Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 02-28-2024, 09:33 AM   #1
dalacor
How to redirect local port 80/443 traffic for other users on same machine


This should be simple, but I can't see how you actually achieve this.

I have E2guardian Proxy Server installed on Slackware. I have transparent and explicit proxy setup in the firewall rules as follows:

Code:
# TCP Ports 80 and 443 Transparent Proxy redirect to E2guardian Proxy Server

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8081
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-ports 8443

# TCP Port 80 Linux and E2guardian HTTP Internet Access

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

# TCP Port 443 Linux and E2guardian HTTPS Internet Access

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

# TCP Port 8081 E2guardian Explicit Internet Access - No transparent Proxy

iptables -A INPUT -i eth1 -p tcp --dport 8081 -m conntrack --ctstate NEW -j ACCEPT

# TCP Port 8443 Transparent Proxy through E2guardian

iptables -A INPUT -i eth1 -p tcp --dport 8443 -m conntrack --ctstate NEW -j ACCEPT
So all traffic on the internal LAN connects to the proxy server either explicitly using port 8081 or transparently using port 8443. The E2guardian proxy server is able to connect to the Internet on the allowed outbound ports 80/443. So the computers behind the proxy server are filtered perfectly.

Problem is, the Slackware system that E2guardian itself is installed on is not going through the proxy server, so I can't see what websites the Slackware system itself connects to!

I know that I need to change the code below:
Code:

# TCP Port 80 Linux and E2guardian HTTP Internet Access

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

# TCP Port 443 Linux and E2guardian HTTPS Internet Access

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

to use this so as to only allow the user e2guardian to connect to the Internet:

Code:
# TCP Port 80 Linux and E2guardian HTTP Internet Access

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m owner --uid-owner e2guardian -m conntrack --ctstate NEW -j ACCEPT

# TCP Port 443 Linux and E2guardian HTTPS Internet Access

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m owner --uid-owner e2guardian -m conntrack --ctstate NEW -j ACCEPT
So restricting outbound Internet access to E2guardian is simple. But I still can't see how to redirect port 80/443 traffic from other users on the same Slackware system to go to the E2guardian service itself. PREROUTING is not right, as the traffic is already on Slackware - not coming into the network interface.

I am sure it's very simple, but I can't see what one does to redirect other users' Internet traffic to the proxy service on the same machine.
 
Old 02-29-2024, 02:48 AM   #2
dalacor
I have moved this post to the networking thread, as I have just realised this is in the wrong thread.
 
Old 02-29-2024, 03:00 AM   #3
viel
Hi,

From my little knowledge I think it is not trivial.

So it seems similar to redirecting all traffic through Tor, but in this case to E2guardian: you want a machine that routes all traffic to E2Guardian, the machine itself included.

The solution will be very similar to routing everything through Tor, the machine's own traffic included.

Iptables acts on the first matching rule, so put "only allow the user e2guardian to connect to the Internet" first, and after this redirect all the normal output.

Something like,

E2Guardian port 80 ---> to internet
Normal port 80 --> to highest port
highest port to E2Guardian.

I do not feel trained enough to write the rules directly; my knowledge does not stretch further.

Some searching on the Internet will point you in the right direction.

Hope that helps.

Edited: oops, too late.

Viel.

Last edited by viel; 02-29-2024 at 03:09 AM.
 
Old 03-12-2024, 05:23 AM   #4
dalacor
I have managed to solve this problem. The relevant rules are as required:

Code:
# TCP Ports 80 and 443 Transparent Proxy redirect to E2guardian Proxy Server

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8081
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-ports 8443

# TCP Port 80 Linux and E2guardian HTTP Internet Access

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m owner --uid-owner e2guardian -m conntrack --ctstate NEW -j ACCEPT

# TCP Port 443 Linux and E2guardian HTTPS Internet Access

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m owner --uid-owner e2guardian -m conntrack --ctstate NEW -j ACCEPT

# TCP Port 8081 E2guardian Explicit Internet Access - No transparent Proxy

iptables -A INPUT -i eth1 -p tcp --dport 8081 -m conntrack --ctstate NEW -j ACCEPT

# TCP Port 8443 Transparent Proxy through E2guardian

iptables -A INPUT -i eth1 -p tcp --dport 8443 -m conntrack --ctstate NEW -j ACCEPT

I have just added the following rules below

# Redirect local Slackware HTTP (port 80) traffic to E2guardian Service

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner e2guardian -j DNAT --to-destination $Slackware:8081
iptables -A OUTPUT -o eth0 -p tcp --dport 8081 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 8081 -m conntrack --ctstate NEW -j ACCEPT

# Redirect local Slackware HTTPS (port 443) traffic to E2guardian Service
iptables -t nat -A OUTPUT -p tcp --dport 443 -m owner ! --uid-owner e2guardian -j DNAT --to-destination $Slackware:8443
iptables -A OUTPUT -o eth0 -p tcp --dport 8443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 8443 -m conntrack --ctstate NEW -j ACCEPT
So essentially you reroute the ports to the IP address of the internal NIC interface. This part was easy to sort. The next part took a while to figure out: Linux defaults to using the eth0 IP address as the address to send from, which is why the redirected traffic was coming from eth0 even though it originated on the actual system. So you have to allow output on eth0 for ports 8081 and 8443. Then you have to allow input local traffic on those ports, otherwise the firewall blocks the outgoing and incoming on those interfaces, even though it's all on the same system and not actually being sent out to another PC. Tested and works perfectly.
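An added model (not code from the thread or from E2guardian) of the nat OUTPUT and filter OUTPUT chains in the final post, run with first-match semantics over a few locally generated packets to show why the `! --uid-owner e2guardian` exclusion is needed (without it the proxy's own upstream request is sent back to itself) and why the filter chain must accept the rewritten ports 8081 and 8443. It assumes a default DROP policy on OUTPUT, a constructed uid 1001 for the e2guardian user and 192.168.1.1 for the $Slackware address.

```python
from dataclasses import dataclass, replace

PROXY_UID = 1001                   # assumed uid of the "e2guardian" user (constructed)
INTERNAL_IP = "192.168.1.1"        # assumed eth1 address, the $Slackware variable in the post
REDIRECTS = {80: 8081, 443: 8443}  # web port -> local E2guardian port, as in the post


@dataclass
class Packet:
    uid: int
    dport: int
    dst: str
    out_iface: str = "eth0"  # the post reports the rewritten traffic leaving via eth0


def nat_output(pkt, exclude_proxy=True):
    """nat OUTPUT: DNAT web traffic to the local proxy port; first matching rule wins."""
    for port, to_port in REDIRECTS.items():
        if pkt.dport == port and (not exclude_proxy or pkt.uid != PROXY_UID):
            return replace(pkt, dst=INTERNAL_IP, dport=to_port)
    return pkt  # no rule matched: destination left alone


def filter_output(pkt, with_added_rules=True):
    """filter OUTPUT, which sees the dport already rewritten by NAT; assumed policy DROP."""
    rules = [
        # the two '-m owner --uid-owner e2guardian' ACCEPT rules for ports 80 and 443
        lambda p: p.out_iface == "eth0" and p.dport in REDIRECTS and p.uid == PROXY_UID,
    ]
    if with_added_rules:  # the ACCEPT rules for 8081/8443 added in the final post
        rules.append(lambda p: p.out_iface == "eth0" and p.dport in REDIRECTS.values())
    for match in rules:
        if match(pkt):
            return "ACCEPT"
    return "DROP"


def trace(pkt, exclude_proxy=True, with_added_rules=True):
    """Run one locally generated packet through nat OUTPUT, then filter OUTPUT."""
    after_nat = nat_output(pkt, exclude_proxy)
    return after_nat.dst, after_nat.dport, filter_output(after_nat, with_added_rules)


if __name__ == "__main__":
    web = "203.0.113.10"  # constructed external web server address
    print("user 1000 to 443     :", trace(Packet(1000, 443, web)))
    print("proxy user to 443    :", trace(Packet(PROXY_UID, 443, web)))
    print("without 8443 rule    :", trace(Packet(1000, 443, web), with_added_rules=False))
    print("without uid exclusion:", trace(Packet(PROXY_UID, 443, web), exclude_proxy=False))
```

The third trace reproduces the symptom described in the post (the redirected connection is dropped until the 8081/8443 ACCEPT rules exist), and the fourth shows the loop a missing uid exclusion would cause.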
 