# [Solved] Minimum kernel config for iptables

## Astronome

I'm interested in setting up a transparent proxy for a single computer on my home network. The same machine will act as both the proxy and the client connecting to it. I figure I will use iptables with something like the following rule, taken from here:

```
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner $SQUID --dport 80 -j REDIRECT --to-port 8080
```

I understand that I need to configure my kernel according to this article. But do I need to follow the instructions under the "client" or "router" section? Both?

Do I really need to enable everything in that article or can I set up a simple rule like the above with less?

Last edited by Astronome on Thu Jun 23, 2016 5:48 pm; edited 1 time in total

----------

## NeddySeagoon

Astronome,

A few things.

As you are setting up a transparent proxy on a single machine, only for that single machine, you may only need the client bit of that wiki page.

NAT (Network Address Translation) is only used on routers, where one system shares an IP address among several systems, so that from upstream, they all appear to have the same IP address.

Your router does this. Your ISP will assign you a single public IP address, then it will provide NAT to your home network.

You will only use IPtables to forward some ports to squid and get the responses.

Transparent proxies are less useful than they once were.  They cannot cache dynamically generated web content and the web is moving toward that more and more.

-- edit --

If you can live without the transparent bit, you don't need iptables at all.

Configure your browser to point to squid

----------

## szatox

*Quote:*

> If you can live without the transparent bit, you don't need iptables at all.

And if you can't live without the transparent bit, you can't have the proxy and the browser on the same IP as your browser.

Why? Because if you hijack your browser's connection and direct it to the proxy without moving away from the start point, the same rule will be applied to the proxy-initiated connection.

Once the proxy attempts to reach the actual server, its connection will be hijacked too, and then directed to your proxy. Oops... You're in a loop.

You need at least some abstraction with virtual interfaces, probably a container or a VM hosting your proxy (so it has a different IP). Maybe your router could do that for you.

----------

## Astronome

*NeddySeagoon wrote:*

> NAT (Network Address Translation) is only used on routers, where one system shares an IP address among several systems, so that from upstream, they all appear to have the same IP address.
>
> Your router does this. Your ISP will assign you a single public IP address, then it will provide NAT to your home network.
> ...


I did need to include nat table support in my kernel config in order to add iptables rules there, but I didn't need to include all the options under the router config section.

*szatox wrote:*

> And if you can't live without the transparent bit, you can't have the proxy and the browser on the same IP as your browser.
>
> Why? Because if you hijack your browser's connection and direct it to the proxy without moving away from the start point, the same rule will be applied to the proxy-initiated connection.
> ...


Actually, if you include `-m owner ! --uid-owner $BLAH` where $BLAH is the uid of the proxy user, you can avoid the loop and run both on the same machine.

----------
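Putting szatox's loop observation and Astronome's owner-match fix together, here is an added example script (it is not from the thread or from the Gentoo wiki page). It checks a kernel config for the options the rule depends on and builds the REDIRECT rule with the `! --uid-owner` exclusion. The list of kernel option names is an assumption for a 4.x-era kernel (names differ between versions), the sample config is constructed, and the squid uid of 31 is a made-up value.

```shell
#!/bin/sh
# Added example, not from the thread: build the same-host REDIRECT rule with
# the owner exclusion that breaks the proxy loop, and check a kernel .config
# for the options the rule depends on.

# Kernel options the rule needs (assumption: names as in 4.x-era kernels;
# they differ between versions, so adjust to your tree). Only the nat table,
# the REDIRECT target and the owner match are needed, not the whole
# "router" section of the wiki page.
REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_NAT
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_REDIRECT
CONFIG_NETFILTER_XT_MATCH_OWNER"

# Read a kernel config on stdin; print each required option that is neither
# built in (=y) nor a module (=m). Prints nothing when all are present.
missing_kernel_opts() {
    cfg=$(cat)
    for opt in $REQUIRED_OPTS; do
        printf '%s\n' "$cfg" | grep -Eq "^${opt}=[ym]$" || printf '%s\n' "$opt"
    done
}

# Print the nat/OUTPUT rule. The "! --uid-owner" match is what stops the
# loop: squid's own outbound port-80 connections carry its uid, so they are
# excluded from the redirect and reach the real server instead of squid.
redirect_rule() {
    uid=$1
    dport=${2:-80}
    proxy_port=${3:-8080}
    printf 'iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner %s --dport %s -j REDIRECT --to-port %s\n' \
        "$uid" "$dport" "$proxy_port"
}

# Constructed sample config: everything present except the nat table.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_NAT=m
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m'

SQUID_UID=31   # constructed value; use "id -u squid" on a real system

echo "Missing from sample config:"
printf '%s\n' "$SAMPLE_CONFIG" | missing_kernel_opts
echo "Rule to apply as root:"
redirect_rule "$SQUID_UID"

# On a real system, check the running kernel and apply the rule:
#   zcat /proc/config.gz | missing_kernel_opts
#   eval "$(redirect_rule "$(id -u squid)")"
```

Without the owner match, the rule the script prints would also catch squid's own outbound connections to port 80 and send them back to port 8080, which is the loop described above; with it, only traffic from other uids is redirected.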

