How do I implement a transparent proxy

Redirecting Ports with nsportmapctl for Transparent Proxies

If you wish to redirect ports for a transparent proxy with NSProxy or Squid, or need port redirection for other purposes, it is recommended that you use the nsportmap service.

Usage: /usr/local/netsweeper/bin/nsportmapctl {start|stop|restart|status}

When started, the nsportmap service simply inserts the iptables rules found in /usr/local/netsweeper/etc/nsportmap.conf.

Confirm Proxy Listen Directives

For a transparent proxy, your NSProxy configuration file should contain the following listen directives:

listen http 0.0.0.0 31281
listen https 0.0.0.0 31282

You can confirm that the proxy is listening on these ports by typing:

netstat -nlp | grep 3128

tcp 0 0 0.0.0.0:31280 0.0.0.0:* LISTEN 3273/./nsproxy
tcp 0 0 0.0.0.0:31281 0.0.0.0:* LISTEN 3273/./nsproxy
tcp 0 0 0.0.0.0:31282 0.0.0.0:* LISTEN 3273/./nsproxy

We will now forward ports 80 and 443 to ports 31281 and 31282 respectively.

Redirect Ports 80 and 443 to the Proxy on port 31281 and 31282

SSH into the policy server and elevate permissions to root.

1. Change directory

cd /usr/local/netsweeper/etc

2. Edit the nsportmap.conf file to add the redirects

vim nsportmap.conf

Add the redirect rules, for example:

-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 31281
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 31282
COMMIT

3. Start the nsportmap service

service nsportmapctl start

4. Set the nsportmap service to start on boot

chkconfig nsportmapctl on

5. Confirm the port redirection rules are in effect

iptables -tnat -nL

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 31281
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 31282

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Stopping Port Forwarding

If for some reason you would like to stop port forwarding, simply type:

service nsportmapctl stop

Under rare circumstances the rules are not fully flushed. If for any reason you need to manually and forcefully remove the port redirection rules, you can use iptables directly:

iptables -tnat -F

Please note: execute the above cautiously. If you have other iptables rules for any reason, this will flush ALL rules in the NAT table.
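The following is an added example script, not part of Netsweeper's tooling, that automates step 5 (checking that a given redirect is present in the PREROUTING chain) and builds a targeted delete command for one rule instead of flushing the whole NAT table. It assumes the `iptables -tnat -nL` output format shown above; the sample listing embedded in the script is constructed from that output so the parsing can be exercised without root.

```shell
#!/bin/sh
# Constructed sample of `iptables -tnat -nL` output, copied from the
# listing above so the check can be run without root or iptables.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 31281
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 31282

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# has_redirect <nat-listing> <dport> <toport>
# Exit 0 when the PREROUTING chain of the listing contains a REDIRECT
# rule for tcp dpt:<dport> whose redirect port is <toport>.
# Fields are compared individually so extra whitespace in real output
# does not matter; only the PREROUTING chain is inspected.
has_redirect() {
  printf '%s\n' "$1" | awk -v dport="$2" -v toport="$3" '
    /^Chain /                                   { chain = $2 }
    chain == "PREROUTING" && $1 == "REDIRECT" && $NF == toport {
      for (i = 1; i <= NF; i++) if ($i == "dpt:" dport) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# verify_live <dport> <toport>
# Same check against the running kernel NAT table (requires root).
verify_live() {
  has_redirect "$(iptables -t nat -nL 2>/dev/null)" "$1" "$2"
}

# redirect_delete_cmd <dport> <toport>
# Prints the iptables command that removes exactly one redirect rule
# (the safer alternative to `iptables -tnat -F`, which drops every NAT
# rule). The rule spec must match the nsportmap.conf line exactly, or
# iptables reports that no matching rule exists.
redirect_delete_cmd() {
  printf 'iptables -t nat -D PREROUTING -p tcp --dport %s -j REDIRECT --to-port %s\n' "$1" "$2"
}

# Demonstration against the constructed sample (no root needed).
has_redirect "$SAMPLE_NAT" 80 31281 && echo "80 -> 31281 redirect present"
has_redirect "$SAMPLE_NAT" 443 31282 && echo "443 -> 31282 redirect present"
redirect_delete_cmd 80 31281
```

On a live policy server, `verify_live 80 31281 && verify_live 443 31282` reproduces step 5 as a single pass/fail check suitable for a monitoring script.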
