LinuxQuestions.org
Old 10-19-2007, 01:39 PM   #1
conrado
LQ Newbie
 
Registered: Apr 2006
Distribution: Slackware-Current
Posts: 23

Rep: Reputation: 15
Transparent proxy not working


I have Slackware 11.0 with tinyproxy and DansGuardian working. Some of my 'smart' clients refused to use the web proxy, so I have tried all the how-tos I have found to make my server work as a transparent proxy; unfortunately, none of the iptables rules I have applied seem to work.

I'm very desperate since I have to stop some users from continuing to bypass the web proxy and navigate wherever they want.

I have already applied these iptables rules; none of them work:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s eth0
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Those didn't work. I also applied the following rules, which didn't work either:

iptables -t nat -A PREROUTING -p tcp -s eth0 --destination-port 80 -j RETURN
iptables -t nat -A PREROUTING -p tcp -s eth0 --destination-port 80 -j REDIRECT --to-ports 8080

As I said, I have used those rules separately and none of them worked. Is there any other rule I could apply so my transparent proxy could work?
 
Old 10-19-2007, 04:22 PM   #2
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 961

Rep: Reputation: 208
Quote:
I have already applied these iptables rules; none of them work:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s eth0
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Those didn't work. I also applied the following rules, which didn't work either:

iptables -t nat -A PREROUTING -p tcp -s eth0 --destination-port 80 -j RETURN
iptables -t nat -A PREROUTING -p tcp -s eth0 --destination-port 80 -j REDIRECT --to-ports 8080

As I said, I have used those rules separately and none of them worked. Is there any other rule I could apply so my transparent proxy could work?

Remember that your proxy needs to be compiled with transparent support.

8080 is likely the port you want to redirect to... the proxy usually listens on port 3128 but only accepts connections from DansGuardian via localhost. So your clients should be connecting to DansGuardian via TCP/8080.

This works for me:
Code:
## Transparent Redirect
## All http must go via proxy on 8080
$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp \
    ! -d 192.168.1.254 --dport 80 -j REDIRECT --to-port 8080

Last edited by mRgOBLIN; 10-19-2007 at 10:29 PM.
 
Old 10-19-2007, 08:13 PM   #3
reikyv
Member
 
Registered: Oct 2007
Location: Malaysia
Distribution: Slackware
Posts: 80

Rep: Reputation: 15
Hi, I also have nearly the same environment, but I use Squid proxy + DansGuardian.

Code:
TRANSPARENT_PROXY ()
{
	if [ "$TRANSPARENT_PROXY" = "1" ] ; then
		echo ".. .. initializing Transparent Proxy"

		$IPT -t nat -A PREROUTING -s $LAN_IP -p tcp --dport $HTTP_PORT -i $INTNIC -j REDIRECT --to $TRANSPARENT_PROXY_PORT
	fi
}
 
Old 10-20-2007, 06:19 AM   #4
conrado
LQ Newbie
 
Registered: Apr 2006
Distribution: Slackware-Current
Posts: 23

Original Poster
Rep: Reputation: 15
Thanks to both of you for your responses. I'm going to try the 2 rules you provided just to see if they work, because I have tested a lot of rules and none worked.

I did compile tinyproxy with the transparent proxy option enabled. In fact, if I want to Bind to one of my eth interfaces, in the tinyproxy logs I get the message 'could not apply Bind Address runing proxy as transparent, Bind Address ignore', so if I get this message I suppose tinyproxy is running as transparent on localhost 127.0.0.1. DansGuardian connects to tinyproxy through port 3128, but I need clients to connect to DansGuardian's port 8080, not my tinyproxy port....

Right now I have it this way: on localhost the only open port is 3128 from tinyproxy; on eth1 the only open ports are 8080 from DansGuardian, which connects to tinyproxy, and port 80 from Apache. (I need Apache to send the error web page from DansGuardian.)

I have it this way...

eth0 connects directly to the Internet
eth1 local internet where DansGuardian is running.

Right now my rc.firewall has the forward mangle option available, so that's why my clients are able to bypass the web proxy if they want to. In case none of the rules I apply work, is there a possibility that, instead of forwarding the Internet to my local network, I could forward it only to port 8080 where DansGuardian is running?

In the next line:

$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp \
! -d 192.168.1.254 --dport 80 -j REDIRECT --to-port 8080

Can someone explain to me what it means? $INT_IF is a variable that saves what? eth0? eth1? My local IP?

The same in the next rule: what does -i $INTNIC mean? My eth1 IP where DansGuardian is running?

If this is the case I should try to use these 2 lines to see which one works:

$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp \
! -d 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 8080

where 192.168.1.0/24 is my local network IP range.

And:

$IPT -t nat -A PREROUTING -s 192.168.0.1/24 -p tcp --dport 80 -i eth1 -j REDIRECT --to 8080

Last edited by conrado; 10-20-2007 at 06:30 AM.
 
Old 10-20-2007, 10:42 AM   #5
reikyv
Member
 
Registered: Oct 2007
Location: Malaysia
Distribution: Slackware
Posts: 80

Rep: Reputation: 15
INT_IF = Internal Interface = normally the NIC that connects to your local LAN
INTNIC = Internal NIC = same as above

I forgot which port I use for DansGuardian and which port I use for Squid. And obviously the TRANSPARENT_PROXY_PORT is the DansGuardian port (of course, if you are running a proxy + DansGuardian).

How about if you only run tinyproxy without DansGuardian? Will the rules work?
Maybe you can have a look at this:
http://dansguardian.org/downloads/DGandTransparent.txt
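
An added example, not part of any post in this thread: a small shell linter run over the rules from posts #1 and #2, showing which option keeps each one from redirecting LAN traffic. It assumes, from post #4, that eth1 is the LAN interface and that only DansGuardian's port 8080 listens there; `lint_rule`, `LAN_IF` and `LAN_PORTS` are hypothetical names.

```shell
# Added example (not from the thread): lint iptables redirect rules.
# Assumptions from post #4: eth1 is the LAN side and only DansGuardian's
# 8080 listens there (tinyproxy's 3128 is bound to localhost).
LAN_IF="${LAN_IF:-eth1}"
LAN_PORTS="${LAN_PORTS:-8080}"

# lint_rule RULE (hypothetical helper): prints space-separated findings or "ok"
lint_rule() {
    rule=$1 findings="" target="" prev=""
    add() { findings="${findings:+$findings }$1"; }
    set -f; set -- $rule; set +f      # split into words without globbing
    for word in "$@"; do
        case "$prev" in
            -s|--source|-d|--destination)
                # -s/-d take an address, network or hostname, not an interface
                case "$word" in
                    eth[0-9]*|lo) add "addr-is-interface:$word" ;;
                esac ;;
            -i|--in-interface)
                # client traffic enters on the LAN interface only
                [ "$word" = "$LAN_IF" ] || add "not-lan-interface:$word" ;;
            --to|--to-port|--to-ports)
                # REDIRECT rewrites the destination to the incoming interface's
                # primary address, so the port must be listening there
                case " $LAN_PORTS " in
                    *" $word "*) ;;
                    *) add "port-not-on-lan:$word" ;;
                esac ;;
            -j|--jump) target=$word ;;
        esac
        prev=$word
    done
    # ACCEPT and RETURN end traversal of the chain without rewriting the packet
    case "$target" in
        ACCEPT|RETURN) add "ends-chain-without-redirect:$target" ;;
    esac
    echo "${findings:-ok}"
}

# Rules from post #1, then the rule from post #2 with $INT_IF set to eth1
while IFS= read -r r; do
    printf '%s\n  -> %s\n' "$r" "$(lint_rule "$r")"
done <<'EOF'
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s eth0
iptables -t nat -A PREROUTING -p tcp -s eth0 --destination-port 80 -j RETURN
iptables -t nat -A PREROUTING -p tcp -s eth0 --destination-port 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp ! -d 192.168.1.254 --dport 80 -j REDIRECT --to-port 8080
EOF
```

The linter only inspects rule text; `iptables -t nat -L PREROUTING -n -v` on the gateway shows whether the packet counters of an installed rule actually increase when a client browses.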
 
Old 10-20-2007, 01:59 PM   #6
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 4,035

Rep: Reputation: Disabled
I'd think that your iptables rules are OK by the looks of it, but maybe you can get some more inspiration by reading the article on tinyproxy/dansguardian I wrote a while ago (focuses on transparent proxying): http://alien.slackbook.org/dokuwiki/...lackware:proxy

Cheers, Eric
 
Old 10-21-2007, 06:16 AM   #7
conrado
LQ Newbie
 
Registered: Apr 2006
Distribution: Slackware-Current
Posts: 23

Original Poster
Rep: Reputation: 15
Thanks Alien, I really appreciate all your online tutorials; they have helped me a lot with some issues I had before with Slackware. In fact, to install tinyproxy and DansGuardian I followed your online tutorial. Everything is working except the transparent proxy part. I'll be able to try again tomorrow with the rules people here provided, because the transparent proxy is at my work now.

I use tinyproxy because Squid has never worked for me under Slackware. It doesn't matter whether I download a Squid package from linuxpackages or slacky or even compile it myself from source; when I run the daemon it says:

Squid Started -

No error, no logs, nothing. When I nmap my localhost I don't see port 3128 open, and when I run 'ps aux | grep squid' nothing is running. This has happened to me in Slack 10, 11 and 12. So I gave up on Squid and tried tinyproxy, the only one that really worked for me, but I need this transparent proxy to work. In case none of the above helps, I don't know the reason why; if there were a way I could ip_forward to port 8080 (where DansGuardian listens) instead of ip_forward to my LAN, I would really appreciate it.

Last edited by conrado; 10-21-2007 at 06:19 AM.
 
  

