iptables: route packets to example.com via public proxy

I want to access certain websites via a public proxy and I can't seem to get it right using iptables. Let's say I want to access example.com, having IP address 1.2.3.4, via a public proxy at 5.6.7.8:8080. What I do is:
iptables -t nat -A PREROUTING --dst 1.2.3.0/24 -p tcp --dport 80 -j DNAT --to-destination 5.6.7.8:8080
iptables -t nat -A POSTROUTING --dst 5.6.7.8 -p tcp --dport 8080 -j SNAT --to-source 1.2.3.4:80
iptables -t nat -A OUTPUT --dst 1.2.3.0/24 -p tcp --dport 80 -j DNAT --to-destination 5.6.7.8:8080
But then I can't load the webpage at all (as if the proxy is not reachable, but it is, because I test it by setting it in the browser's proxy settings when no routing rules are set).
What am I doing wrong?
Tags: networking, iptables, routing, proxy
asked Jan 29 '15 at 18:24
Aayla Secura
1 Answer
The first thing is to enable IP forwarding using:
echo "1" > /proc/sys/net/ipv4/ip_forward
Then add a pre-routing rule using (I think you don't need to mention the whole 1.2.3.0/24 network):
iptables -t nat -A PREROUTING --dst 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 5.6.7.8:8080
Add a post-routing rule using:
iptables -t nat -A POSTROUTING -j MASQUERADE
Thank you for your reply! I had indeed forgotten to enable IP forwarding, but even after doing so, it doesn't work: adding the two rules you suggested does not go through the proxy (I tried using wtfismyip.com as the example.com and I can see my real public IP). Adding the OUTPUT rule I originally had gets me back to where I was (I cannot connect at all). Replacing the PREROUTING with OUTPUT simply loads the default page of the proxy server. I'm a bit confused as to which rule applies to which packet in my case... I want to stress that both target and proxy IP addresses here are external.
– Aayla Secura
Jan 31 '15 at 11:25
My first iptables rule translates the destination IP address of the packet from 1.2.3.4 to 5.6.7.8 and the port from 80 to 8080. The second rule translates the source IP address of the packet to that of the outbound interface of your Linux machine.
– arshan
Feb 3 '15 at 10:11
Thanks, I see, this is what I thought as well. But just these two rules do not make any apparent change (I still see my real IP address), so something must be missing...
– Aayla Secura
Feb 4 '15 at 15:08
After reading blog.webernetz.net/2014/01/22/… you can see that the packets must be forwarded to the proxy server (I guess it's working well in our case). Are you sure that the proxy server is working as it should be?
– arshan
Feb 4 '15 at 18:43
Thank you for your reply, the blog post clears some things up. I figured out why no change to the packets was happening: as explained here: askubuntu.com/questions/280948/… , I need to use the OUTPUT chain instead of PREROUTING, since iptables is running on my machine, the same machine as the web browser establishing the connection to 1.2.3.4. With the OUTPUT rule I am being redirected to the proxy server (which works fine), but I am getting its / page (login) rather than the requested site (to be continued in the following post)
– Aayla Secura
Feb 5 '15 at 19:58
answered Jan 30 '15 at 5:58
arshan
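The asker's last comment notes that, once the OUTPUT-chain DNAT works, the proxy serves its own / page instead of example.com. The reason is that DNAT rewrites only the IP and TCP headers, so the proxy receives an origin-form request (`GET / HTTP/1.1` plus `Host: example.com`) rather than the absolute-form request (`GET http://example.com/ HTTP/1.1`) an ordinary forward proxy expects. The following is an added example, not code from the thread: it parses a request head, classifies its request-target, and performs the origin-form to absolute-form rewrite a transparent-proxy shim between the DNAT rule and the upstream proxy would have to do. The sample request and the addresses are the question's placeholders.

```python
# Added example (not from the thread). DNAT alone leaves the HTTP request in
# origin-form, so a forward proxy cannot tell which origin the client wanted;
# this rewrite uses the Host header to produce the absolute-form it expects.
from typing import Dict, Tuple


def parse_request_head(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into method, target, version, headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def target_form(target: str) -> str:
    """Classify the request-target as RFC 7230 does: 'origin' (/path),
    'absolute' (http://host/path), 'authority' (host:port, used by CONNECT)
    or 'asterisk' (*)."""
    if target == "*":
        return "asterisk"
    if target.startswith("/"):
        return "origin"
    if "://" in target:
        return "absolute"
    return "authority"


def to_absolute_form(raw: bytes, scheme: str = "http") -> bytes:
    """Rewrite an origin-form request head into absolute-form using the Host
    header; requests already in another form are returned unchanged. Raises
    if Host is missing, since then the intended origin is unknowable."""
    method, target, version, headers = parse_request_head(raw)
    if target_form(target) != "origin":
        return raw
    host = headers.get("host")
    if not host:
        raise ValueError("origin-form request without Host header")
    head, sep, body = raw.partition(b"\r\n\r\n")
    _first_line, _, rest = head.partition(b"\r\n")
    new_first = f"{method} {scheme}://{host}{target} {version}".encode("iso-8859-1")
    return new_first + b"\r\n" + rest + sep + body


# Constructed sample: what the proxy at 5.6.7.8:8080 receives after the DNAT
# rule, while the browser believes it is talking to example.com at 1.2.3.4:80.
DNATED_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(target_form(parse_request_head(DNATED_REQUEST)[1]))  # origin
    print(to_absolute_form(DNATED_REQUEST).decode("iso-8859-1"))
```

Proxies configured for interception (for example Squid's intercept mode) accept origin-form and recover the origin from Host themselves; a plain forward proxy does not, which is exactly the symptom in the thread.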