iptables squid port redirection

I have recently installed openSuSE 12.3 with two NICs to be used as External and Internal zones. I wished to use the Box as a proxy (squid). I have written acls in the squid.conf.
The problem is how to add the following 2 lines
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
where to add them and how to make it work.
Please help I have tried a lot but unable. Iptables-save works but iptables-restore get hangs.
I tried to change in the /sbin/SuSEfirewall2, no luck
I didnt get how that can be added through yast-firewall.

Best Regards,

The openSUSE script is quite well documented - you should have a look at it:


Please try and use CODE tags around commands.

Second, I would not mix self build firewall rules with the ones set through the openSUSE script’s one (SuSEFirewall2) - you risk getting your rules deleted when services will restart. Instead use the “custom rules” location.

So, what you try to achieve is possible by adding your own changes in the “custom rules” file (I do not remember it’s location now but I am sure it’s written in the script - see the second link below - there is a picture with “custom rules” in YaST) or… you can use the script’s built-in ‘redirect’ feature:


meaning: the network sending requests through this machine to the “world” (0/0), on tcp port 80, will be redirected to this machine on port 3128

See more about it: Chapter

More about the firewall: openSUSE 12.3: Chapter 13. Masquerading and Firewalls

Cheers and good luck

I don’t see the logic for

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

why would you redirect the firewall’s / server http request to the proxy? (I assume eth0 is the EXTERNAL interface)

Thank you!!


helped me to redirect to the squid. However, im wondering with a strange problem, that is, the squid blocks all the sites even the

#http_access deny all

is commented , and

http_access allow all

is without comment.
Tried many times, restarting squid after every changes i made, but no luck. Why this happens??
My squid.conf is like this:


http_access allow all

# acl block src "/etc/squid/acls/blocked_sites.acls"

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet

# Allow localhost always proxy functionality
http_access allow localhost

# And finally deny all other access to this proxy
# http_access deny block
# http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir aufs /var/cache/squid 100 16 256

best Regards,

After adding transparent in http_port 3128, as below, the requests redirects through proxy.

# Squid normally listens to port 3128
http_port 3128 transparent

I want to block some sites defined in /etc/squid/acls/blocked_sites.acl file

acl block src "/etc/squid/acls/blocked_sites.acl"
http_access deny block

The web sites defined in the file are not blocked.


Where and how to define them in squid.conf? Please Help


First, I didn’t check your previous post so I do not know why adding transparent did help - double check that your proxy is NOT open wide since you will be prone to abuse (this unless you want to configure a proxy for internet users of course).

Second, please read again the docs you read already and the link I gave you and be sure you understand what your are doing. :slight_smile:

Third, your rule does not work because you defined your ACL as source (“src”) and you actually want to block the destination (“dst”). - I think it’s actually dstdomain :):

acl my_denied_domains dstdomain "//etc/squid/myacls/denied_domains.acl"

http_access deny my_denied_domains

then in:

>less /etc/squid/myacls/denied_domains.acl

you should have your:


As about the position: please read again the link doc I gave you - there is a paragraph there telling you where to put your rules “for the sake of readability” IIRC.

I wouldn’t go that way too much because it’s a **** hard work, instead I would suggest you have a look at squidGuard or other redirector and find some good block lists: Blacklists UT1 or use some paid ones.

Cheers and good luck.