[lug] Transparent proxy on localhost

Zan Lynx zlynx at acm.org
Wed Aug 22 09:38:31 MDT 2007


On Tue, 2007-08-21 at 22:48 -0600, Michael Hirsch wrote:
> On 8/21/07, Zan Lynx <zlynx at acm.org> wrote:
> > On Mon, 2007-08-20 at 22:31 -0600, Michael Hirsch wrote:
> > > I'm trying to set up a transparent proxy on localhost.  (I'm trying to
> > > filter my kids' web browsing.)  I have the proxy all set up and
> > > working, but I can't figure out how to get it to happen transparently.
> > > Here's what I've tried:
> > [snip]
> > > iptables -t nat -i lo -A PREROUTING -p tcp --dport 80 -j LOG
> > > iptables -t nat -i lo -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
> > >
> > > but there's no change in behavior.  The web connection is unfiltered.
> > >
> > > What am I doing wrong?
> >
> > Try the nat OUTPUT chain instead.  Connections from the local machine
> > are handled specially in both the nat and filter tables.
> 
> The OUTPUT chain does have an effect.  I can see the proxy being
> contacted, but it never returns the web page.
> 
> I don't see how you can avoid an infinite regression:
> 1. The browser tries to reach port 80 on google.com
> 2. iptables redirects to the filter.
> 3. the filter tries to reach port 80,
> 4. goto 2.
> 
> Is there a trick to make iptables not redirect when coming from the
> filter, but to do so for the client?  I don't see how this scheme
> could ever work.

I believe you can filter by user ID on local packets.  You can use that
to bypass the rule for port 80 packets from root, or whatever UID the
proxy runs as.
-- 
Zan Lynx <zlynx at acm.org>
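The owner-match bypass described in the reply above, written out as a rule set for the nat OUTPUT chain. This is an added example, not code from the thread or from any of its participants; the proxy port (8080), the proxy user name ("proxy") and its UID (13) are assumed example values. The key point is ordering: the RETURN for the proxy's own UID must sit in front of the REDIRECT, otherwise the proxy's outbound port-80 connections loop straight back into it.

```shell
#!/bin/sh
# Transparent HTTP proxy on localhost using the nat OUTPUT chain.
# Locally generated packets never traverse PREROUTING, so the redirect
# has to live in OUTPUT, and the proxy's own connections are exempted
# with the owner match so they are not redirected back to the proxy.
#
# Assumptions (example values, not taken from the thread): the proxy
# listens on 127.0.0.1:8080 and runs as the dedicated user "proxy".
# Override with PROXY_PORT / PROXY_USER in the environment.

PROXY_PORT="${PROXY_PORT:-8080}"
PROXY_USER="${PROXY_USER:-proxy}"

# Resolve a user name to a numeric UID; pass numbers through unchanged.
proxy_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" ;;     # fails (non-zero) if the user does not exist
        *)           printf '%s\n' "$1" ;;
    esac
}

# Emit the nat-table rules in iptables-restore format.
# Rule order is the whole trick: the owner RETURN must come before the
# REDIRECT so the proxy's outbound port-80 traffic leaves untouched.
gen_rules() {
    uid="$1"
    port="$2"
    cat <<EOF
*nat
# Packets from the proxy's UID to port 80 skip the rest of the chain.
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner ${uid} -j RETURN
# Every other local connection to port 80 is sent to the proxy.
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports ${port}
COMMIT
EOF
}

# Load the rules without flushing whatever else is already in the nat
# table.  With DRY_RUN set, print the rule set instead of loading it.
apply_rules() {
    uid=$(proxy_uid "$PROXY_USER") || return 1
    if [ -n "$DRY_RUN" ]; then
        gen_rules "$uid" "$PROXY_PORT"
    else
        gen_rules "$uid" "$PROXY_PORT" | iptables-restore --noflush
    fi
}

# Usage (as root):  PROXY_USER=proxy PROXY_PORT=8080 ./transparent-proxy.sh
# Dry run:          DRY_RUN=1 ./transparent-proxy.sh
[ "${0##*/}" = "transparent-proxy.sh" ] && apply_rules
```

Two caveats a practitioner would want. First, the proxy must run in intercept (transparent) mode so it recovers the real destination from the Host header or via SO_ORIGINAL_DST, since the redirected browser sends a plain `GET /path`, not a proxy-style absolute URI. Second, run the proxy as a dedicated unprivileged user rather than root: exempting UID 0 would also exempt anything else that runs as root, and the bypass is only as strong as the users' inability to run processes under that UID. Port 443 is not covered by these rules at all.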