Iptables to allow outgoing from docker container, redirect everything else

Hi all,

I am currently trying to set up a docker squid container as a transparent proxy on my local machine. I am very close but I think I am missing one additional rule to prevent the issue I am seeing.

On squid I am exposing ports 3129 and 3130 as the intercept ports for http and https, respectively. I have the following iptables rules on my host:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-port 3130

This mostly works, except that it seems the outgoing traffic from docker gets redirected as well, causing a forwarding loop. What I want is any traffic originating from my local machine gets redirected to the squid proxy, and anything coming from my docker container gets accepted. Hence the need for the additional rule. The problem is, I am not that familiar with how docker networking works, and from looking at wireshark, it is still not that clear to me.

Anyone know how I might go about doing this?


Is there a reason why you don't just map the ports the docker way?
docker run … -p 80:3129 -p 443:3130 imagename

There is a misunderstanding. I am not wanting to simply expose the ports, I want to redirect outgoing traffic to squid. As in, if I try to access the web from my local machine, it should be forced through the proxy.

Anyways, after some more playing with wireshark I believe I solved the problem… I added a rule to -j ACCEPT any traffic from the source network of the bridge interface. Now the forwarding loop is gone.

Sorry for posting preemptively, this is now solved.

Oops, I spoke too soon. The forwarding loop is still happening.

I wonder how I can match traffic that originates from a docker host and is going to the internet.
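One way to lay out the exclusions for the two REDIRECT rules in the first post, and to match the host-side traffic the last post asks about, as an added example that is neither the poster's nor squid's own configuration. It assumes the squid container sits on the default docker0 bridge (172.17.0.0/16); the check function verifies on a live host that the exclusions were loaded above the REDIRECTs in the nat OUTPUT chain.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumes the squid container is on the
# default docker0 bridge, 172.17.0.0/16 (override with BRIDGE_NET), and that squid
# listens on 3129/3130 as in the thread.
BRIDGE_NET="${BRIDGE_NET:-172.17.0.0/16}"

# Print the nat OUTPUT rules in load order. nat OUTPUT only sees packets the host itself
# generates; the RETURN exclusions must be loaded before the REDIRECTs because the first
# terminating match wins. A bridged container's own outbound packets arrive on docker0
# and traverse PREROUTING/FORWARD instead, so they never reach this chain at all.
proxy_rules() {
  cat <<EOF
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -o docker0 -j RETURN
iptables -t nat -A OUTPUT -d $BRIDGE_NET -j RETURN
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 3130
EOF
}

# Read an "iptables -t nat -S OUTPUT" listing on stdin; exit 0 only if no RETURN
# exclusion appears after a REDIRECT, i.e. the ordering above survived on the live box.
check_order() {
  awk '
    /-j REDIRECT/ { seen_redirect = 1 }
    /-j RETURN/ && seen_redirect { bad = 1 }
    END { if (bad) exit 1; exit 0 }
  '
}

# Constructed listing with the broken order (exclusion loaded after the REDIRECT),
# the shape a practitioner sees after appending a fix to an already-loaded chain.
bad_listing() {
  printf '%s\n' \
    '-P OUTPUT ACCEPT' \
    '-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129' \
    '-A OUTPUT -o docker0 -j RETURN'
}

# Exit 0 if the ruleset printed by proxy_rules, once loaded, would pass check_order.
# Strips the command prefix so the lines resemble the -S rendering the check expects.
self_check() {
  proxy_rules | sed 's/^iptables -t nat //' | check_order
}
```

Load with `proxy_rules | sh` as root and audit with `iptables -t nat -S OUTPUT | check_order`. If squid instead runs with host networking, its own connections are locally generated and the usual exclusion is `-m owner --uid-owner <squid user> -j RETURN` placed on the same chain ahead of the REDIRECTs.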