LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Divertingnetwork traffic on port 80 to a proxy server running on the same host 8118. (https://www.linuxquestions.org/questions/linux-networking-3/divertingnetwork-traffic-on-port-80-to-a-proxy-server-running-on-the-same-host-8118-a-671745/)

kondrara 09-23-2008 03:50 AM

Diverting network traffic on port 80 to a proxy server running on the same host (port 8118).
 
Hi,

My requirement is to divert the network traffic coming from port 80 (http) to port 8118. On port 8118 I am running a webserver.

Ideally, all the network traffic should be routed through the webserver. Can you please tell me how this can be done with iptables?

I tried the following command, but it didn't work.

/sbin/iptables -t nat -I PREROUTING -p tcp -s 134.122.152.213/255.255.255.0 --dport 80 -j DNAT --to-destination 134.122.152.213:8118

-R

datopdog 09-23-2008 04:50 AM

Your source is wrong if connections are coming from outside this machine. Try this
Code:

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 134.122.152.213:8118

kondrara 09-23-2008 05:38 AM

Hi,

But still, it's not working.

I tried all possible ways. I know there might be something wrong on my end. Could you please list the iptables rules needed for this requirement?

The traffic on port 80 should be made to go through the proxy server set up on port 8118 on the same machine.

-R
Quote:

Originally Posted by datopdog (Post 3289075)
Your source is wrong if connections are coming from outside this machine. Try this
Code:

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 134.122.152.213:8118


datopdog 09-23-2008 05:41 AM

There are many options, so please provide the output of
Code:

iptables -vnL
iptables -t nat -vnL
netstat -ntlp


kondrara 09-23-2008 05:53 AM

Output of iptables -vnL
Code:

Chain INPUT (policy ACCEPT 91737 packets, 133M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 51919 packets, 3357K bytes)
 pkts bytes target     prot opt in     out     source               destination

Output of iptables -t nat -vnL
Code:

Chain PREROUTING (policy ACCEPT 2885 packets, 358K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:134.122.152.213:8118

Chain POSTROUTING (policy ACCEPT 1436 packets, 90138 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1446 packets, 90756 bytes)
 pkts bytes target     prot opt in     out     source               destination

Output of netstat -ntlp
Code:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2186/hpiod
tcp        0      0 127.0.0.1:58182         0.0.0.0:*               LISTEN      2191/python
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2334/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1988/portmap
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2231/vsftpd
tcp        0      0 0.0.0.0:917             0.0.0.0:*               LISTEN      2007/rpc.statd
tcp        0      0 134.122.152.213:8118    0.0.0.0:*               LISTEN      6604/privoxy
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      2220/xinetd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2201/cupsd
tcp        0      0 134.122.152.213:1720    0.0.0.0:*               LISTEN      2846/ekiga
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2249/sendmail: acce
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2334/smbd
tcp        0      0 :::22                   :::*                    LISTEN      2210/sshd
tcp        0      0 ::1:631                 :::*                    LISTEN      2201/cupsd

datopdog 09-23-2008 06:02 AM

The PREROUTING rule is not even getting hit at all. Try a REDIRECT, since it is on the same machine.

Code:

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8118
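The zero in the pkts column of the PREROUTING rule posted above is the diagnostic clue: packets generated on the host itself (the local browser) never traverse PREROUTING, only packets arriving from the network do, so a rule there stays at 0 for local clients and belongs in the nat OUTPUT chain instead. The following script is an added example, not code from this thread or from the iptables or Privoxy projects; it parses `iptables -t nat -vnxL` output and reports whether any DNAT/REDIRECT rule for port 80 has ever matched. `SAMPLE_NAT` is a constructed copy of the table posted above, used when no argument is given; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): read `iptables -t nat -vnxL` and report whether
# any DNAT/REDIRECT rule for dpt:80 has matched a packet yet. A 0 in the pkts column
# for a PREROUTING rule means the host's own traffic is not being caught: locally
# generated packets go through the nat OUTPUT chain, not PREROUTING.
# With no argument the script parses SAMPLE_NAT, a constructed copy of the output
# posted in this thread; with "live" it runs the real command (root required).

SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 2885 packets, 358K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:134.122.152.213:8118

Chain POSTROUTING (policy ACCEPT 1436 packets, 90138 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1446 packets, 90756 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# nat_table [live]: emit the nat table text; -x gives exact counters (no K/M
# suffixes), so the arithmetic below never sees a value like "358K".
nat_table() {
    if [ "$1" = live ]; then
        iptables -t nat -vnxL
    else
        printf '%s\n' "$SAMPLE_NAT"
    fi
}

# port80_hits: stdin = nat table text; prints "<chain> <pkts>" for every DNAT or
# REDIRECT rule that matches destination port 80 (dpt:80 exactly, not dpt:8080).
port80_hits() {
    awk '
        /^Chain / { chain = $2; next }
        ($3 == "DNAT" || $3 == "REDIRECT") && /dpt:80( |$)/ { print chain, $1 }
    '
}

# diagnose: stdin = nat table text; returns 0 when a port-80 rule has matched at
# least once, 1 when no such rule exists or none has ever been hit.
diagnose() {
    hits=$(port80_hits)
    if [ -z "$hits" ]; then
        echo "no DNAT/REDIRECT rule for dpt:80 in the nat table"
        return 1
    fi
    total=0
    while read -r chain pkts; do
        echo "$chain: $pkts packet(s) matched"
        total=$((total + pkts))
    done <<EOF
$hits
EOF
    if [ "$total" -eq 0 ]; then
        echo "rule present but never hit; for traffic generated on this host the rule belongs in the nat OUTPUT chain, not PREROUTING"
        return 1
    fi
    return 0
}

# Stand-alone use: ./check_redirect.sh        (constructed sample)
#                  ./check_redirect.sh live   (real table, as root)
nat_table "$1" | diagnose || echo "verdict: the redirect rule is not catching the traffic"
```

Run it on the live table after browsing a plain-http site from the host; a PREROUTING-only rule will keep reporting 0 packets no matter how many pages are loaded, which is exactly the symptom described in the thread.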

kondrara 09-23-2008 06:05 AM

Even then, it's not being hit. Do we need to initiate anything for the rules to be hit?


Quote:

Code:

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8118

datopdog 09-23-2008 06:06 AM

Of course you need to open your browser and point it to the IP address.

kondrara 09-23-2008 06:13 AM

Indeed, I am doing that. I mean any other settings. Obviously I am browsing.

-R
Quote:

Originally Posted by datopdog (Post 3289129)
Of course u need to open your browser and point to the ip address.


datopdog 09-23-2008 06:16 AM

Okay, what happens when you browse? Maybe I misunderstood what you want to achieve here.

From what I figured out, you want to run a web server using privoxy, which is running on port 8118, but of course you want people to access this site without having to add the port to the URL. Is that correct?

kondrara 09-23-2008 06:21 AM

I just want the traffic to be diverted to privoxy; then, based on the URL, privoxy should load an application of my interest.

This should be a transparent web server, which should give control to privoxy when the traffic is going out of the machine. It doesn't matter whether the incoming traffic reaches it or not.

Only the outgoing traffic on port 80 should be redirected to privoxy's port 8118.

Hope you understood what I want. I have been struggling to set a rule with iptables for the past 2 days... it's not working somehow.

-R

datopdog 09-23-2008 06:26 AM

Do you mean a transparent proxy or a transparent website?

kondrara 09-23-2008 06:30 AM

Transparent proxy. My requirement is to use privoxy and divert the http traffic on port 80 to privoxy's port 8118.

datopdog 09-23-2008 06:32 AM

For the transparent proxy all you need is
Code:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8118

And privoxy needs to be configured to accept intercepted traffic.

kondrara 09-23-2008 06:42 AM

Thanks,

I configured intercepted traffic.

Could you please tell me what needs to be done for this?

-- This I have done:
Quote:

If you don't trust your clients and want to force them to use Privoxy, enable this option and configure your packet filter to redirect outgoing HTTP connections into Privoxy.

But even after enabling intercepted traffic, my redirect rule is still not working.

-- HOW TO DO THIS?
Quote:

Make sure that Privoxy's own requests aren't redirected as well. Additionally take care that Privoxy can't intentionally connect to itself, otherwise you could run into redirection loops if Privoxy's listening port is reachable by the outside or an attacker has access to the pages you visit.
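Both open questions in this thread (why the PREROUTING rule is never hit for the host's own browser, and how to keep Privoxy's own requests out of the redirect as the quoted Privoxy documentation requires) come down to the nat OUTPUT chain. The script below is an added example, not code from this thread or from the iptables or Privoxy projects. It assumes Privoxy runs as the system user `privoxy` and listens on 127.0.0.1:8118 (REDIRECT in the OUTPUT chain always rewrites the destination to 127.0.0.1, so a listener bound only to 134.122.152.213 as in the netstat output above would not receive the redirected connections); the user, port and function names are this example's own. The `-m owner --uid-owner` RETURN rule is what prevents the redirection loop: Privoxy's outbound fetches are matched by user id and skipped before the REDIRECT rule is reached.

```shell
#!/bin/sh
# Added example (not from the thread): nat rules that send the host's own outgoing
# HTTP (TCP port 80) into a local Privoxy on port 8118 without a redirection loop.
# Assumptions (override via environment): Privoxy runs as user "privoxy" and
# listens on 127.0.0.1:8118, with accept-intercepted-requests enabled.
PROXY_USER=${PROXY_USER:-privoxy}
PROXY_PORT=${PROXY_PORT:-8118}
IPTABLES=${IPTABLES:-iptables}

# redirect_rules: print the iptables argument lists, one rule per line, in the
# order they must be added. Order matters: the two RETURN rules sit above the
# REDIRECT so that Privoxy's own connections (matched by uid) and anything going
# out over the loopback interface are never redirected back into Privoxy.
# The final INPUT rule keeps port 8118 unreachable from outside the host; drop it
# (and bind Privoxy to the LAN address) if LAN clients are also intercepted via
# a PREROUTING rule, because that REDIRECT targets the LAN interface address.
redirect_rules() {
    cat <<EOF
-t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j RETURN
-t nat -A OUTPUT -p tcp --dport 80 -o lo -j RETURN
-t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-A INPUT -p tcp --dport $PROXY_PORT ! -i lo -j DROP
EOF
}

# rule_order_ok: returns 0 only if the uid-owner RETURN precedes the REDIRECT,
# i.e. the loop guard is actually in front of the rule it guards.
rule_order_ok() {
    redirect_rules | awk '
        /uid-owner/ && !ret { ret = NR }
        /-j REDIRECT/ && !red { red = NR }
        END { exit !(ret && red && ret < red) }'
}

# show_rules: print the full commands without running anything (dry run).
show_rules() {
    redirect_rules | sed "s/^/$IPTABLES /"
}

# apply_rules: run each line as one iptables invocation; needs root.
# Word-splitting of $rule is intentional: each line is one argv list.
apply_rules() {
    rule_order_ok || { echo "refusing to apply: loop guard not before REDIRECT" >&2; return 1; }
    redirect_rules | while read -r rule; do
        $IPTABLES $rule || exit 1
    done
}

# Usage: ./privoxy_redirect.sh          -> dry run, prints the commands
#        ./privoxy_redirect.sh apply    -> installs the rules (as root)
case "$1" in
    apply) apply_rules ;;
    *)     show_rules ;;
esac
```

After applying, `iptables -t nat -vnxL OUTPUT` should show the REDIRECT counter rising as the host browses plain-http sites, while the uid-owner RETURN counter rises in step with Privoxy's upstream fetches; if the REDIRECT counter stays at 0, the browser is most likely already configured to use an explicit proxy or is talking HTTPS on port 443, which this rule deliberately leaves alone.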

