How To: Redirect HTTP Traffic to Proxy Using iptables

Invisible Traffic

Proxy Madness

Using Squid or any other proxy for transparent caching/filtering of HTTP traffic has many benefits, being for logging purposes or the aforementioned use-cases, keeping every client configured can be a nuance. Networking equipment from Cisco and Juniper has the ability to redirect all passing HTTP traffic, in IOS and JunOS respectively, to the desired proxy.

A more cost-effective solution is to use a Linux box inline the client network and the “Internet”, redirecting HTTP traffic to a separate transparent proxy box, before it reaches the Internet.

Another, more realistic (…), use case. Is to use the transparent caching proxy server inline the VPN Server, VPN Client and the Internet. Example below.

VPN Client --> VPN Server --> Caching Transparent Proxy --> Internet

The benefit being that the VPN Server can resend cached content to the VPN Client, reducing latency for the server and the connection as a whole.

The Solution

Using the example above, traffic redirection using iptables most efficiently takes place on the VPN Server.

Below is the required configuration:
~# iptables -t nat -A PREROUTING -i [TUNNELIFACE] -p tcp -m tcp --dport 80 -j DNAT --to-destination [PROXYIP]:[PROXYPORT]

Working example:
~# iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination

As an end note. For best results and lowest possible latency, the VPN Server and Caching Transparent Proxy should be on the same network, preferably on the same network switch.

Happy Caching!