External Transparent Proxy


#1

Hey guys, I was curious to know, is it possible, or how would one achieve the following goal.

We have a Squid proxy server set up with filtering and reporting in our DMZ. At the moment clients are configured using the PAC file/WPAD method or even manually configured to direct traffic to it.

Is it possible to configure the following iptables rule using the confines of the standard VyOS command line configuration tools?

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

What we’re trying to achieve is to have all our clients on our user VLAN get transparent internet access through the transparent proxy, without having to roll out PAC/WPAD files etc. or reconfigure workstations.


#2

See Vyatta-PolicyBasedRouting_6.5R1_v01.pdf; you might try something like:

set interfaces ethernet eth0 policy route 'source-route'
set interfaces ethernet eth1 policy route 'source-route'
set policy route source-route rule 10 destination port 80
set policy route source-route rule 10 protocol 'tcp'
set policy route source-route rule 10 set table '1'
set policy route source-route rule 10 source address '0.0.0.0/0'
set protocols static table 1 route 0.0.0.0/0 next-hop '192.168.1.1'

combined with a NAT rule to change the outgoing port from 80 to 3128. Or configure the 192.168.1.1 machine to accept connections on both 80 and 3128.
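For reference, the first iptables rule from post #1 written as a VyOS destination NAT rule, which is the "NAT rule" this reply refers to. This is an added example, not part of either post; it assumes VyOS 1.x syntax, the user VLAN on eth1, and Squid on 192.168.1.1 listening with "http_port 3128 intercept".

```vyos
# Added example (not from the thread). Assumes VyOS 1.x syntax, the user VLAN
# on eth1 and Squid on 192.168.1.1 configured with "http_port 3128 intercept".
configure

# Rewrite client HTTP (tcp/80) arriving from the user VLAN to the proxy.
# Equivalent to:
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
set nat destination rule 10 description 'Intercept user VLAN HTTP to Squid'
set nat destination rule 10 inbound-interface 'eth1'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination port '80'
set nat destination rule 10 translation address '192.168.1.1'
set nat destination rule 10 translation port '3128'

commit
save
exit
```

Only plain HTTP on tcp/80 is intercepted this way; HTTPS is not seen by the proxy at all. Note also that Squid 3.2 and later expect the interception NAT to be performed on the Squid host itself (it reads the original destination from the local NAT table), so on a current Squid the policy-route approach above, with a local REDIRECT to 3128 on the 192.168.1.1 machine, is the more reliable combination.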


#3

Thanks Carl! I never thought of using policy based routing to achieve it. Will give it a test. Always good to have a second set of brains.