# transparent squid(dansguardian) proxy/iptables doesn't work

## Wbdsgnr

I don't get it... I followed this how-to: http://www.faqs.org/docs/Linux-mini/TransparentProxy.html I got squid running, I got dansguardian running. If I set the proxy address in the browser everything runs ok. But using this command and having ip_forward set "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080" nothing happens.. squid is running, dansguardian is running, but the browser just browses without any proxy.. When I do iptables -t nat --list it shows up correctly...

----------

## adaptr

...and you are running Squid on port 8080, I assume?

Squid's default port is 3128...

Perhaps you could include the output of

```
iptables -t nat -L
```

?

----------

## Wbdsgnr

Well, squid is running on port 3128 but dansguardian (a filter using squid) uses port 8080, but even when I set iptables to 3128 it still doesn't work...

```
bash-2.05b# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

----------

## adaptr

Then I would suggest adding a LOG target just before that:

```
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j LOG --log-prefix "PROXY:"

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
```

See whether that works at all...

Oh and do an lsmod - do you have ipt_redirect loaded at all?

----------

## Wbdsgnr

Well I had it compiled in the kernel, then I compiled it as a module. Loading ipt_REDIRECT but no luck... Using that LOG thing, nothing appears in the kernel log (using dmesg). lsmod output:

```
Module                  Size  Used by
ipt_REDIRECT            1920  1
floppy                 54868  0
agpgart                26664  0
uhci_hcd               29840  0
ohci_hcd               16772  0
ehci_hcd               24068  0
ntfs                   86348  0
w83781d                32384  0
i2c_sensor              2560  1 w83781d
i2c_isa                 1920  0
i2c_core               18948  3 w83781d,i2c_sensor,i2c_isa
hid                    23424  0
usbcore                91356  6 uhci_hcd,ohci_hcd,ehci_hcd,hid
nvidia               2071432  12
8139too                18432  0
mii                     4224  1 8139too
```

I've got most things just compiled in the kernel so not everything shows up here I guess..

iptables -t nat -L output with log:

```
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            tcp dpt:www LOG level warning prefix `PROXY:'
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

----------

## Crg

 *Wbdsgnr wrote:*   

> I don't get it... I followed this how-to: http://www.faqs.org/docs/Linux-mini/TransparentProxy.html I got squid running, I got dansguardian running. If I set the proxy address in the browser everything runs ok. But using this command and having ip_forward set "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080" nothing happens.. squid is running, dansguardian is running, but the browser just browses without any proxy.. When I do iptables -t nat --list it shows up correctly...

 

Can you actually connect to 8080 directly with a browser?

----------

## Wbdsgnr

Yup.. but iptables just doesn't redirect anything, nothing is led to squid...

----------

## mikegpitt

I know I'm dragging up an old thread, but did you ever find a solution to this problem?  I am experiencing the same thing (i.e. if I set my browser to go to port 8080 everything works great, but the iptables rule to forward port 80 to port 8080 causes an error).

----------

## Korr.ban

I have the same problem, here is my iptable script:

```
   $MODPROBE ip_tables
   $MODPROBE iptable_filter
   $MODPROBE ip_conntrack
   $MODPROBE iptable_nat
   $MODPROBE ipt_MASQUERADE

   $IPTABLES -F
   $IPTABLES -X
   $IPTABLES -Z
   $IPTABLES -t nat -F
   $IPTABLES -t nat -X
   $IPTABLES -t nat -Z

   $IPTABLES -P INPUT ACCEPT
   $IPTABLES -P FORWARD DROP
   $IPTABLES -P OUTPUT ACCEPT
   $IPTABLES -t nat -P PREROUTING ACCEPT
   $IPTABLES -t nat -P POSTROUTING ACCEPT
   $IPTABLES -t nat -P OUTPUT ACCEPT

   echo 1 > /proc/sys/net/ipv4/ip_forward

   # $IPTABLES -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
   # $IPTABLES -A FORWARD -i ppp0 -o $EXT_INTERFACE -j ACCEPT
   # $IPTABLES -A FORWARD -i $EXT_INTERFACE -o ppp0 -j ACCEPT

   $IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

# SQUID redirect start
   $IPTABLES -t nat -A PREROUTING -i $EXT_INTERFACE -p tcp --dport 80 \
      -j REDIRECT --to-port 8080
# SQUID redirect end

   $IPTABLES -A FORWARD -i $EXT_INTERFACE -o $INT_INTERFACE -j ACCEPT
   $IPTABLES -A FORWARD -i $INT_INTERFACE -o $EXT_INTERFACE -j ACCEPT
```

With this, my browser doesn't get redirected through squid cache, just straight through to the internet without touching squid (access.log is empty).

The closest I got to browser going through squid is when I got this error in the browser:

```
The requested URL could not be retrieved

While trying to retrieve the URL: http://google.ca/

The following error was encountered:

    Unable to determine IP address from host name for google.ca

The dnsserver returned:

    Name Error: The domain name does not exist. 

This means that:

 The cache was not able to resolve the hostname presented in the URL. 

 Check if the address is correct. 

Your cache administrator is webmaster.

Generated Sun, 05 Nov 2006 23:36:06 GMT by my.hostname (squid/2.5.STABLE9)
```

----------
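An added example, not part of any post in this thread: the LOG rule suggested above shows whether packets reach the PREROUTING chain, and the per-rule packet counters printed by `iptables-save -c` answer the same question without the kernel log. The two rule sets are constructed samples, and `eth1` as a LAN-facing interface is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `iptables-save -c -t nat`
# text on stdin and reports the packet counter of every REDIRECT rule in
# PREROUTING, so a rule that never matched stands out.

# Prints one line per rule: "<in-iface> <dport> <to-port> <packets>"
redirect_counters() {
    awk '
    /^\[[0-9]+:[0-9]+\] -A PREROUTING / && / -j REDIRECT/ {
        pkts = $1; sub(/^\[/, "", pkts); sub(/:.*/, "", pkts)
        iface = "any"; dport = "any"; to = "?"
        for (i = 2; i < NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "--to-ports" || $i == "--to-port") to = $(i + 1)
        }
        print iface, dport, to, pkts
    }'
}

# Rules with a zero counter: no packet entered on that interface for that
# port. PREROUTING only sees traffic arriving from the network; requests
# generated on the proxy host itself go through the nat OUTPUT chain.
unmatched_redirects() {
    redirect_counters | awk '$4 == 0 { print $1 ":" $2 "->" $3 }'
}

# Constructed sample: the rule set from the thread, counters still at zero.
SAMPLE_IDLE='*nat
:PREROUTING ACCEPT [120:7200]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [35:2100]
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j LOG --log-prefix "PROXY:"
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# Constructed sample: same rule bound to eth1 (assumed LAN-facing), matching.
SAMPLE_HIT='*nat
:PREROUTING ACCEPT [42:2520]
[42:2520] -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

printf '%s\n' "$SAMPLE_IDLE" | unmatched_redirects   # eth0:80->8080
# Live use (as root): iptables-save -c -t nat | unmatched_redirects
```
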

