
I have an Apache web server set up which listens on port 4000 and I want to use this (local) server as a kind of proxy.

The idea is to redirect all the local outgoing HTTP traffic (port 80) to my server at 127.0.0.1:4000. Of course, the server must be able to send requests on port 80.

I tried to update iptables like this:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:4000 

Obviously it does not work because the traffic from my server is also redirected to itself.

The question is: how can I only authorize HTTP requests from my server?

Example:

  1. A request is sent to www.google.com
  2. The request is redirected to my server (127.0.0.1:4000)
  3. The server receives the request, does some stuff, then sends a request to www.google.com

I managed to do the first part (2.) but because of that my server cannot access www.google.com as it is also redirected to itself.

  • Not sure I understand the question. Are you saying you only want local clients to connect to the webserver? Why not just configure apache to listen on that port and do Host-based access control in httpd.conf? Commented Dec 26, 2014 at 17:57
  • @Bratchley What I want is to redirect all HTTP requests to my server and then let my server forward the request to an outside website (i.e. Google.com). I am aware that it is pointless as it is done locally but it is just for demo purposes. Commented Dec 26, 2014 at 18:00
  • @Bratchley As my post was not very clear I added an example. Commented Dec 26, 2014 at 18:14
  • Haven't done this before but have you tried adding an iptables rule earlier than your DNAT rule so that it exits without reaching the DNAT if the source port is the one associated with the proxy? Commented Dec 26, 2014 at 18:16
  • If you can't match on the source port (dynamically allocated) you might try matching based on --uid-owner supposing that's unique to the application doing the proxy. Commented Dec 26, 2014 at 18:18

2 Answers

It's not a good idea to use netfilter for that. You need a reverse proxy[1], such as the one nginx or apache can provide.

If you wish to use iptables, you could filter on the incoming interface like:

iptables -t nat -A OUTPUT -i eth0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:4000 

[1] http://nginx.com/resources/admin-guide/reverse-proxy/

  • I totally agree that it would be better with a reverse proxy but as it is just for a basic demo I want to make it as easy as possible. Commented Dec 27, 2014 at 7:59

According to @Bratchley's comments, I managed to make it work by adding the --uid-owner option.

This is the command that I use:

iptables -t nat -A OUTPUT -m owner --uid-owner 1000 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:4000 

As the apache server has a specific user, only the traffic from the uid 1000 is redirected.
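The same owner-match idea in its general form, as an added example that is not code from the question or either answer: rather than naming the one uid whose traffic should be redirected, exclude the proxy's own uid with `! --uid-owner`, so every other local user is redirected and the proxy itself can still reach port 80. The owner match only works on locally generated packets, which is exactly what the nat OUTPUT chain sees. The user name `www-data` and port 4000 are assumptions; the rule is only applied when APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example: redirect all local outbound HTTP to a proxy on 127.0.0.1:PORT,
# except packets generated by the proxy's own uid (so it can reach the origin).
# Assumed names: PROXY_USER is the account Apache runs as, PROXY_PORT its port.

PROXY_USER="${PROXY_USER:-www-data}"
PROXY_PORT="${PROXY_PORT:-4000}"

# Build the match/target part of the nat OUTPUT rule for a given uid and port.
# "! --uid-owner" negates the owner match: everyone but the proxy is redirected.
rule_args() {
    uid="$1"
    port="$2"
    printf '%s' "-p tcp --dport 80 -m owner ! --uid-owner $uid -j DNAT --to-destination 127.0.0.1:$port"
}

# Apply the rule idempotently: "iptables -C" reports whether an identical rule
# already exists, so re-running the script does not stack duplicate DNAT entries.
apply_rule() {
    uid=$(id -u "$PROXY_USER") || { echo "unknown user: $PROXY_USER" >&2; return 1; }
    # The rule string is deliberately left unquoted so it splits into arguments.
    if iptables -t nat -C OUTPUT $(rule_args "$uid" "$PROXY_PORT") 2>/dev/null; then
        echo "rule already present"
    else
        iptables -t nat -A OUTPUT $(rule_args "$uid" "$PROXY_PORT")
    fi
    # Dump the chain so the exclusion of the proxy uid can be verified.
    iptables -t nat -S OUTPUT
}

# Only touch the firewall when explicitly asked for (requires root).
if [ "${APPLY:-0}" = "1" ]; then
    apply_rule
fi
```

Run `APPLY=1 sh redirect.sh` as root to install the rule; without APPLY the script only defines the functions.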
