Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 10-14-2009, 04:07 PM   #1
LQ Newbie
Registered: Oct 2009
Posts: 2

Rep: Reputation: 0
Question about IPTABLES Configuration / Squid Proxy


Here is quick info on my environment -
I have a CentOS 5.3 box server as firewall/gateway/router.
It has two interfaces
eth0 - public internetIP
eth1 - internal network IP (

The server hands out DHCP to all clients, and the server is the gateway.

I have installed squid proxy, and configured it to allow the local subnet, and added transparent option.

I added this to my iptables
# http proxy redirect

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination

The transparent caching now appears to work. However I came across this article which says this: "WARNING: This method of interception is not recommended. There are other methods such as Proxy.PAC and http_proxy environment variable which are as effective and less intrusive when multiple clients are involved."

So I am trying to find the better way to do this. This is what I have come up with so far but does not seem to be working:
-A PREROUTING -i eth0 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

Is this correct? Does anyone have better suggestions on how to do this?


Last edited by andy.schmid; 10-14-2009 at 04:08 PM.
Old 10-15-2009, 10:31 AM   #2
LQ Newbie
Registered: Jan 2008
Posts: 9

Rep: Reputation: 0

You're mixing two things. NAT interception is something which allows you transparent proxying _without_ browser configuration.

WPAC and other stuff feeds proxy config to the browsers, and is not supported by all browsers.

So there's nothing wrong in the solution you used in the first place.

Old 10-15-2009, 10:37 AM   #3
LQ Newbie
Registered: Oct 2009
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks, I understand now how I confused the two.

Now, just for my knowledge, what would be the difference between using the DNAT and the REDIRECT for interception?

Is one better then the other? Or are they for different applicable situations?
Old 10-15-2009, 10:54 AM   #4
LQ Newbie
Registered: Jan 2008
Posts: 9

Rep: Reputation: 0
Redirect won't work in this case, cuz it changes destination address in the packet, which is not the point in this case
Old 10-15-2009, 11:14 AM   #5
Senior Member
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Now, just for my knowledge, what would be the difference between using the DNAT and the REDIRECT for interception?
This is from the iptables man page:
This target is only valid in the nat table, in the PREROUTING and OUT-
PUT chains, and user-defined chains which are only called from those
chains. It redirects the packet to the machine itself by changing the
destination IP to the primary address of the incoming interface
(locally-generated packets are mapped to the address).
Therefore, the following two rules are equivalent:

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

Last edited by Berhanie; 10-15-2009 at 11:17 AM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
squid proxy server configuration & distribution of internet without proxy gaurav_gupta082 Linux From Scratch 2 07-31-2010 11:25 AM
squid proxy-only configuration SPEEDEX Linux - Server 0 06-18-2009 03:38 AM
Squid configuration question. Client => HTTPS => proxy => HTTP => webserver newhere Fedora 5 02-21-2009 01:33 PM
squid proxy with iptables ssilayaraja Linux - Networking 7 04-14-2008 12:15 AM
Squid proxy configuration mukeshrathod15 Linux - Networking 2 01-29-2007 11:33 PM

All times are GMT -5. The time now is 09:09 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration