go through the proxy without having a router in the middle, but what specifically do I need to do? Will this work (based on that page, and assuming that 201 is indeed an unused routing table)?
    $IPTABLES -t mangle -A PREROUTING -i $INPUTINTERFACE -p tcp --dport 80 -j MARK --set-mark 2
    $IPTABLES -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
    echo "201   proxy" >> /etc/iproute2/rt_tables
    ip rule add fwmark 2 table proxy
    ip route add default via "192.168.250.1" table proxy
    

    $INPUTINTERFACE is a variable, isn't it? Do I need to change that to an actual interface (localhost?)

    Sorry for my denseness; I've not really had to play with IPTables at this level before.

  • bowen How you doin'? Registered User regular
    Yeah that's the general thought behind it. Whatever box has the iptables needs to be the gateway for 192.168.250.1 so that it can direct traffic to the proxy.

    Seems like you've got a basic understanding of it, about as much as I do anyways. Unfortunately the thing I used had its own scripting language built over iptables, so I didn't deal with it at a low level.

  • Djeet Registered User regular
    Deicist wrote:
    $INPUTINTERFACE is a variable isn't it? Do I need to change that to an actual interface (localhost?)

    Yes, after the "-i" switch you need to specify the named interface (e.g. eth0 or eth1). I believe the name of the localhost interface is "lo" (the first two letters of "localhost"), but I've never used IPTables to shape traffic outbound from the host, so haven't used that syntax myself.

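A worked version of the policy-routing approach discussed in the thread, added here as an example and not posted by any of the participants. It keeps the thread's values (proxy box at 192.168.250.1, fwmark 2, routing table 201 named "proxy") as assumptions and corrects the one detail that stops the posted rules from working for this host's own traffic: packets generated locally never pass through PREROUTING (that chain only sees packets arriving on an interface), so the mark has to be set in the mangle OUTPUT chain, where "-i <interface>" is not a valid match anyway. By default the script only prints the commands so they can be reviewed; "--apply" runs them and needs root.

```shell
#!/bin/sh
# Added example, not code from the thread. Policy-route this host's OWN
# outbound HTTP (TCP/80) via the proxy box. All values are assumptions taken
# from the thread and can be overridden from the environment.
set -eu

PROXY_GW="${PROXY_GW:-192.168.250.1}"   # next hop: the proxy box (assumed)
MARK="${MARK:-2}"                       # fwmark that selects the proxy table
TABLE_ID="${TABLE_ID:-201}"             # assumed to be an unused table number
TABLE_NAME="${TABLE_NAME:-proxy}"

# Emit the commands rather than running them, so they can be read first.
#  - mangle OUTPUT, not PREROUTING: locally generated packets only traverse
#    OUTPUT/POSTROUTING, and OUTPUT has no input interface to match on.
#  - the rt_tables entry is added only if it is not already there, so the
#    script can be re-run without growing the file.
#  - "ip route ... via" only changes the next hop; the proxy box itself must
#    intercept port 80 (e.g. Squid in intercept mode with its own REDIRECT
#    rule, as on the wiki page linked above) and have forwarding enabled.
policy_route_rules() {
  cat <<EOF
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark ${MARK}
grep -q "^${TABLE_ID}[[:space:]]" /etc/iproute2/rt_tables || echo "${TABLE_ID} ${TABLE_NAME}" >> /etc/iproute2/rt_tables
ip rule add fwmark ${MARK} table ${TABLE_NAME}
ip route add default via ${PROXY_GW} table ${TABLE_NAME}
EOF
}

# Run each emitted command, echoing it first (requires root).
apply_rules() {
  policy_route_rules | while IFS= read -r cmd; do
    echo "+ $cmd"
    sh -c "$cmd"
  done
}

case "${1:-}" in
  --apply) apply_rules ;;          # changes this host's routing
  *)       policy_route_rules ;;   # default: dry run, print only
esac
```

Two caveats a practitioner would check before relying on this. First, only port 80 is covered: redirecting 443 to an intercepting proxy does not work without the proxy terminating TLS, so HTTPS requests from the scripts still need an explicit proxy setting. Second, if the proxy is an ordinary forward proxy rather than an intercepting one, no amount of routing will help, because a forward proxy expects to be addressed directly; in that case the simplest fix for the original poster's cURL scripts is to export http_proxy and https_proxy in the environment (libcurl honours both) or to put a proxy = host:port line in ~/.curlrc, rather than touching iptables at all.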