Problem Configuring iptables for Transparent Web Proxy


Post by Richard.Croasher » Sat Jan 18, 2014 2:16 am

Greetings, forum.

I'm having a difficult time setting up iptables rules for a transparent proxy (I realize that OpenVPN can push an explicit proxy configuration out to clients, but this isn't appropriate for my needs). OpenVPN and the transparent proxy are running on the same server---the proxy is bound to 10.8.0.1:8080 on tun0. Here are the iptables rules:

###############
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-I PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.1:8080
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A FORWARD -i tun0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Web Traffic; accept all incoming OpenVPN requests on 443, but allow
# only connected VPN clients to use our Web proxy on 8080
#
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i tun0 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT

COMMIT
###############

A liberal use of the LOG target has revealed that, when an OpenVPN client attempts to access a webpage, the PREROUTING NAT rule works as expected. Once a destination address is replaced by 10.8.0.1:8080, the filter INPUT rule permitting access to the proxy is then fired. However, this is where things stop working for some reason: the proxy doesn't seem to see the NAT'ed packet from the client and no webpage is ever returned to the client.

Does anyone have any thoughts about where I've gone wrong with these iptables rules?
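Added example, not code from the post above: a small simulator that walks a TCP SYN through the nat PREROUTING rule and then the filter INPUT chain exactly as quoted, to show which rule fires for a given packet (POSTROUTING and FORWARD are not modelled; the eth0 address 203.0.113.10 and all client and remote addresses are constructed). It confirms what the LOG output showed: a VPN client's port-80 SYN is rewritten to 10.8.0.1:8080 and accepted by the tun0 rule, while the same port reached from eth0 falls through to the DROP policy.

```python
"""Added example: walk a TCP SYN through the nat PREROUTING and filter INPUT rules from
the post. The eth0 address 203.0.113.10 and the client/remote addresses are constructed."""
from dataclasses import dataclass, replace
import shlex

NAT_RULES = """
-I PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.1:8080
"""
FILTER_RULES = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i tun0 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
"""
LOCAL_ADDRS = {"10.8.0.1", "203.0.113.10"}  # tun0 address and the assumed eth0 address

@dataclass
class Pkt:  # only the fields the rules above actually look at
    iif: str; src: str; dst: str; dport: int; proto: str = "tcp"; state: str = "NEW"

def parse(text):
    """Parse iptables-restore style lines into {chain: [rule, ...]}; -I prepends."""
    chains = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        rule = dict(zip(toks[::2], toks[1::2]))  # every flag in these rules takes one value
        lst = chains.setdefault(rule.get("-A") or rule.get("-I"), [])
        lst.insert(0, rule) if "-I" in rule else lst.append(rule)
    return chains

def matches(rule, p):  # a missing match option matches anything, as in iptables
    return (rule.get("-i", p.iif) == p.iif and rule.get("-p", p.proto) == p.proto
            and int(rule.get("--dport", p.dport)) == p.dport
            and p.state in rule.get("--state", p.state).split(","))

def run_chain(rules, p, policy):
    for rule in rules:
        if matches(rule, p):
            if rule["-j"] == "DNAT":  # rewrite the destination; later chains see the new one
                host, port = rule["--to-destination"].rsplit(":", 1)
                return "DNAT", replace(p, dst=host, dport=int(port))
            return rule["-j"], p
    return policy, p  # nothing matched: the chain policy decides

def trace(p):
    """Return (verdict, final packet): PREROUTING first, then INPUT if locally addressed."""
    _, p = run_chain(parse(NAT_RULES).get("PREROUTING", []), p, "ACCEPT")
    if p.dst not in LOCAL_ADDRS:
        return "FORWARD", p  # not for this host: would go through FORWARD, not INPUT
    return run_chain(parse(FILTER_RULES).get("INPUT", []), p, "DROP")
```

Call `trace(Pkt("tun0", "10.8.0.5", "198.51.100.20", 80))` to see the DNAT-then-ACCEPT path, and swap the interface to eth0 or the port to 443 to see the other outcomes.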
