Route HTTP and HTTPS traffic to proxy

Remember that all workstations in our network have our router, IP address 10.0.0.1, set as their default gateway. This means that when a browser opens an HTTP (or HTTPS) connection to some web server on the Internet, the traffic from that workstation to port 80 (or 443) is actually sent to our router. We are going to reroute that traffic to a separate proxy box at 10.0.0.10.

Step 1. Create alternative routing table

Re-routing of the HTTP and HTTPS traffic is done using an alternative routing table. Open /etc/iproute2/rt_tables in your favorite text editor and add a new line, 201 proxy, at the end of it. Make sure the number 201 is unique throughout the rt_tables file: it is the table number that the routing commands will reference later.

# reserved values
255     local
254     main
253     default
0       unspec

# local
#1      inr.ruhep
201     proxy

Step 2. Mark packets to ports 80 and 443

For the packets to be routed through the routing table we created in the previous step, we need to mark them. Marking is done in the mangle table, in the PREROUTING chain. Add the following lines to the *mangle section of the /etc/network/iptables firewall definition file (see the complete listing at the bottom).

# no need to mark HTTP and HTTPS packets coming from proxy box, just accept them right away
-A PREROUTING -i ens33 -p tcp --dport 80  -s 10.0.0.10 -j ACCEPT
-A PREROUTING -i ens33 -p tcp --dport 443 -s 10.0.0.10 -j ACCEPT

# first mark HTTP and HTTPS packets coming from the rest of the LAN
-A PREROUTING -i ens33 -p tcp --dport 80  -j MARK --set-mark 5
-A PREROUTING -i ens33 -p tcp --dport 443 -j MARK --set-mark 5

# then accept those marked packets too
-A PREROUTING -m mark --mark 5 -j ACCEPT

Step 3. Route marked packets using alternative routing table

Marked packets that are to be re-routed to the proxy box 10.0.0.10 need to use the alternative routing table 201 proxy. The easiest way to do that is to add two commands as additional post-up steps for the LAN network card in the /etc/network/interfaces file (see the complete listing at the bottom): the first installs a default route via the proxy box into table proxy, the second adds a policy rule that sends packets carrying fwmark 5 to that table.

auto ens33
iface ens33 inet static
    address 10.0.0.1
    netmask 255.0.0.0
    post-up ip route add default via 10.0.0.10 dev ens33 table proxy
    post-up ip rule add fwmark 5 table proxy

Step 4. Enable packet forwarding from LAN into LAN

The final step is to allow our router to actually forward packets arriving on the LAN network card back out into the LAN. This might seem strange at first, because a router usually forwards packets from the LAN to the WAN. In our case, though, we are forwarding packets coming from workstations in our LAN to a proxy box that is also in our LAN.

You need to modify the /etc/network/iptables firewall definition file by adding the following line above the -A FORWARD -j DROP rule in the *filter table, FORWARD chain (see the complete listing at the bottom).

# forward from LAN to proxy box on the LAN (TODO: how to allow forwarding only with FWMARK set???)
-A FORWARD -i ens33 -o ens33 -j ACCEPT
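
Added here as a verification script (not part of the original tutorial), the following checks the outcome of Steps 1 to 4 by parsing the text of rt_tables, ip rule show, ip route show table proxy and iptables-save, using the tutorial's own table number, mark and addresses; the sample outputs at the bottom are constructed. It also accepts the FORWARD rule in the narrower form qualified with -m mark --mark 5, which is the answer to the TODO in the comment above: the mark set in the mangle PREROUTING chain survives the routing decision and can still be matched in the filter FORWARD chain.

```shell
#!/bin/sh
# Each check is a pure text filter over stdin, so it runs on captured output as
# well as on the live router. Assumed values match the tutorial: table 201
# "proxy", fwmark 5, proxy box 10.0.0.10, LAN interface ens33.
PROXY_IP=10.0.0.10; LAN_IF=ens33; MARK=5; TABLE=proxy; TABLE_ID=201
HEXMARK=0x$(printf '%x' "$MARK")   # ip(8) and iptables-save print marks in hex

# Step 1: /etc/iproute2/rt_tables must map 201 to proxy exactly once.
rt_tables_ok() {
    n=$(grep -Ec "^[[:space:]]*${TABLE_ID}[[:space:]]+${TABLE}[[:space:]]*$" || true)
    [ "$n" -eq 1 ]
}
# Step 3a: 'ip rule show' must send fwmark 5 packets to the proxy table.
ip_rule_ok() {
    grep -Eq "fwmark ${HEXMARK}(/[^ ]+)? lookup ${TABLE}([[:space:]]|$)"
}
# Step 3b: 'ip route show table proxy' must point the default route at the proxy box.
ip_route_ok() {
    grep -Eq "^default via ${PROXY_IP} dev ${LAN_IF}( |$)"
}
# Step 4: 'iptables-save' must carry the LAN-to-LAN FORWARD accept, either as
# written in the tutorial or narrowed to marked packets only with
# '-m mark --mark 5' (the mark from mangle PREROUTING is still visible here).
forward_ok() {
    grep -Eq "^-A FORWARD -i ${LAN_IF} -o ${LAN_IF}( -m mark --mark ${HEXMARK}(/0xffffffff)?)? -j ACCEPT$"
}
# Runs all four checks; the arguments are the four text sources in order.
check_all() {
    printf '%s\n' "$1" | rt_tables_ok || return 1
    printf '%s\n' "$2" | ip_rule_ok   || return 1
    printf '%s\n' "$3" | ip_route_ok  || return 1
    printf '%s\n' "$4" | forward_ok   || return 1
}

# Constructed samples of the four sources on a correctly configured router.
SAMPLE_RT_TABLES='255 local
254 main
201 proxy'
SAMPLE_IP_RULE='0:      from all lookup local
32765:  from all fwmark 0x5 lookup proxy
32766:  from all lookup main'
SAMPLE_IP_ROUTE='default via 10.0.0.10 dev ens33'
SAMPLE_IPT_SAVE='-A FORWARD -i ens33 -o ens32 -j ACCEPT
-A FORWARD -i ens33 -o ens33 -m mark --mark 0x5 -j ACCEPT
-A FORWARD -j DROP'
# On the router itself run instead:
#   check_all "$(cat /etc/iproute2/rt_tables)" "$(ip rule show)" \
#             "$(ip route show table proxy)" "$(iptables-save)"
```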

Router configuration files listings

For your reference, here are complete listings of all configuration files involved.

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# the WAN network interface
auto ens32
iface ens32 inet dhcp

# the LAN network interface
auto ens33
iface ens33 inet static
    address 10.0.0.1
    netmask 255.0.0.0
    post-up ip route add default via 10.0.0.10 dev ens33 table proxy
    post-up ip rule add fwmark 5 table proxy

/etc/network/iptables

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

#
# ens32 - is WAN
# ens33 - is LAN
#

# enable NAT
-A POSTROUTING -o ens32 -j MASQUERADE

COMMIT

*mangle

# no need to mark HTTP and HTTPS packets coming from proxy box, just accept them right away
-A PREROUTING -i ens33 -p tcp --dport 80  -s 10.0.0.10 -j ACCEPT
-A PREROUTING -i ens33 -p tcp --dport 443 -s 10.0.0.10 -j ACCEPT

# first mark HTTP and HTTPS packets coming from the rest of the LAN
-A PREROUTING -i ens33 -p tcp --dport 80  -j MARK --set-mark 5
-A PREROUTING -i ens33 -p tcp --dport 443 -j MARK --set-mark 5

# then accept those marked packets
-A PREROUTING -m mark --mark 5 -j ACCEPT

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# allow loopback connections to itself, fully allow ICMP
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT

# allow all established connections
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable

# DNS accept from LAN
-A INPUT -i ens33 -p tcp --dport 53 -j ACCEPT
-A INPUT -i ens33 -p udp --dport 53 -j ACCEPT

# SSH accept from LAN and WAN
-A INPUT -i ens33 -p tcp --dport 22 -j ACCEPT
-A INPUT -i ens32 -p tcp --dport 22 -j ACCEPT

# DHCP client requests - accept from LAN
-A INPUT -i ens33 -p udp --dport 67:68 -j ACCEPT

# drop all other inbound traffic
-A INPUT -j DROP

# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# forward from LAN to WAN
-A FORWARD -i ens33 -o ens32 -j ACCEPT

# forward from LAN to proxy box on the LAN (how to allow forwarding only with FWMARK set???)
-A FORWARD -i ens33 -o ens33 -j ACCEPT

# drop all other forwarded traffic
-A FORWARD -j DROP

COMMIT

Good, our router setup is now complete. All traffic from workstations to ports 80 and 443 should now be re-routed to the proxy box. Reboot your router now and continue with setting up the proxy box on the next page.