# How to redirect my laptop traffic to the SQUID server?

## d2_racing

Hi, at work I need to make my box conform to the policy, and my laptop needs to pass through the SQUID proxy server on port 8080 to get to the internet.

So basically, this is the firewall on my box:

```
#!/bin/bash

# Constants
IPT=/sbin/iptables
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface that is on your network
WAN_IFACE="eth0"

# Loopback interface
LOOP_IFACE="lo"
LOOP_IP="127.0.0.1"

# Open the policies before flushing, so nothing is cut off half-way through
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# The tables are flushed.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# The default behaviour is to block traffic.
$IPT -P INPUT   DROP
$IPT -P OUTPUT  DROP
$IPT -P FORWARD DROP

# INPUT: log and drop invalid packets, accept replies to our own connections,
# loopback and rate-limited ICMP; log whatever is left before the DROP policy eats it.
# ("! -i" is the current negation syntax; "-i !" is the deprecated form.)
$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $LOOP_IFACE -j ACCEPT
$IPT -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
# The LOG rule goes after the ICMP ACCEPT, otherwise accepted pings are logged as "DROP"
$IPT -A INPUT ! -i $LOOP_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

# OUTPUT: same idea; new connections are only allowed to the listed destination ports.
$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp  -m multiport --dports 21,22,25,80,110,443,873,1024 -j ACCEPT
$IPT -A OUTPUT -p udp  -m multiport --dports 53 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A OUTPUT -o $LOOP_IFACE -j ACCEPT
$IPT -A OUTPUT ! -o $LOOP_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
```

So basically, since I don't want to rewrite my iptables rules, can I add only 2 nat rules to get everything redirected to port 8080, for example?

```
$IPT -t nat -A OUTPUT -p tcp -m multiport --dports 21,22,25,80,110,443,873,1024 -j REDIRECT --to-port 8080
$IPT -t nat -A OUTPUT -p udp -m multiport --dports 53 -j REDIRECT --to-port 8080
```

And with that, I will be able to run these 2 lines or not with my script:

```
# cd /root
# chmod +x iptables.sh
# ./iptables.sh
# iptables -L -v
# iptables-save
# /etc/init.d/iptables save
# rc-update add iptables default
# /etc/init.d/iptables start
```

Is that possible? If not, I need help :Razz:
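
An added example (editor's code, not from the thread or the posted script) of what the two "toggle" rules turn into once the facts about the chains are taken into account. Locally generated packets never pass PREROUTING; they pass nat OUTPUT. REDIRECT only ever sends traffic to the local host, so reaching a Squid on another machine takes DNAT to its address, and after that rewrite the filter OUTPUT chain sees a packet for port 8080, which the posted script does not allow. Only plain HTTP (and FTP fetched through HTTP) can be taken over this way; HTTPS, SSH and rsync need a proxy-aware client, and DNS must not be sent to Squid at all. The proxy address 192.0.2.10 and the DRY_RUN switch are assumptions made for the example; the Squid side also has to be configured for interception (and, because the NAT happens on the laptop rather than on the proxy host, Squid can only learn the real destination from the HTTP Host header), which the thread does not cover.

```shell
#!/bin/bash
# Added example, not code from the thread: toggle the nat rules that send the
# laptop's own outgoing HTTP traffic to a remote Squid proxy. Everything here
# that is not in the posted script is an assumption: the proxy address
# 192.0.2.10 is a placeholder, the port 8080 comes from the thread, and
# DRY_RUN=1 prints the iptables commands instead of running them.
IPT="${IPT:-/sbin/iptables}"
PROXY_IP="${PROXY_IP:-192.0.2.10}"       # hypothetical Squid host
PROXY_PORT="${PROXY_PORT:-8080}"
# Only what Squid can take over transparently: plain HTTP (80) and FTP fetched
# via HTTP (21). 443, 22 and 873 stay direct; they need a proxy-aware client.
PROXY_TCP_PORTS="${PROXY_TCP_PORTS:-21,80}"

# Run iptables, or in dry-run mode print the command. A -C (check) in dry-run
# mode reports "rule absent" so that the add path is what gets printed.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
        case " $* " in *" -C "*) return 1 ;; esac
        return 0
    fi
    "$IPT" "$@"
}

# The rules, one per line: "<table> <chain> <match and target>". Locally
# generated packets traverse nat OUTPUT (PREROUTING never sees them), and
# REDIRECT can only point at the local host, so a remote proxy needs DNAT.
proxy_rules() {
    # Leave loopback and traffic that is already headed for the proxy alone.
    echo "nat OUTPUT -o lo -j RETURN"
    echo "nat OUTPUT -p tcp -d ${PROXY_IP} --dport ${PROXY_PORT} -j RETURN"
    # Rewrite the destination of proxyable TCP traffic to proxy:port.
    echo "nat OUTPUT -p tcp -m multiport --dports ${PROXY_TCP_PORTS} -j DNAT --to-destination ${PROXY_IP}:${PROXY_PORT}"
    # The filter OUTPUT chain sees the rewritten packet, whose dport is now
    # ${PROXY_PORT}; the posted script does not open that port, so do it here.
    echo "filter OUTPUT -p tcp -d ${PROXY_IP} --dport ${PROXY_PORT} -m state --state NEW -j ACCEPT"
    # Deliberately no UDP 53 rule: Squid does not speak DNS, so redirecting
    # name lookups to it would just break resolution.
}

# proxy_apply on|off: add each rule only if absent (needs iptables >= 1.4.11
# for -C), or delete one instance of it.
proxy_apply() {
    local action="$1" table chain rest
    proxy_rules | while read -r table chain rest; do
        # $rest is intentionally unquoted so it splits into separate arguments
        case "$action" in
            on)  ipt -t "$table" -C "$chain" $rest 2>/dev/null || ipt -t "$table" -A "$chain" $rest ;;
            off) ipt -t "$table" -D "$chain" $rest 2>/dev/null || true ;;
        esac
    done
}

case "${1:-}" in
    on|off) proxy_apply "$1" ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 on|off" >&2; exit 2 ;;
esac
```

Run it as `./proxy-redirect.sh on` to add the rules and `./proxy-redirect.sh off` to remove them, or with `DRY_RUN=1` to see the iptables commands it would issue. The rules are appended with `-A`, so they run after whatever the posted script already put in the chains, and the RETURN rules in front of the DNAT keep traffic to the proxy itself from being rewritten a second time.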

----------

## Inodoro_Pereyra

Yes, you can do that with nat rules, but you should use the PREROUTING chain instead:

```
$IPT -t nat -A PREROUTING -p tcp -m multiport --dports 21,80,443 -j REDIRECT --to-port 8080
```

Squid will only do caching on HTTP or FTP requests, that's why the ports 21/80/443. All other protocols will go on standard ports most of the time.

Just a thought, wouldn't it be easier to configure your browser so it can use the proxy to reach outside?

Cheers!

----------

## d2_racing

No, because I need to be able to update my Gentoo box, so I really need rsync and other stuff.

The guy that configured the proxy server blocks everything inbound except 8080, but once it's inside the server, then I can do ssh or anything else.

By the way, why PREROUTING instead of OUTPUT?

----------

## cach0rr0

So since we're doing a transparent proxy, this should work: http://tldp.org/HOWTO/TransparentProxy-6.html

I would normally say to make the guy give you a .pac file to throw into your browser, but of course that won't help you with rsync. (NB: for Gentoo at least, don't forget emerge-webrsync)
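
An added example (editor's code, not from the thread) for the part iptables cannot solve: rsync, ssh and HTTPS only get through a Squid on 8080 if the client itself opens an HTTP CONNECT tunnel, and Squid allows CONNECT only to the ports in its SSL_ports ACL (443 out of the box, so 873 and 22 have to be added by whoever runs the proxy). The first function parses the proxy's answer to such a CONNECT and the second sends one, which is the quickest way to find out which ports the proxy lets through; the others print the make.conf and ssh_config lines that use the tunnel. The proxy address 192.0.2.10 is a placeholder, and the usage lines at the bottom need the real proxy and a network.

```shell
#!/bin/bash
# Added example, not from the thread: proxy-aware access through Squid for
# what a transparent proxy cannot carry (rsync, ssh, HTTPS). Assumptions:
# the proxy address 192.0.2.10 is a placeholder, the port 8080 comes from
# the thread, and whether CONNECT to a given port succeeds depends on the
# Squid ACLs on the server side.

# Read a proxy reply from stdin and print the three-digit status of its
# status line ("HTTP/1.0 200 Connection established", or 403 when Squid
# refuses the port); "000" if the reply is not an HTTP status line at all.
connect_status() {
    local proto code rest
    IFS=' ' read -r proto code rest || true
    case "$code" in
        [0-9][0-9][0-9]) echo "$code" ;;
        *)               echo 000 ;;
    esac
}

# Speak a raw HTTP CONNECT to the proxy (bash's /dev/tcp, no extra tool) and
# print the status code it answers with. The subshell confines fd 3 and any
# connection failure, which then shows up as "000".
proxy_connect_check() {   # proxy_connect_check proxy_host proxy_port target_host target_port
    local code
    code="$(
        exec 3<>"/dev/tcp/$1/$2" || exit 2
        printf 'CONNECT %s:%s HTTP/1.0\r\nHost: %s:%s\r\n\r\n' "$3" "$4" "$3" "$4" >&3
        head -n 1 <&3 | connect_status
    )"
    echo "${code:-000}"
}

# make.conf lines for Portage and rsync. RSYNC_PROXY makes rsync open a
# CONNECT tunnel to port 873 through the web proxy, so it only helps if
# "proxy_connect_check <proxy> 8080 <rsync mirror> 873" reports 200.
portage_proxy_conf() {   # portage_proxy_conf proxy_host proxy_port
    printf 'http_proxy="http://%s:%s"\n' "$1" "$2"
    printf 'ftp_proxy="http://%s:%s"\n' "$1" "$2"
    printf 'RSYNC_PROXY="%s:%s"\n' "$1" "$2"
}

# ~/.ssh/config fragment: tunnel ssh through the same CONNECT mechanism using
# OpenBSD netcat's proxy support (needs CONNECT to 22 allowed on the proxy).
ssh_proxy_conf() {   # ssh_proxy_conf proxy_host proxy_port
    printf 'Host *\n    ProxyCommand nc -X connect -x %s:%s %%h %%p\n' "$1" "$2"
}

# Usage (needs the real proxy and a network; not run by the checks):
#   proxy_connect_check 192.0.2.10 8080 rsync.gentoo.org 873
#   portage_proxy_conf 192.0.2.10 8080 >> /etc/portage/make.conf
#   ssh_proxy_conf 192.0.2.10 8080 >> ~/.ssh/config
```

A 200 from the CONNECT check means the tunnel works and the config lines are worth adding; a 403 means the port is outside the proxy's allowed list, and no iptables rule on the laptop will change that. emerge-webrsync needs only http_proxy, since it fetches the portage snapshot over plain HTTP.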

----------

