t1ck3ts
Resolved
Hoping someone could help me here.

I installed Privoxy (while still having squid installed) but used the following iptables rules:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8118

They seem to work fine and I decided to remove squid and keep privoxy as the normal.

After removing squid, the redirect does not work and no HTTP traffic is being directed to Privoxy.

Could someone give me an update on better iptables rules I'm missing or have not used? Or even what the squid rules look like so I can change them to my privoxy port, etc.

edit:

Used these rules instead:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.4.1:8118
iptables -t nat -A POSTROUTING -j MASQUERADE

Although, I would like to know if there is a better way of doing this, as I had to open up a listening port on 192.168.4.1 (it was just listening on loopback as per the privoxy config).
Wednesday, September 07 2016, 10:46 PM
Responses (6)
  • Accepted Answer

    t1ck3ts
    Thursday, September 08 2016, 05:06 PM
    Nick Howitt wrote:
    So presumably you have another firewall rule intercepting tcp:443 traffic?

    Yeah
  • Accepted Answer

    Thursday, September 08 2016, 04:54 PM
    t1ck3ts wrote:

    Nick Howitt wrote:
    [edit]
    BTW, is it worth the effort as more and more sites switch to https, which will bypass Privoxy as it does with the transparent proxy?
    [/edit]

    I use ProxHTTPSProxyMII with Privoxy
    So presumably you have another firewall rule intercepting tcp:443 traffic?
  • Accepted Answer

    t1ck3ts
    Thursday, September 08 2016, 11:13 AM
    Nick Howitt wrote:
    [edit]
    BTW, is it worth the effort as more and more sites switch to https, which will bypass Privoxy as it does with the transparent proxy?
    [/edit]

    I use ProxHTTPSProxyMII with Privoxy
  • Accepted Answer

    Thursday, September 08 2016, 09:46 AM
    I'm afraid I don't know Privoxy at all, so I don't know why it does not work. REDIRECT should work in a similar way to DNAT but automatically changes the destination address to 127.0.0.1 (rather than your LAN interface) and it is the tool ClearOS uses for the transparent proxy. You can either troubleshoot or revert to your working config, but I can't really make any more comments.

    [edit]
    BTW, is it worth the effort as more and more sites switch to https, which will bypass Privoxy as it does with the transparent proxy?
    [/edit]
  • Accepted Answer

    t1ck3ts
    Thursday, September 08 2016, 09:37 AM
    Nick Howitt wrote:

    The PREROUTING chain is the normal way and what squid uses as a transparent proxy as well, but use "-j REDIRECT --to-ports 8118". There should be no need to add the POSTROUTING rule. This should remove the requirement to have Privoxy listen on your LAN interface.


    Removed
    iptables -t nat -A POSTROUTING -j MASQUERADE
    and changed
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.4.1:8118
    to
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8118
    and after that set the listen address in the config back to 127.0.0.1:8118, but that stops it from working :/
  • Accepted Answer

    Thursday, September 08 2016, 07:05 AM
    The PREROUTING chain is the normal way and what squid uses as a transparent proxy as well, but use "-j REDIRECT --to-ports 8118". There should be no need to add the POSTROUTING rule. This should remove the requirement to have Privoxy listen on your LAN interface.
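The whole exchange above turns on two things: which nat chain a packet actually traverses (OUTPUT only sees traffic generated on the box itself, PREROUTING sees what LAN clients send through it) and what address the REDIRECT target rewrites the destination to. As an added illustration, not code from this thread or from Privoxy or ClearOS, the small Python model below walks a rule list the way the nat table would; it assumes 192.168.4.1 is the LAN interface's primary address (the value used in the thread), that REDIRECT in PREROUTING maps the destination to the incoming interface's primary address, and that REDIRECT in OUTPUT maps it to 127.0.0.1, which is the documented behaviour of the REDIRECT target.

```python
LAN_IP = "192.168.4.1"   # primary address of the LAN interface (value from the thread)
LOOPBACK = "127.0.0.1"


def rewrite(rules, chain, dport, uid=None):
    """Walk the nat rules of one chain in order and return the rewritten
    (ip, port) destination, or None if no rule redirects the packet.
    chain is "PREROUTING" (traffic forwarded from LAN clients) or
    "OUTPUT" (traffic generated on the box itself, owned by uid)."""
    for r in rules:
        if r["chain"] != chain or r.get("dport", dport) != dport:
            continue
        if "owner" in r:                  # (name, negated): negated models "! --uid-owner"
            name, negated = r["owner"]
            if (uid == name) == negated:  # owner match failed, try the next rule
                continue
        if r["target"] == "ACCEPT":       # first match wins: leave the packet alone
            return None
        if r["target"] == "REDIRECT":     # assumption stated in the lead-in
            return ((LOOPBACK if chain == "OUTPUT" else LAN_IP), r["to_port"])
        if r["target"] == "DNAT":
            return r["to"]
    return None


def reaches_proxy(rules, chain, listen, uid=None):
    """True when a port-80 packet lands on a socket the proxy listens on."""
    return rewrite(rules, chain, 80, uid) in listen


# The OP's first rule set: only the OUTPUT chain (local traffic) is touched.
ORIGINAL = [
    {"chain": "OUTPUT", "dport": 80, "owner": ("root", False), "target": "ACCEPT"},
    {"chain": "OUTPUT", "dport": 80, "owner": ("privoxy", True), "target": "REDIRECT", "to_port": 8118},
]
# The PREROUTING REDIRECT rule from later in the thread.
PREROUTING_REDIRECT = [
    {"chain": "PREROUTING", "dport": 80, "target": "REDIRECT", "to_port": 8118},
]
LISTEN_LOOPBACK = {(LOOPBACK, 8118)}  # Privoxy listening on loopback only
LISTEN_LAN = {(LAN_IP, 8118)}         # Privoxy listening on the LAN address

if __name__ == "__main__":
    # LAN clients never traverse OUTPUT, so nothing reaches Privoxy.
    print(reaches_proxy(ORIGINAL, "PREROUTING", LISTEN_LOOPBACK))             # False
    # Locally generated traffic from an ordinary user is redirected to loopback.
    print(reaches_proxy(ORIGINAL, "OUTPUT", LISTEN_LOOPBACK, uid="alice"))    # True
    # PREROUTING REDIRECT lands on 192.168.4.1:8118, which loopback-only Privoxy ignores.
    print(reaches_proxy(PREROUTING_REDIRECT, "PREROUTING", LISTEN_LOOPBACK))  # False
    print(reaches_proxy(PREROUTING_REDIRECT, "PREROUTING", LISTEN_LAN))       # True
```

On a real box, `iptables -t nat -S` lists the rules in the order they are walked and `ss -ltnp` shows which address and port Privoxy actually binds, so the two can be compared the same way.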