getting your proxy to work with iptables DNAT

here are some things you should consider when writing your DNAT rules for having some traffic forwarded to a transparent proxy that you wrote it, no matter what you do with the packets :)

  1. if you are doing this for your workstation only or if you also want to use the proxy from the machine that is running it - then you have to install the DNAT rule in nat's OUTPUT chain. This is because packets originating from the same machine will not get to be processed in the PREROUTING chain.
  2. if so, you also need to make sure the packets generated by your proxy don't get to be processed again with the DNAT rules you installed. Otherwise you will create some cool deadloops ;) You can do this by creating a new user to run your proxy daemon and use owner rules in your OUTPUT chain. 
  3. If when querying for SO_ORIGINAL_DST from your proxy code you are getting the same sockaddr_in as the client's then your DNAT rules are fuckedup. check them again. i did.

those being said, these are some safe iptables DNAT rules that one can use for both router and workstation case (i'll treat a very simple case of catching any traffic going to http port) :

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $PROXY_UID -j DNAT --to-destination $PROXY_IP:$PROXY_PORT

No comments:

Post a Comment