If you wish to redirect ports for a transparent proxy with NSProxy or squid, or need to use port redirection for other purposes, it is recommended that you use the nsportmap service.
Usage: /usr/local/netsweeper/bin/nsportmapctl {start|stop|restart|status}
When started, the nsportmap service simply inserts the iptables rules found in /usr/local/netsweeper/etc/nsportmap.conf.
Confirm Proxy Listen Directives
For a transparent proxy, your NSProxy configuration file should contain the following listen directives:
listen http 0.0.0.0 31281
listen https 0.0.0.0 31282
You can confirm that the proxy is listening on these ports by running:
netstat -nlp | grep 3128
tcp 0 0 0.0.0.0:31280 0.0.0.0:* LISTEN 3273/./nsproxy
tcp 0 0 0.0.0.0:31281 0.0.0.0:* LISTEN 3273/./nsproxy
tcp 0 0 0.0.0.0:31282 0.0.0.0:* LISTEN 3273/./nsproxy
We will now forward ports 80 and 443 to ports 31281 and 31282 respectively.
Redirect Ports 80 and 443 to the Proxy on Ports 31281 and 31282
SSH into the policy server and elevate permissions to root.
1. Change directory
cd /usr/local/netsweeper/etc
2. Edit the nsportmap.conf file to add any redirects
vim nsportmap.conf
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 31281
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 31282
COMMIT
3. Start the nsportmap service
service nsportmapctl start
4. Set the nsportmap service to start on boot of server
chkconfig nsportmapctl on
5. Confirm the port redirection rules are in effect
iptables -tnat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 31281
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 31282
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
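As an added check after step 5 (example script, not part of Netsweeper's tooling), the following cross-checks every REDIRECT rule in nsportmap.conf against the sockets the proxy actually has open, so a wrong --to-port (traffic redirected to a port nothing listens on) is caught before clients are affected. The nsportmap.conf and netstat contents below are constructed samples; the function name check_redirect_targets is this example's own.

```shell
#!/bin/sh
# Added example: verify that each --to-port in nsportmap.conf has a LISTEN
# socket. Both inputs are constructed samples, not taken from a live server.

NSPORTMAP_CONF='-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 31281
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 31282
COMMIT'

# Constructed equivalent of: netstat -nlp | grep 3128
NETSTAT_OUT='tcp 0 0 0.0.0.0:31280 0.0.0.0:* LISTEN 3273/./nsproxy
tcp 0 0 0.0.0.0:31281 0.0.0.0:* LISTEN 3273/./nsproxy
tcp 0 0 0.0.0.0:31282 0.0.0.0:* LISTEN 3273/./nsproxy'

# check_redirect_targets CONF_TEXT NETSTAT_TEXT
# Prints "<dport> -> <to-port> OK|MISSING" for each REDIRECT rule and
# returns 1 if any --to-port has no LISTEN socket.
check_redirect_targets() {
    conf=$1; ns=$2; rc=0
    # Pull "dport toport" pairs out of the -j REDIRECT lines.
    pairs=$(printf '%s\n' "$conf" | awk '/-j REDIRECT/ {
        d = ""; t = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport")   d = $(i + 1)
            if ($i == "--to-port") t = $(i + 1)
        }
        if (d != "" && t != "") print d, t
    }')
    # A here-doc keeps the loop in the current shell so rc survives it.
    while read -r dport toport; do
        [ -n "$dport" ] || continue
        if printf '%s\n' "$ns" | grep -q -E ":$toport[[:space:]].*LISTEN"; then
            echo "$dport -> $toport OK"
        else
            echo "$dport -> $toport MISSING"; rc=1
        fi
    done <<EOF
$pairs
EOF
    return $rc
}

check_redirect_targets "$NSPORTMAP_CONF" "$NETSTAT_OUT"
```

On a real policy server, call it with the live inputs: check_redirect_targets "$(cat /usr/local/netsweeper/etc/nsportmap.conf)" "$(netstat -nlp)".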
Stopping Port Forwarding
If for some reason you would like to stop port forwarding, simply run:
service nsportmapctl stop
Under rare circumstances the rules are not fully flushed. If you need to remove the port redirection rules manually and forcefully, you can use iptables directly:
iptables -tnat -F
Please note: execute the above with caution. If you have any other iptables rules in the NAT table, this command flushes ALL of them, not just the port redirects.