[lug] Transparent proxy on localhost
Michael Hirsch
mdhirsch at gmail.com
Tue Aug 21 22:48:58 MDT 2007
On 8/21/07, Zan Lynx <zlynx at acm.org> wrote:
> On Mon, 2007-08-20 at 22:31 -0600, Michael Hirsch wrote:
> > I'm trying to set up a transparent proxy on localhost. (I'm trying to
> > filter my kids' web browsing.) I have the proxy all setup and
> > working, but I can't figure out how to get it to happen transparently.
> > Here's what I've tried:
> [snip]
> > iptables -t nat -i lo -A PREROUTING -p tcp --dport 80 -j LOG
> > iptables -t nat -i lo -A PREROUTING -p tcp --dport 80 -j REDIRECT
> > --to-ports 8080
> >
> > but there's no change in behavior. The web connection is unfiltered.
> >
> > What am I doing wrong?
>
> Try the nat OUTPUT chain instead. Connections from the local machine
> are handled specially in both the nat and filter tables.
The OUTPUT chain does have an effect. I can see the proxy being
contacted, but it never returns the web page.
I don't see how you can avoid an infinite regression:
1. The browser tries to reach port 80 on google.com.
2. iptables redirects to the filter.
3. The filter tries to reach port 80.
4. Goto 2.
Is there a trick to make iptables not redirect when coming from the
filter, but to do so for the client? I don't see how this scheme
could ever work.
Michael
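The loop described in the post above is normally broken with the iptables owner match, which lets the nat OUTPUT chain return early for connections made by the proxy's own account while still redirecting everyone else. This is an added example, not code from the thread; the account name proxyuser and port 8080 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: break the redirect loop by
# exempting the proxy's own outbound connections with the iptables owner match.
# Assumptions: the filtering proxy runs as the hypothetical account "proxyuser"
# and listens on 127.0.0.1:8080.

PROXY_USER="${PROXY_USER:-proxyuser}"   # assumed; use the real proxy account
PROXY_PORT="${PROXY_PORT:-8080}"

# Print the nat OUTPUT rules as text so they can be reviewed without root.
# Pass "noexempt" to reproduce the looping rule set from the post.
# Rule order matters: the RETURN for the proxy's uid must come before the
# REDIRECT, or the proxy's own fetch of port 80 (step 3) is sent back to
# the proxy (step 2) and the page never comes back.
emit_rules() {
    echo "iptables -t nat -A OUTPUT -o lo -j RETURN"
    if [ "${1:-}" != "noexempt" ]; then
        echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j RETURN"
    fi
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
}

# Sanity check for the loop: count the REDIRECT rules the proxy's own port-80
# traffic still traverses before a RETURN matching its uid. Zero means the
# proxy can reach the origin server; anything else means a loop.
proxy_redirect_count() {
    emit_rules "${1:-}" | awk -v u="$PROXY_USER" '
        /--uid-owner/ && index($0, u) && /-j RETURN/ { exit }
        /-j REDIRECT/ { n++ }
        END { print n + 0 }'
}

apply_rules() {   # needs root; applies exactly what emit_rules prints
    emit_rules | sh -e
}
```

The proxy itself must also be configured to accept intercepted requests (it sees the browser's plain Host header, not a proxy-style URL), which is proxy configuration rather than an iptables matter.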