Reputation: 364
I have three boxes: a Linux client, an OpenWRT router, and a Squid server. I'm trying to get the web traffic of the client (which is connected to the router) to go through the proxy server without any client configuration.
Using this iptables rule on the router seems to make the client traffic go to the proxy just fine (I can see the request in the access.log):
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to $PROXY_IP:3128
But the traffic doesn't seem to make it back to the client. I get this error on the client's web browser:
The requested URL could not be retrieved. Invalid URL
It almost looks like the hostname is missing by the time it gets back to the client. Am I missing an iptables rule? On the router or on the proxy server? Or do I need to set a route?
My end goal is to have dansguardian running on the proxy server. The router is not powerful enough to run the filter and that is why I have a separate server for that.
Upvotes: 1
Views: 7159
Reputation: 364
Got it to work!
The only iptables rule I needed on the router was:
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to $PROXY_IP:8080
And the rules I needed on the squid/dansguardian server were:
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
After creating those rules, I was able to see the client's traffic in the /var/log/squid3/access.log and /var/log/dansguardian/access.log logs, and all of the client's traffic was coming back through just fine (with the web content filtering working perfectly).
Upvotes: 1
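The "Invalid URL" page in the question is consistent with a redirected browser request reaching a listener that expects proxy-style requests. The following is an added example, not part of the original posts and not Squid or DansGuardian code: a minimal model of how a proxy derives the target URL from the request line, with and without interception handling. It assumes the port 3128 listener was a plain forward-proxy port; the function names and sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

class InvalidURL(Exception):
    """Raised where a proxy would answer with an 'Invalid URL' error page."""

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    try:
        method, target, _version = lines[0].split(" ")
    except ValueError:
        raise InvalidURL("malformed request line") from None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def effective_url(raw: bytes, intercept: bool) -> str:
    """Return the URL the proxy would fetch, or raise InvalidURL."""
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        return target  # absolute-form: what a proxy-configured browser sends
    if not target.startswith("/"):
        raise InvalidURL("unsupported request target: " + target)
    # origin-form: what a browser sends when it believes it talks to the site
    if not intercept:
        raise InvalidURL("origin-form target on a forward-proxy port")
    # Host is client-supplied; after DNAT it is the only place the name survives.
    host = headers.get("host")
    if not host:
        raise InvalidURL("origin-form target without a Host header")
    return "http://" + host + target

# Constructed sample requests (not captured traffic).
DIRECT = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
PROXIED = b"GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (DIRECT, PROXIED, NO_HOST):
        for intercept in (False, True):
            try:
                print(intercept, effective_url(req, intercept))
            except InvalidURL as exc:
                print(intercept, "Invalid URL:", exc)
```

Because the rebuilt URL rests entirely on a client-supplied `Host` header, the filter's allow and deny decisions in this layout are made on a value the client controls.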