  1. #1
    Just Joined!
    Join Date
    Jul 2003
    Posts
    9

    iptables+transparent proxy


    Hello forums,
    I have the following question:
    I have 2 boxes:
    1) Linux gateway - 192.168.0.1
    2) BSD Squid proxy - 192.168.0.2
    I forward all incoming connections to port 80 from local users to the Squid proxy server with these rules:

    iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.0.2 -p tcp --dport 80 -j DNAT --to 192.168.0.2:8080
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1
    iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.2 -i eth0 -o eth0 -p tcp --dport 8080 -j ACCEPT

    Connections to other services (ftp, pop3, etc.) are handled by the gateway.
    Everything works fine.
    But now I want one client (let's say 192.168.0.3) to connect straight through the gateway, while all other clients from the 192.168.0.0 network are pushed through the proxy as before.
    Can anyone think of a solution for this?
    Thank you.

  2. #2
    Linux Guru sarumont
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    You could specify a range of IPs that you allow to access the internet without proxy (as well as ranges to access with proxy) and just use ranges vs. the whole subnet in your matching.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  3. #3
    Just Joined!
    Join Date
    Jul 2003
    Posts
    9
    I've tried to make an iptables script with the following rules:
    the user at IP 192.168.0.44 will connect through the gateway;
    the user at IP 192.168.0.149 will connect through the proxy (192.168.0.2).

    Here's a script:
    Code:
    #!/bin/sh
    # Flush
    iptables -t nat -F POSTROUTING
    iptables -t nat -F PREROUTING
    iptables -t nat -F OUTPUT
    iptables -F
    
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    
    #through proxy
    iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.0.2 -p tcp --dport 80 -j DNAT --to 192.168.0.2:8080
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.149 -d 192.168.0.2 -j SNAT --to 192.168.0.1
    iptables -A FORWARD -s 192.168.0.149 -d 192.168.0.2 -i eth0 -o eth0 -p tcp --dport 8080 -j ACCEPT
    
    #through gateway
    iptables -t nat -A POSTROUTING -s 192.168.0.44 -j MASQUERADE
    iptables -A FORWARD -j ACCEPT -i eth0 -s 192.168.0.44
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #ssh
    iptables -A INPUT -j ACCEPT -p tcp --dport 22
    
    echo 1 > /proc/sys/net/ipv4/ip_forward

    But the problem is that they both are pushed through the proxy.
    I'm not an iptables guru, and as far as I can figure out, there's a problem
    with "iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.0.2 -p tcp --dport 80 -j DNAT --to 192.168.0.2:8080"
    but I cannot find any solution.
    Thank you for your ideas.

  4. #4
    Just Joined!
    Join Date
    Dec 2004
    Posts
    2

    Try this:

    iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.2 -p tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to 192.168.0.2:8080

    Marcelo Chanea,
    Rio de Janeiro, Brasil.
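To make the behaviour discussed in this thread concrete, here is an added example (not from any poster) that models the nat PREROUTING chain: rules are checked top to bottom, and the first match with a terminating target (ACCEPT or DNAT) ends traversal. It replays post #3's single DNAT rule, which matches every source except the proxy and so redirects 192.168.0.44 as well, against post #4's ACCEPT-before-DNAT pattern, extended here (an assumption, not in the thread) with an ACCEPT for the bypass client 192.168.0.44. The rule tuples and the 192.168.0.x addresses are taken from the thread; the helper names are mine.

```python
# Added example: a minimal model of iptables' nat PREROUTING first-match
# semantics, using the addresses and rules from this thread. It does not
# touch the real firewall; it only shows which rule each source hits.
from ipaddress import ip_address, ip_network


def src_matches(src, spec):
    """Match a source address against an iptables -s spec; '! x' negates."""
    negate = spec.startswith("!")
    net = ip_network(spec.lstrip("! "), strict=False)
    hit = ip_address(src) in net
    return not hit if negate else hit


def prerouting(rules, src, dport=80):
    """Walk the chain for a new connection from src to dport.

    Each rule is (src_spec, dport, target, to). Returns the DNAT
    destination 'host:port' if the packet is redirected, or None when
    the chain leaves the destination unchanged (ACCEPT, or no match).
    Note: the nat table only sees the first packet of each connection.
    """
    for src_spec, port, target, to in rules:
        if port != dport or not src_matches(src, src_spec):
            continue  # rule does not apply, try the next one
        if target == "ACCEPT":
            return None  # ACCEPT in nat: stop here, no DNAT for this flow
        if target == "DNAT":
            return to  # terminating: later rules are never consulted
    return None


# Post #3: '-s ! 192.168.0.2 ... -j DNAT', so every host but the proxy,
# including the intended bypass client .44, is redirected to Squid.
ORIGINAL = [("! 192.168.0.2", 80, "DNAT", "192.168.0.2:8080")]

# Post #4's pattern (ACCEPT the proxy first, then DNAT the subnet), plus an
# assumed extra ACCEPT for .44 so that it reaches the gateway directly.
WITH_BYPASS = [
    ("192.168.0.2", 80, "ACCEPT", None),
    ("192.168.0.44", 80, "ACCEPT", None),
    ("192.168.0.0/24", 80, "DNAT", "192.168.0.2:8080"),
]

if __name__ == "__main__":
    for src in ("192.168.0.2", "192.168.0.44", "192.168.0.149"):
        print(src, "original ->", prerouting(ORIGINAL, src),
              "| with bypass ->", prerouting(WITH_BYPASS, src))
```

The ACCEPT rules must precede the DNAT rule; appended after it they would never be reached, which is exactly the ordering trap in post #3's script.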
