Score:0

How to create Iptables rules for squid to only handle web traffic request


I'm using Squid Proxy for DNS filtering. I have configured Squid behind my GCP Cloud NAT in transparent mode to intercept HTTP and HTTPS web traffic, and I have added only the rules below to redirect HTTP and HTTPS traffic to Squid.

iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 443 -j REDIRECT --to-port 3130

But as I have learned so far, Squid is a web proxy and only handles HTTP, HTTPS and FTP requests; Squid doesn't understand SMTP, UDP or any other protocol. The iptables rules above only work for HTTP and HTTPS, and the rest of my SMTP and UDP requests are getting blocked. As I understand it, we can't tell Squid to handle SMTP and UDP requests, therefore I only want to handle HTTP and HTTPS traffic on Squid, and I also want the rest of my ports redirected directly to my GCP Cloud NAT.

Can anybody help me with which iptables rule I should write to redirect only port 80 and 443 requests to Squid, and bypass or redirect the rest of the port requests directly to my GCP Cloud NAT?

Traffic Flow

Private VM -> Squid Proxy -> GCP Cloud NAT

Score:0

To redirect only port 80 and 443 requests to Squid and bypass all other requests, you can modify the existing iptables rules as follows:

  1. Create an ACL in Squid to only allow HTTP and HTTPS requests. This can be done by adding the following lines to your Squid configuration file:

    acl Safe_ports port 80 443
    http_access allow Safe_ports

  2. Modify the iptables rules to only redirect HTTP and HTTPS requests to Squid:

    iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 80 -j REDIRECT --to-port 3129
    iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 443 -j REDIRECT --to-port 3130

  3. Add a new iptables rule to bypass all other requests and redirect them directly to your GCP Cloud NAT. The rule should look like this:

    iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp -m multiport ! --dports 80,443 -j DNAT --to-destination [GCP Cloud NAT IP address]

This rule will match all TCP traffic that is not on port 80 or 443, and redirect it directly to your GCP Cloud NAT.

Make sure to adjust the [GCP Cloud NAT IP address] to the correct IP address of your Cloud NAT instance.

With these rules, only HTTP and HTTPS traffic will be redirected to Squid for filtering, while all other traffic will be bypassed and redirected directly to your GCP Cloud NAT.

sanket jaiswal:
Still my port 25 and other requests are getting blocked. I've added the above rule; it's getting packets, but somewhere in the middle they're getting dropped. Is there any way we can directly forward traffic to the next hop without DNAT?
sanket jaiswal:
Working using this solution: https://stackoverflow.com/questions/2601400/squidiptables-how-do-i-allow-https-to-pass-through-and-bypassing-squid/2607361#2607361
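The rule set the thread converges on, written out as an added example (not the asker's or the answerer's code): only TCP 80/443 are redirected to Squid, nothing else is DNATed, and the non-proxied traffic is simply forwarded and source-NATed by the gateway so it reaches the default route (Cloud NAT). It assumes a single NIC named eth0 facing the private VMs and the Squid intercept ports 3129/3130 from the question; on GCP the gateway VM also needs IP forwarding enabled at the instance level.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints the rule set for a
# transparent Squid gateway that intercepts only TCP 80/443 and forwards all
# other traffic unchanged toward the default route (here, GCP Cloud NAT).
# Assumptions: one NIC (eth0) facing the private VMs, Squid intercept ports
# 3129/3130 as in the question.

LAN_IF="${LAN_IF:-eth0}"
SQUID_HTTP_PORT=3129
SQUID_HTTPS_PORT=3130

# Map a destination TCP port to the Squid intercept port, or print nothing
# when the port is not proxied. This mirrors what the nat PREROUTING chain
# below does with a packet, which makes the policy easy to sanity-check.
proxy_port() {
    case "$1" in
        80)  echo "$SQUID_HTTP_PORT" ;;
        443) echo "$SQUID_HTTPS_PORT" ;;
        *)   ;;
    esac
}

# Print the commands instead of running them: review them, then "gen_rules | sudo sh".
gen_rules() {
    cat <<EOF
# The gateway must route the packets it does not proxy; otherwise they are dropped.
sysctl -w net.ipv4.ip_forward=1
# Only plain HTTP and HTTPS arriving from the LAN side are handed to Squid.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_HTTP_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_HTTPS_PORT
# Deliberately no rule for other ports: SMTP, DNS, UDP and the rest leave
# PREROUTING untouched and are routed normally (no DNAT needed).
# Permit forwarding of that traffic and source-NAT it to this host so replies
# come back through this gateway; Cloud NAT then handles the external hop.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE
EOF
}
```

Run `gen_rules` once to review the output; the FORWARD rules matter because a default DROP policy in the filter table is the usual reason "the rest of the ports" silently disappear even when the nat rules look right.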