Privoxy ipv6 redirect rule for the firewall

I have privoxy set up to do some simple forwarding of some domains to an external proxy. It mostly works, but there are some issues caused by ipv6. This is my firewall rule:

config redirect
	option src lan
	option proto tcp
	option src_dport 80
	option dest_port 8118
	option dest_ip

I think this only forwards ipv4 requests to privoxy, and ipv6 requests go directly out to the network, from my observations. If I disable ipv6 on the router, or use the privoxy proxy explicitly in the browser, things work as expected. The automatic redirection of ipv6 isn't happening from what I can tell.

This seems to be the closest github issue that I found:

Any way to do this directly with ip6tables @jow @hnyman ?

As a workaround, I have forced dnsmasq to only return ipv4 for the problematic domain. That seems more acceptable than disabling ipv6 entirely on the network.

Hey there.

Are you trying to use Privoxy in transparent mode and use DNS to resolve foreign domains to your Privoxy instance?

I wouldn't do that at all. As soon as one of those foreign domains starts using HTTPS, Privoxy would need to run with proper certificates for those foreign domains to make browsers not complain. Which isn't an easy task for most personal network environments.

Better run a wpad config file which tells the browser to use the proxy for some distinct domains and don't use the proxy for others.
Since the decision about using the proxy isn't done by some almighty network configuration but by the browser itself, the browser's fine with using an HTTP proxy with CONNECT method although it's actually trying to reach some HTTPS destination.
So you make clear to the browser that it's using a proxy and all certificate issues are gone.

I know this is not a direct answer to your question, but I believe it's a better way to do what you actually want.
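
The WPAD approach suggested in the reply above, sketched as a proxy auto-config (PAC) file; this is an added example, not part of the original thread. The router address 192.168.1.1 and the domain list are constructed placeholders, and 8118 is the Privoxy port from the redirect rule in the question.

```javascript
// Added example: PAC file, typically served to browsers as wpad.dat.
// Assumptions (not from the thread): 192.168.1.1 and the domains below
// are constructed placeholders; 8118 is the Privoxy port from the rule above.
var PRIVOXY = "PROXY 192.168.1.1:8118";

// Constructed sample list of domains that should go through Privoxy.
var PROXIED_DOMAINS = ["journals.example.org", "example.edu"];

// True when host equals domain or is a subdomain of it. Matching on a
// label boundary keeps "notexample.edu" from matching "example.edu".
function hostInDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.length > domain.length &&
         host.slice(-(domain.length + 1)) === "." + domain;
}

// Entry point the browser calls for every request. The decision is made
// on the hostname, so it does not depend on whether the site resolves to
// an IPv4 or IPv6 address, and https URLs reach the proxy via CONNECT.
function FindProxyForURL(url, host) {
  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    if (hostInDomain(host, PROXIED_DOMAINS[i])) {
      return PRIVOXY; // no "; DIRECT" fallback: fail closed if the proxy is down
    }
  }
  return "DIRECT";
}
```
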


Yes, I am using privoxy in transparent mode for only http traffic. I am not using DNS to do the filtering. All port 80 traffic goes to privoxy. privoxy then forwards some of it to a parent squid proxy. You are right about the https problem with transparent mode. Luckily, for my use case, I don't have too many domains that are https, mostly because they are also intentionally left as http to accommodate similar use cases I guess. My use case is that my work network has access to academic journals (for eg. I run a squid proxy on my work network, and run privoxy on my home router. I selectively forward a few domains from privoxy to squid, and it has been working satisfactorily. This was mostly a simple hack. The ipv6 issue is kinda interesting in its own right though. I'm not sure how ipv6 NAT works, and whether it can even be made to work for this. The parent squid proxy doesn't have ipv6 anyway. So that might also create other problems. For now, I'm fine with my kludge. For https, the requests in this setup still work fine; they just don't go through privoxy. So in my case, I would see something like a paywall. That's ok for now, since nothing major that I care about is behind https.