- 12-03-2004 #1Just Joined!
- Join Date
- Jul 2003
- Posts
- 9
iptables+transparent proxy
Hello forums,
I have the following question:
i have 2 boxes:
1)linux gateway -192.168.0.1
2)bsd squid proxy -192.168.0.2
I forward all incoming connections to port 80 from local users to the squid proxy server with these rules:
iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.0.2 -p tcp --dport 80 -j DNAT --to 192.168.0.2:8080
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.2 -i eth0 -o eth0 -p tcp --dport 8080 -j ACCEPT
Connections to other services (ftp, pop3, etc) are handled by gateway.
Everything works fine.
But now I want one client (let's say 192.168.0.3) to connect straight through the gateway, while all other clients from the 192.168.0.0 network are pushed through the proxy as before.
Can anyone think of solution for this?
Thank you.
- 12-03-2004 #2
You could specify a range of IPs that you allow to access the internet without proxy (as well as ranges to access with proxy) and just use ranges vs. the whole subnet in your matching.
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy
- 12-06-2004 #3Just Joined!
- Join Date
- Jul 2003
- Posts
- 9
I've tried to make an iptables script with these rules:
user from ip 192.168.0.44 will connect through gateway
user from ip 192.168.0.149 will connect through proxy (192.168.0.2)
Here's the script:
Code:
#!/bin/sh

# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# through proxy
iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.0.2 -p tcp --dport 80 -j DNAT --to 192.168.0.2:8080
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.149 -d 192.168.0.2 -j SNAT --to 192.168.0.1
iptables -A FORWARD -s 192.168.0.149 -d 192.168.0.2 -i eth0 -o eth0 -p tcp --dport 8080 -j ACCEPT

# through gateway
iptables -t nat -A POSTROUTING -s 192.168.0.44 -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i eth0 -s 192.168.0.44
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ssh
iptables -A INPUT -j ACCEPT -p tcp --dport 22

echo 1 > /proc/sys/net/ipv4/ip_forward
But the problem is that both of them are pushed through the proxy.
I'm not an iptables guru, and as far as I can figure out, there's a problem
with "iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.0.2 -p tcp --dport 80 -j DNAT --to 192.168.0.2:8080",
but i cannot find any solution.
Thank you for your ideas.
- 12-17-2004 #4Just Joined!
- Join Date
- Dec 2004
- Posts
- 2
Try this:
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to 192.168.0.2:8080
Marcelo Chanea,
Rio de Janeiro, Brasil.
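Worked example, added by the editor and not part of the thread: the pattern reply #4 relies on, written out as a complete rule set with a per-host bypass list. The nat PREROUTING chain is walked top to bottom and DNAT is a terminating target, so a host that must not be redirected needs an ACCEPT rule placed before the DNAT rule; the proxy itself always needs one, or its own port-80 fetches would be DNATed back to it. The addresses are the thread's (gateway 192.168.0.1, squid on 192.168.0.2:8080, bypass client 192.168.0.44); the interface name and the BYPASS list are assumptions. The script prints the rules rather than running them, and includes an offline check that walks the generated PREROUTING rules the way the kernel does (first match wins) so the ordering can be verified without root.

```shell
#!/bin/sh
# Transparent squid redirect with a per-host bypass list.
# Editor's example, not code from the thread. Addresses are the thread's
# (gateway 192.168.0.1, squid on 192.168.0.2:8080, bypass host
# 192.168.0.44); LAN_IF and the BYPASS list are assumptions.
#
# Usage:  sh proxy-bypass.sh print          # show the rules
#         sh proxy-bypass.sh apply          # load them (as root)
#         sh proxy-bypass.sh check 192.168.0.44   # which nat target wins?

LAN_IF=eth0
LAN_NET=192.168.0.0/24
GATEWAY_IP=192.168.0.1
PROXY_IP=192.168.0.2
PROXY_PORT=8080
# Hosts that reach port 80 directly through the gateway. The proxy itself
# must always be listed, or its own outbound fetches would be DNATed back
# to it and loop.
BYPASS="$PROXY_IP 192.168.0.44"

# Print the rule set, one command per line, so it can be reviewed or
# piped to sh.
gen_rules() {
    echo "iptables -t nat -F PREROUTING"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"

    # 1. Exemptions first: a matched packet leaves the nat chain untouched.
    for host in $BYPASS; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $host -p tcp --dport 80 -j ACCEPT"
    done

    # 2. Everyone else on the LAN is sent to squid.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"

    # 3. Hairpin: the redirected packet goes back out the interface it came
    #    in on, so rewrite the source too; otherwise squid would answer the
    #    client directly and the client would drop the unexpected reply.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j SNAT --to-source $GATEWAY_IP"

    # 4. Everything leaving towards the Internet (bypass hosts' HTTP, all
    #    non-HTTP traffic, squid's own fetches) is masqueraded.
    echo "iptables -t nat -A POSTROUTING ! -o $LAN_IF -s $LAN_NET -j MASQUERADE"

    # Filter table: LAN->squid hairpin (dport already rewritten to 8080),
    # LAN->Internet, and replies by connection state.
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF ! -o $LAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Offline ordering check: walk the generated nat PREROUTING rules as the
# kernel would (first match wins) and print the target chosen for a source
# address; prints nothing if no rule matches. Only exact hosts and /24
# networks are modelled, which is all this rule set uses.
prerouting_target() {
    src=$1
    rules=$(gen_rules | grep -- '-t nat -A PREROUTING')
    while read -r line; do
        rule_src=${line#*-s }; rule_src=${rule_src%% *}
        target=${line#*-j };   target=${target%% *}
        matched=no
        case $rule_src in
        */24) if [ "${rule_src%.*/24}" = "${src%.*}" ]; then matched=yes; fi ;;
        *)    if [ "$rule_src" = "$src" ]; then matched=yes; fi ;;
        esac
        if [ "$matched" = yes ]; then
            echo "$target"
            return 0
        fi
    done <<EOF
$rules
EOF
    return 0
}

case "${1:-}" in
    print) gen_rules ;;
    apply) gen_rules | sh -e ;;
    check) prerouting_target "$2" ;;
esac
```

After loading, `iptables -t nat -L PREROUTING -n -v --line-numbers` shows the chain in walk order and the per-rule packet counters, which is the quickest way to confirm that the bypass host's packets are hitting the ACCEPT rule and not the DNAT. Two caveats a practitioner will want: the bypass is keyed on the source IP, which any host on the LAN can assume, so for a real exemption match the MAC as well (`-m mac --mac-source` is valid in PREROUTING); and the SNAT to the gateway address means squid sees every client as 192.168.0.1, so per-client logging and ACLs on the proxy are lost. Also, the `-s ! addr` form used in the posts above is the old syntax; current iptables expects `! -s addr`.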