How do I use external transparent proxy for a single host?

[codezion]

Hello,

I have searched for this quite a bit but my lack of knowledge of IPTables makes me doubt whether I have found a solution or not. I have very light experience with IPTables as well. So I thought I'd ask here.

Basically, what I am trying to do is use an external transparent proxy for only one of the hosts on my internal network. For example, for an internal host of 192.168.1.8, I want to send all internet requests for ANY port to a proxy server out in the internet at 238.34.232.7 / port: 8080. All other hosts would use the internet without using any proxy server.

Is IPTables the way to set this up or is there an easier option? Could someone please help me figure out how to do this?

Thanks a lot!

[Kloschüssel]

hi and welcome,

iptables works on the iso/osi layer of ip's. a proxy is something on the application layer. don't confuse these things.

and the answer is true, it is possible. transparent redirects are nowadays quite always realized through the NAT feature.

but to say the truth, i never tried to setup such a configuration. if all traffic goes to another server and this server works just as a relay, it is much easier to just configure the dns resolution to point to the other IP. but if you want to set up this, with nat it should work. can't actually see a reason why not. how to accomplish it you'll have to read yourself. there are plenty explanations and howtos around (even in this forum posted by me). hit the search button and there you go.

[codezion]

Thanks so much for your reply.

You suggested that configuring DNS resolution to point to the proxy IP would be easier. But I am not sure how that would work when the request from one source IP could be for anything out on the net.

Anyways, I researched iptables and came up with something like below. I thought it would be a matter of a simple source and destination IP and forwarding all packets for all ports. But this doesn't work for some reason. Any idea why?

Code:

#!/bin/sh
 MEDIA_IP=192.168.1.129
 PROXY_IP=85.224.23.2
 PROXY_PORT=80
 LAN_NET=192.168.1.0/24

 iptables -t nat -A PREROUTING -i tun0 -s $MEDIA_IP -d $LAN_NET  -j ACCEPT
 iptables -I FORWARD -i tun0 -o br0 -s $MEDIA_IP -d $PROXY_IP --dport $PROXY_PORT -j ACCEPT

BTW, I don't think this matters but my iptables box is my dd-wrt router. Any help would be greatly appreciated.

[Kloschüssel]

I would say it's not the FORWARD , but the INPUT chain.

make also sure that you have the correct device and as last suggestion, beware of the --dport switch where the source port differs from the destination port. i couldn't get that one working properly last time and spent several hours on it before i gave up. oh, and the -A PREROUTING may be dangerous, because other things in that chain that come before may reject the packet or do other malicious things.

PS: sorry for the dns suggestion, i misunderstood your first message.