Running OS 6.2 on a CCR1036-12G-4S box.
I’ve been reading similiar questions to what I need, but not getting prerouting with port forwarding to work.
I need to translate destination port 80 to 8080 with the following configuration. Have done it before, but missing something.
/ip firewall mangle> add chain=prerouting src-address=10.10.1.73/32 action=mark-routing new-routing-mark=Squid passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=10.10.1.56 routing-mark=Squid
With rules written as is you are forwarding all traffic from the 10.10.1.73/32 to 10.10.1.56. I’m assuming 10.10.1.56 is your squid proxy. What port is squid listening on? Right now your users on the 10.10.1.73/32 subnet are trying to talk to the server with default ports (80) etc. You need to setup a iptables rule on the squid server to redirect all port 80 traffic to 8080. In my example in this post i forwarded port 80 traffic on my squid box to 8080. Your rule would look like this on the squid box:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.1.56:8080
Another thing you may consider is you are forwarding all traffic to the squid box, not just http traffic. Any traffic outside the http scope (tcp port 80) will timeout. The squid box doesn’t know what to do with said traffic unless you have other tables setup accordingly. If you want to simply proxy http traffic here is my suggested config:
/ip firewall mangle add chain=prerouting action=mark new-routing-mark=Squid passthrough=yes protocol=tcp src-address=10.10.1.73/32 dst-port=80 comment="Mark http traffic for proxy"
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.1.56 routing-mark=Squid scope=30 target-scope=10 comment="Route http marked traffic to proxy server"
And dont forget to make a iptables rule on your squid box to redirect the port 80 traffic we just handed off to it to the port squid is listening on
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.1.56:8080
An alternative to this is to switch squid to listen on port 80. If your running a web server on the same box obviously this isn’t a choice. Hope this helps.
Thnaks for the reply. That worked for simple http traffic, but not https. I added a 2nd rule when things did not work:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.10.1.56:8080
This caused ssl string errors on the client. However, if I simply set the proxy manually to port 8080 on a client (without added iptable rules) it works fine for http and https. Is there a way to redirect port 80 and 443 traffic to port 8080, using prerouting, or possibly another way to accomplish the same?