Iptables Transparent Proxy and Browser on localhost

 
 
Fritz Bayer
      06-16-2004, 05:26 AM
Hello,

I have written a java http proxy, which accepts http connections on
the localhost at port 8080 and forwards them to the authority in the
internet.

I would like the proxy to be transparent so that my browser's requests
to port 80 are redirected to port 8080 on the localhost.

The proxy then opens a new tcp connection and forwards the result to
the connection originally established by the browser.

The important thing to notice is that I only have one Linux PC, and so
ALL requests are originating from localhost, and that all connection
requests have the destination port 80.

I'm looking for a set of iptable rules, that redirect the requests
from the browser to the proxy BUT that do not redirect any requests of
the proxy to itself.

So I really need some rules, which can differentiate between HTTP
connections originating from the browser and the proxy.

Those connections originating from the browser should be forwarded to
the proxy. Those of the proxy should leave my box and go to the
internet.

I have googled a lot and read the howtos and the manpages, but I can't
figure out how to distinguish connections of the browser from the
proxy's connection requests, since they are all leaving the same
interface.

Any ideas?
 
Alex Harsch
      06-17-2004, 09:17 AM
Fritz Bayer wrote:

> Hello,
>
> I have written a java http proxy, which accepts http connections on
> the localhost at port 8080 and forwards them to the authority in the
> internet.
>
> I would like the proxy to be transparent so that my browser's requests
> to port 80 are redirected to port 8080 on the localhost.
>
> The proxy then opens a new tcp connection and forwards the result to
> the connection originally established by the browser.
>
> The important thing to notice is that I only have one linux pc, and so
> ALL requests are originating from localhost, and that all connection
> request are having the destination port 80.
>
> I'm looking for a set of iptable rules, that redirect the requests
> from the browser to the proxy BUT that do not redirect any requests of
> the proxy to itself.
>
> So I really need some rules, which can differentiate between HTTP
> connections originating from the browser and the proxy.
>
> Those connections originating from the browser should be forwarded to
> the proxy. Those of the proxy should leave my box and go to the
> internet.
>
> I have googled a lot and read the howtos and the manpages, but I can't
> figure out how to distinguish connections of the browser from the
> proxy's connection requests, since they are all leaving the same
> interface.
>
> Any ideas?

Hello,

why don't you just configure your browser to use a proxy, if you are the
only client anyways? But, you can also work with iptables, which is more
effort of course. The rules should then look like this:
1. everything from your_proxy_port to dport 80 accept
2. everything from high_ports to dport 80 redirect to 8080

Alex
 
Fritz Bayer
      06-19-2004, 08:21 AM
Alex Harsch wrote:
> Fritz Bayer wrote:
>
> > Hello,
> >
> > I have written a java http proxy, which accepts http connections on
> > the localhost at port 8080 and forwards them to the authority in the
> > internet.
> >
> > I would like the proxy to be transparent so that my browser's requests
> > to port 80 are redirected to port 8080 on the localhost.
> >
> > The proxy then opens a new tcp connection and forwards the result to
> > the connection originally established by the browser.
> >
> > The important thing to notice is that I only have one linux pc, and so
> > ALL requests are originating from localhost, and that all connection
> > request are having the destination port 80.
> >
> > I'm looking for a set of iptable rules, that redirect the requests
> > from the browser to the proxy BUT that do not redirect any requests of
> > the proxy to itself.
> >
> > So I really need some rules, which can differentiate between HTTP
> > connections originating from the browser and the proxy.
> >
> > Those connections originating from the browser should be forwarded to
> > the proxy. Those of the proxy should leave my box and go to the
> > internet.
> >
> > I have googled a lot and read the howtos and the manpages, but I can't
> > figure out how to distinguish connections of the browser from the
> > proxy's connection requests, since they are all leaving the same
> > interface.
> >
> > Any ideas?

> Hello,
>
> why don't you just configure your browser to use a proxy, if you are the
> only client anyways? But, you can also work with iptables, which is more
> effort of course. The rules should then look like this:
> 1. everything from your_proxy_port to dport 80 accept
> 2. everything from high_ports to dport 80 redirect to 8080
>
> Alex


That's because a transparent proxy has to behave differently to a
non-transparent proxy (see the HTTP 1.1 RFC about that).

Could you please write the iptable rules down, so that I can try them
on the machine? Thanks!
 
Cameron Kerr
      06-19-2004, 09:24 AM
Fritz Bayer wrote:

> Could you please write the iptable rules down, so that I can try them
> on the machine? Thanks!


iptables -t nat -o $extif -A OUTPUT -p tcp --syn --dport 80 \
-j REDIRECT --to-ports 8080

Where extif is your internet facing interface. Drop the --syn if you
are not using connection tracking. If you are using other firewall
rules, make sure these packets can get through the filter table.

See the `Transparent Proxy HOWTO' for more information.

--
Cameron Kerr
http://nzgeeks.org/cameron/
Empowered by Perl!
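
Added example, not part of the thread: the two-step scheme Alex outlines (let the proxy's own requests through, redirect everything else) written with the iptables owner match, which works in the OUTPUT chain and tells locally generated connections apart by the UID of the process that opened the socket rather than by source port. It assumes the proxy runs under a dedicated account, here the hypothetical name `httpproxy`, while the browser runs as a different user.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the proxy runs as a
# dedicated account "httpproxy" (hypothetical name) and listens on 8080.

PROXY_USER="${PROXY_USER:-httpproxy}"   # hypothetical account name
PROXY_PORT="${PROXY_PORT:-8080}"

# Print the two nat/OUTPUT rules, in order, for the given user and port.
# Rule order matters: the exemption must be evaluated before the redirect.
build_rules() {
    user=$1
    port=$2
    # Reject anything that is not a plain account name or a valid TCP port,
    # so nothing unexpected ends up on an iptables command line.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "bad user: $user" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2
        return 1
    fi
    # 1. Connections opened by the proxy's UID leave the box untouched.
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT"
    # 2. Every other local connection to port 80 goes to the proxy.
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $port"
}

# Dry run by default: print the rules. Set APPLY=1 (as root) to install them.
main() {
    rules=$(build_rules "$PROXY_USER" "$PROXY_PORT") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$rules" | while IFS= read -r rule; do
            $rule || exit 1
        done
    else
        echo "$rules"
    fi
}

main
```

If the proxy and the browser run under the same account, the owner match cannot separate them and the proxy's requests loop back to port 8080.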
 