How to do iptables routing in XG Firewall?

As a new user of XG Firewall Home Edition I'm having a hard time understanding where/how to translate and insert the following iptables rules in the UI:

# Route all HTTP traffic to Squid listening on 10.10.10.8:3128
# (--dport takes only a port; the destination address goes in -d)
iptables -t nat -I PREROUTING -d y.y.y.y -p tcp --dport 80 -j DNAT --to-destination 10.10.10.8:3128

# Route all HTTPS traffic to Squid listening on 10.10.10.8:3129
iptables -t nat -I PREROUTING -d y.y.y.y -p tcp --dport 443 -j DNAT --to-destination 10.10.10.8:3129

My XG Firewall is located at 10.10.10.1 and what I want to do is basically route all HTTP/HTTPS traffic from LAN (10.10.10.0/24) to my Squid proxy listening on 10.10.10.8. I did try using the Upstream Proxy (Routing > Upstream Proxy) but somehow the connection speed dropped significantly and it only worked for HTTP.

Thanks in advance.

  • Hi,

    If you want to use the XG proxy, force everything through it either by setting up a proxy.pac file that changes the browser's default port to 3128 (or something else, which you can change on the XG), or just use a firewall rule with HTTP/S, tick the proxy box, and no other ports.

    Ian

  • So you need an SD-WAN rule to route the traffic to the interface, if needed.

    You need a NAT rule to translate the traffic to the destination and change the port.

    You need a firewall rule to allow the translated traffic.

    Afterwards you need to verify via tcpdump that your traffic is being translated and uses the correct interface.

    You could verify this via conntrack as well.

    PS: An XG can handle all kinds of requests itself in terms of web caching. There would be no need to use an old proxy technology.

    The Internet is moving to TLS 1.3.

    About caching:

    https://www.senki.org/transparent-web-caching-dead/

    This is kind of old but still true, talking about TLS 1.3 etc.
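The rule set below is an added example, not code from the thread, from Sophos, or from Squid. It spells out, in plain iptables, what the original post asks for and what the reply above breaks down into NAT rule, firewall rule and verification: the two DNAT rules, the SNAT hairpin that is needed because the clients (10.10.10.0/24) and the Squid box (10.10.10.8) sit on the same subnet, the FORWARD rules that let the translated flows through, and the tcpdump/conntrack checks. Addresses and ports are the ones in the thread; the LAN interface name `eth1` and the assumption that Squid runs 3128/3129 in intercept mode are mine.

```shell
#!/bin/sh
# Added example (not from the thread): transparent redirect of LAN HTTP/HTTPS
# to a Squid host on the same subnet, expressed as reviewable iptables rules.
# Addresses and ports are the thread's; the LAN interface name is assumed.
LAN_IF="eth1"              # assumption: the firewall's LAN interface
LAN_NET="10.10.10.0/24"
FW_IP="10.10.10.1"
PROXY_IP="10.10.10.8"
HTTP_PORT=3128             # Squid http_port ... intercept (assumed)
HTTPS_PORT=3129            # Squid https_port ... intercept ssl-bump (assumed)

# Emit the rules as text so they can be reviewed or diffed before running.
transparent_proxy_rules() {
    cat <<EOF
# 1. Never redirect the proxy's own outbound traffic: Squid's upstream fetches
#    on 80/443 would otherwise be sent straight back to Squid (a loop).
iptables -t nat -A PREROUTING -i $LAN_IF -s $PROXY_IP -j ACCEPT
# 2. DNAT: LAN clients' port 80/443 flows are rewritten to the Squid ports.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$HTTP_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j DNAT --to-destination $PROXY_IP:$HTTPS_PORT
# 3. SNAT: client and proxy share a subnet, so without this Squid would answer
#    the client directly; the client would see a SYN/ACK from the wrong
#    address and port and reset the connection.
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp -m multiport --dports $HTTP_PORT,$HTTPS_PORT -j SNAT --to-source $FW_IP
# 4. Filter: the DNAT is useless if FORWARD drops the translated flows.
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp -m multiport --dports $HTTP_PORT,$HTTPS_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# The checks suggested in the reply: watch translated packets leave for Squid,
# and list conntrack entries whose original destination port was 80 or 443
# (their reply side shows the Squid address and port after translation).
verify_commands() {
    cat <<EOF
tcpdump -ni $LAN_IF "tcp and dst host $PROXY_IP and (dst port $HTTP_PORT or dst port $HTTPS_PORT)"
conntrack -L -p tcp --dport 80
conntrack -L -p tcp --dport 443
EOF
}

case "${1:-}" in
    --apply)  transparent_proxy_rules | sh -e ;;   # needs root
    --verify) verify_commands ;;
    *)        transparent_proxy_rules ;;            # default: just print
esac
```

Two consequences of this layout are worth knowing before copying it into any UI: the SNAT in step 3 means Squid's access log records the firewall address (10.10.10.1) for every client unless Squid is moved onto its own interface or subnet, where the hairpin is no longer needed; and port 443 can only be proxied this way if Squid is built with ssl-bump and every client trusts its CA certificate, otherwise it can at most splice on the SNI, which is the limit the reply's TLS 1.3 remark is pointing at.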