
Re: nftables transparent proxy for outbound connections on a server



On Sun, Dec 11, 2022 at 06:27:53AM +0000, Andre Rodier wrote:
> Good morning, all.

Good Morning Andre,
> 
> Is there anyone around to help me to set up a transparent proxy on Debian, please?
> 
> I have tinyproxy running on my server, and I would like, with nftables,
> to intercept any outbound web traffic (tcp ipv4.ipv6),
> and to redirect to the proxy on 127.0.0.1:8888.
> 
> So far, I have seen these examples online:
> 
> > ...
> > chain prerouting {
> >   type nat hook prerouting priority dstnat; policy accept;
> >   tcp dport { 80, 443 } counter dnat ip to 127.0.0.1:8888
> >   tcp dport { 80, 443 } counter dnat ip6 to [::1]:8888
> > }
> > ...
> 
> Or sometimes, I see using redirect or even tproxy

If you want to intercept encrypted traffic, it might be helpful to
study how privoxy is doing that. In the past privoxy has been fine for
filtering http traffic. Nowadays it is extended to https, too. It
needs self-certified key stuff. I have not tried it so far, but it
does decryption of the incoming traffic for filtering and it does
encryption of the filtered traffic to the browser side.
> 
> What is the best nftables approach, please?
> 
> Can you copy and paste what you are using?

Unfortunately I have no idea about those approaches.

Kind regards,
Christoph
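
The setup asked about above, as an added example that is not part of the thread and was not written by either poster: an nftables ruleset that redirects the server's own outbound HTTP to a local proxy on port 8888. The table name and the proxy account name `tinyproxy` are assumptions, as is a proxy that accepts transparently redirected requests.

```nftables
#!/usr/sbin/nft -f
# Added example. Table name "transparent_proxy" and account name
# "tinyproxy" are assumptions; adjust them to the local system.

table inet transparent_proxy {
    chain output {
        # Traffic generated on the server itself traverses the output
        # hook. The prerouting hook only sees packets arriving from
        # other hosts, so rules placed there never match local traffic.
        type nat hook output priority -100; policy accept;

        # Let the proxy's own upstream connections through untouched,
        # otherwise they are redirected back into the proxy in a loop.
        meta skuid "tinyproxy" return

        # Leave connections to loopback services alone.
        ip daddr 127.0.0.0/8 return
        ip6 daddr ::1 return

        # Redirect plain HTTP to the local proxy port. In the output
        # hook, redirect rewrites the destination to the loopback
        # address of the packet's family, so the proxy has to listen on
        # 127.0.0.1:8888 for IPv4 and on [::1]:8888 for IPv6.
        tcp dport 80 counter redirect to :8888

        # Port 443 is deliberately not redirected: a redirected
        # connection starts with a TLS handshake, which a plain HTTP
        # proxy cannot parse. Handling it needs a proxy that terminates
        # TLS with its own CA, as described for privoxy in the reply.
    }
}
```

The ruleset can be syntax-checked without loading it using `nft -c -f <file>`, and the `counter` on the redirect rule shows in `nft list ruleset` whether traffic is matching.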

