Proxy and iptables

I'am having problems using squid and iptables.

I use squid proxy on a debian linux server.
This server is the gateway for my intranet.
I also use iptables to set up port forwarding like this:

iptables -t nat -A PREROUTING -p tcp -d $local_ip --dport 5901 -j DNAT --to
$mywebserver_ip:4662

iptables -t nat -A POSTROUTING -p tcp -d $mywebserver_ip:80 -s 0/0 --dport
5901 -j SNAT --to $local_ip

From other linux workstation i use a web browser.
if i want go to http://myproxyserver:5901 it only works if i don't use the
proxy configuration of my browser . Otherwise if i configure my web browser
to use a proxy the proxy server returns a Connection Failed error.

Anyone knows how can i resolve this.


thanks
FLL.

Francesc Llop wrote:
> I'am having problems using squid and iptables.
>
> I use squid proxy on a debian linux server.
> This server is the gateway for my intranet.
> I also use iptables to set up port forwarding like this:
>
> iptables -t nat -A PREROUTING -p tcp -d $local_ip --dport 5901 -j DNAT --to
> $mywebserver_ip:4662
>
> iptables -t nat -A POSTROUTING -p tcp -d $mywebserver_ip:80 -s 0/0 --dport
> 5901 -j SNAT --to $local_ip
>
> From other linux workstation i use a web browser.
> if i want go to http://myproxyserver:5901 it only works if i don't use the
> proxy configuration of my browser . Otherwise if i configure my web browser
> to use a proxy the proxy server returns a Connection Failed error.
>
> Anyone knows how can i resolve this.
>
>
> thanks
> FLL.

Hello,

PREROUTING chain is NOT used for locally generated packets (ie, for
squid ones). You need to add similar rule for OUTPUT chain, something
like this:

iptables -A OUTPUT -t nat --dst $local_ip -p tcp --dport 80 -j DNAT --to
$mywebserver_ip:4662

If iptables gives you "Invalid argument on such rule", you need either
newer version of iptables or some option to be compiled in kernel
(for example 2.6 serie kernels have that "NAT of local connections"
option).

Hope this helps,
Erik