How to use iptables in linux to forward http and https traffic to a transparent proxy
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, published under the CC BY-SA 4.0 license. If you reuse it you must comply with the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/10727443/
Asked by ajt
I have a Ubuntu linux system acting as a gateway system with two interfaces on it. One interface is for the local network and one interface is for the internet. I am able to route traffic through it with no problem at all. I use two iptables rules to forward outbound traffic from the internal interface:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
I now need to create an iptables rule that filters out and redirects all tcp port 80 and 443 traffic leaving my network through the eth1 interface and send it to a proxy server that resides on a loopback interface on tcp port 9090.
I have been searching all over SO but I have not been able to find an example that works. Is there an efficient way to do this?
Accepted answer by Diego Woitasen
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 9090
HTTPS cannot be used with a transparent proxy. There are some hacks, but they don't make any sense and are useless.
Answer by Fabrizio
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
Where:
- squid-box: your squid server
- local-network: your network (in my case is 192.168.0.0/24)
- iptables-box: where your iptables software reside (usually the gateway, in my case 192.168.1.1)
The first one sends the packets to squid-box from iptables-box. The second makes sure that the reply gets sent back through iptables-box, instead of directly to the client (this is very important!). The last one makes sure the iptables-box will forward the appropriate packets to squid-box. It may not be needed. YMMV. Note that we specified '-i eth0' and then '-o eth0', which stands for input interface eth0 and output interface eth0. If your packets are entering and leaving on different interfaces, you will need to adjust the commands accordingly.
Add these commands to your appropriate startup scripts under /etc/rc.d/
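The two rule layouts discussed on this page, the accepted answer's REDIRECT to a proxy on the gateway itself and Fabrizio's DNAT/SNAT hairpin to a proxy on a separate host, as one added example script that is not code from either answer. It wraps each layout in a function and adds a dry-run mode so the complete rule set can be reviewed before it touches the live firewall, which is how a practitioner avoids locking a gateway out. All names and addresses (LAN_IF, WAN_IF, LAN_NET, GW_IP, SQUID_IP, the DRY_RUN variable, 192.168.0.x) are assumptions constructed for the example; only port 80 is redirected, in line with the accepted answer's point about HTTPS.

```shell
#!/bin/sh
# Added example, not code from the StackOverflow answers. Builds the iptables
# rules for transparent HTTP proxying in two layouts, with a dry-run mode.
# Assumed names (not from the page); addresses are constructed samples.
LAN_IF="${LAN_IF:-eth1}"              # interface facing the local network
WAN_IF="${WAN_IF:-eth0}"              # interface facing the internet
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # the local subnet
GW_IP="${GW_IP:-192.168.0.1}"         # this gateway's address on LAN_IF
SQUID_IP="${SQUID_IP:-192.168.0.10}"  # separate proxy host (layout 2)
DRY_RUN="${DRY_RUN:-1}"               # 1 = print rules, 0 = apply with iptables

# Every rule goes through this wrapper, so the dry run prints exactly what
# would be executed.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Layout 1 (accepted answer): the proxy runs on the gateway itself.
# REDIRECT rewrites the destination to the primary address of the interface
# the packet arrived on (LAN_IF), so the proxy must listen on that address or
# on 0.0.0.0; a proxy bound only to 127.0.0.1 will never see the connections.
local_redirect_rules() {
    port="${1:-9090}"
    # Match only the LAN subnet on the LAN interface; anything else is left alone.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$port"
    # After REDIRECT the packet is addressed to the gateway, so it is filtered
    # by INPUT rather than FORWARD.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
}

# Layout 2 (Fabrizio's answer): the proxy runs on a separate LAN host.
# DNAT sends port-80 traffic to the proxy; SNAT rewrites the source to the
# gateway so the proxy's replies return through the gateway's NAT table
# instead of going straight to the client, which would break the connection.
# The proxy's own outbound fetches are excluded so they are not looped.
remote_proxy_rules() {
    port="${1:-3128}"
    ipt -t nat -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_IP:$port"
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SQUID_IP" \
        -p tcp --dport "$port" -j SNAT --to-source "$GW_IP"
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$SQUID_IP" \
        -p tcp --dport "$port" -j ACCEPT
}

# Shared with both layouts: the masquerade/forward pair from the question.
gateway_rules() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    ipt -A FORWARD -i "$LAN_IF" -j ACCEPT
}

# Number of rules a layout function emits (used to sanity-check a dry run).
rule_count() {
    "$1" | wc -l | tr -d ' '
}

# Usage: DRY_RUN=1 sh proxy-rules.sh local   (review), then DRY_RUN=0 to apply.
if [ "${1:-}" = "local" ]; then
    gateway_rules; local_redirect_rules 9090
elif [ "${1:-}" = "remote" ]; then
    gateway_rules; remote_proxy_rules 3128
fi
```

Because both redirect rules sit in the nat PREROUTING chain, they apply only to packets forwarded through the gateway; connections the gateway opens itself traverse OUTPUT instead, so a proxy running on the gateway (layout 1) fetches upstream pages without being redirected back to itself.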