Old 09-23-2008, 03:50 AM   #1
kondrara
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Rep: Reputation: 15
Diverting network traffic on port 80 to a proxy server running on the same host 8118.


Hi,

My requirement is to divert the network traffic coming from port 80 (http) to port 8118. On port 8118 I am running a webserver.

Ideally, all the network should be routed through the webserver. Can you please tell me how this can be done with iptables?

I tried the following command, but it didn't work.

/sbin/iptables -t nat -I PREROUTING -p tcp -s 134.122.152.213/255.255.255.0 --dport 80 -j DNAT --to-destination 134.122.152.213:8118

-R
 
Old 09-23-2008, 04:50 AM   #2
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
Your source is wrong if connections are coming from outside this machine. Try this
Code:
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 134.122.152.213:8118
 
Old 09-23-2008, 05:38 AM   #3
kondrara
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Original Poster
Rep: Reputation: 15
Hi,

But still, it's not working.

I tried all possible ways. I know there might be something wrong from my end. Could you please list down the rules of iptables needed for this requirement?

The traffic on port 80 should be made to go through the proxy server set up on port 8118 on the same machine.

-R
Quote:
Originally Posted by datopdog View Post
Your source is wrong if connections are coming from outside this machine. Try this
Code:
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 134.122.152.213:8118
 
Old 09-23-2008, 05:41 AM   #4
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
There are many options, so you provide the output of
Code:
iptables -vnL
iptables -t nat -vnL
netstat -ntlp
 
Old 09-23-2008, 05:53 AM   #5
kondrara
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Original Poster
Rep: Reputation: 15
O/P of iptables -vnL
----------------------------------------------------------
Chain INPUT (policy ACCEPT 91737 packets, 133M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 51919 packets, 3357K bytes)
pkts bytes target prot opt in out source destination
--------------------------------------------------------------

O/P of iptables -t nat -vnL

---------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 2885 packets, 358K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:134.122.152.213:8118

Chain POSTROUTING (policy ACCEPT 1436 packets, 90138 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1446 packets, 90756 bytes)
pkts bytes target prot opt in out source destination

---------------------------------------------------------------

output of netstat

-----------------------------------------------------------------
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2186/hpiod
tcp 0 0 127.0.0.1:58182 0.0.0.0:* LISTEN 2191/python
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 2334/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1988/portmap
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2231/vsftpd
tcp 0 0 0.0.0.0:917 0.0.0.0:* LISTEN 2007/rpc.statd
tcp 0 0 134.122.152.213:8118 0.0.0.0:* LISTEN 6604/privoxy
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 2220/xinetd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2201/cupsd
tcp 0 0 134.122.152.213:1720 0.0.0.0:* LISTEN 2846/ekiga
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2249/sendmail: acce
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2334/smbd
tcp 0 0 :::22 :::* LISTEN 2210/sshd
tcp 0 0 ::1:631 :::* LISTEN 2201/cupsd

-----------------------------------------------------------------
 
Old 09-23-2008, 06:02 AM   #6
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
The prerouting rule is not even getting hit at all. Try a redirect since it is on the same machine.

Code:
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8118
 
Old 09-23-2008, 06:05 AM   #7
kondrara
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Original Poster
Rep: Reputation: 15
Even,

it's not being hit. Do we need to initiate anything for the rules to be hit?


Code:
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8118
 
Old 09-23-2008, 06:06 AM   #8
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
Of course you need to open your browser and point to the IP address.
 
Old 09-23-2008, 06:13 AM   #9
kondrara
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Original Poster
Rep: Reputation: 15
Indeed, I am doing that. I mean any other settings. Obviously I am browsing.

-R
Quote:
Originally Posted by datopdog View Post
Of course you need to open your browser and point to the IP address.
 
Old 09-23-2008, 06:16 AM   #10
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
Okay, what happens when you browse? Maybe I misunderstood what you want to achieve here.

From what I figured out, you want to run a web server using privoxy which is running on port 8118, but of course you want people to access this site without having to add the port to the URL. Is that correct?
 
Old 09-23-2008, 06:21 AM   #11
kondrara
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Original Poster
Rep: Reputation: 15
I just want the traffic to be diverted to privoxy, then based on the URL privoxy should load an application of my interest.

This should be a transparent web server, which should give control to privoxy when the traffic is going out of the machine. It doesn't matter whether the incoming traffic should reach or not.

Only the outgoing traffic on port 80 should be redirected to privoxy's 8118 port.

Hope you understood what I want. I have been struggling to set a rule with iptables for the past 2 days... it's not working somehow.

-R
 
Old 09-23-2008, 06:26 AM   #12
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
Do you mean transparent proxy or transparent website?
 
Old 09-23-2008, 06:30 AM   #13
kondrara
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Original Poster
Rep: Reputation: 15
Transparent proxy. My requirement is to use privoxy and divert the http traffic on port 80 to privoxy's port 8118.
 
Old 09-23-2008, 06:32 AM   #14
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
For the transparent proxy all you need is
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8118
And privoxy needs to be configured to accept intercepted traffic.
 
Old 09-23-2008, 06:42 AM   #15
kondrara
LQ Newbie
 
Registered: Sep 2007
Posts: 25

Original Poster
Rep: Reputation: 15
Thanks,

I configured intercepted traffic.

Could you please tell me what needs to be done for this?

--This I have done
If you don't trust your clients and want to force them to use Privoxy, enable this option and configure your packet filter to redirect outgoing HTTP connections into Privoxy.
-This I have done.

But even after enabling intercepted traffic, my redirect rule is still not working.


-HOW TO DO THIS?
Make sure that Privoxy's own requests aren't redirected as well. Additionally take care that Privoxy can't intentionally connect to itself, otherwise you could run into redirection loops if Privoxy's listening port is reachable by the outside or an attacker has access to the pages you visit.
-HOW TO DO THIS?
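
Post #11 asks for outgoing, locally generated port-80 traffic to reach Privoxy, and such packets traverse the nat OUTPUT chain rather than PREROUTING. The following is an added example, not part of the thread: it prints OUTPUT rules that exempt Privoxy's own requests with the owner match before redirecting everything else. It assumes Privoxy runs under a dedicated account named privoxy (hypothetical) and uses DNAT to the 134.122.152.213:8118 listener from the netstat output, because REDIRECT in OUTPUT rewrites the destination to 127.0.0.1, where that Privoxy instance is not listening.

```shell
#!/bin/sh
# Added example (not from the thread). Prints rules only; review them, then
# apply as root by piping the output to sh.
PROXY_USER="${PROXY_USER:-privoxy}"          # assumed account Privoxy runs as
PROXY_ADDR="${PROXY_ADDR:-134.122.152.213}"  # listen address from the netstat output
PROXY_PORT="${PROXY_PORT:-8118}"

gen_rules() {
    nat="iptables -t nat -A OUTPUT -p tcp --dport 80"
    # 1. Privoxy's own upstream requests leave untouched, so they cannot loop.
    echo "$nat -m owner --uid-owner $PROXY_USER -j RETURN"
    # 2. Port-80 connections to this host itself are not proxied.
    echo "$nat -d 127.0.0.0/8 -j RETURN"
    echo "$nat -d $PROXY_ADDR -j RETURN"
    # 3. All other locally generated HTTP goes to the Privoxy listener.
    echo "$nat -j DNAT --to-destination $PROXY_ADDR:$PROXY_PORT"
}

# Reads rules on stdin; succeeds only if the owner exemption appears before
# the first DNAT/REDIRECT rule (first match wins, so the order matters).
exemption_precedes_redirect() {
    awk -v user="$PROXY_USER" '
        /-j (DNAT|REDIRECT)/ { redirected = 1 }
        index($0, "--uid-owner " user) && /-j RETURN/ && !redirected { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

gen_rules
```

Privoxy must still have `accept-intercepted-requests 1` set, as post #14 points out.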
 
  


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration