* Using iptables to send local traffic to proxy
@ 2015-06-02 14:59 L.W. van Braam van Vloten
From: L.W. van Braam van Vloten @ 2015-06-02 14:59 UTC (permalink / raw)
To: netfilter
Hello list,
I would like to use iptables to send all traffic that originates from
the local host to a specific internet address through a proxy in my
local network. The connection is encrypted between my host and the
final destination. The connection is authenticated using a client
certificate. The proxy is capable of proxying encrypted connections.
The traffic originates from an application running on the Linux box
itself. The application cannot be configured to use the proxy or to
use the https_proxy environment variable. I was told that I can use
iptables to accomplish some kind of "transparent proxy": the
application believes it talks directly to the internet address, but
the firewall sends the traffic through the proxy. The application
itself is entirely unaware of the proxy.
Can it be done? I would appreciate some help with the rule to accomplish this.
I can test the connection using curl:
$ curl -E ./client-certificate.pem https://webservice.example.com/incoming
This works on a direct internet connection (without proxy).
(The URL gets resolved to the internet IP address even if there is no
direct internet connection.)
I tried the following ideas (plus some variations) that did not work:
iptables -t nat -A PREROUTING -d <internet-IP> -p tcp -j DNAT --to <proxy-IP:port>
My curl test gives a "Network is unreachable"
iptables -t nat -A OUTPUT -d <internet-IP> -p tcp --dport 443 -j DNAT --to-destination proxy-IP:port
My curl test gives a "Network is unreachable"
In combination with a
ip route add <internet-IP>/32 via <proxyIP> dev eth1
My curl test gives a "SSL connect error"
Thanks for any help!
Kind regards,
Lucas
* Re: Using iptables to send local traffic to proxy
From: spaceman @ 2015-06-16 14:37 UTC (permalink / raw)
To: netfilter
Hi Lucas,
You need to make sure that traffic from the proxy isn't getting caught in your
intercept rules and therefore talking to itself.
The first method listed here has nearly always worked for me:
http://www.tldp.org/HOWTO/TransparentProxy-6.html
You will need to update accordingly with the correct sockets. You shouldn't
need to touch routing and routing traffic to the proxy will not work because
the TCP headers will be incorrect and the packets will probably be dropped by
your firewall.
Might I suggest you direct your question at the squid mailing list if you
haven't already done so.
Regards,
spaceman
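The approach the reply describes (intercept only this host's own traffic in the nat OUTPUT chain, keep the proxy's own connections out of the intercept rule, leave routing alone), written out as an added example; this is not code from either message or from the HOWTO linked above. The destination address, proxy address, port and proxy user are constructed placeholders, and it assumes the proxy accepts intercepted connections on that port (a transparent-mode listener rather than a plain forward-proxy port). By default it only prints the rules; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example for this thread, not from either message. All values below are
# constructed placeholders; override them from the environment as needed.
DEST_IP="${DEST_IP:-198.51.100.10}"     # the internet address the application talks to
PROXY_IP="${PROXY_IP:-192.0.2.5}"       # the proxy in the local network
PROXY_PORT="${PROXY_PORT:-3128}"        # assumed transparent-mode listener on the proxy
PROXY_USER="${PROXY_USER:-proxy}"       # only matters if the proxy runs on this same box
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the rules, 0 = apply them (needs root)

# Print the rule when DRY_RUN=1, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Locally generated packets traverse nat OUTPUT, never nat PREROUTING, so the
# intercept for this host's own traffic belongs there. No routes are changed.
intercept_rules() {
    # Connections already addressed to the proxy's listener pass untouched, so
    # neither the proxied connection nor the proxy's own traffic is re-intercepted.
    ipt -t nat -A OUTPUT -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" -j RETURN
    # If the proxy process runs on this host, its outbound 443 traffic is also
    # excluded by owner, so it cannot be caught by the rule below and talk to itself.
    ipt -t nat -A OUTPUT -p tcp --dport 443 -m owner --uid-owner "$PROXY_USER" -j RETURN
    # Everything else this host sends to the destination on 443 is rewritten to the proxy.
    ipt -t nat -A OUTPUT -d "$DEST_IP" -p tcp --dport 443 \
        -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
}

intercept_rules
```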