* REDIRECT question
From: Ruslan Spivak @ 2003-07-11 11:09 UTC
To: netfilter
Hello!
Can you help me with the following:
I try to make REDIRECT on my local host:
$IPTABLES -t nat -N REDIRECT_CHAIN
$IPTABLES -t nat -A REDIRECT_CHAIN -p tcp --dport 80 -j REDIRECT --to-port 7080
$IPTABLES -t nat -A PREROUTING -j REDIRECT_CHAIN
When users in my LAN connect to my host's port 80 they are redirected to
7080; that is OK. But when I try on my host itself (telnet localhost 80),
I get connection refused (it looks like the redirection doesn't work). What
may be the problem?
Best regards,
Ruslan
* Re: Redirect question
From: Nikolai Lusan @ 2014-03-22 22:32 UTC
To: Danny; +Cc: netfilter
On Sat, 2014-03-22 at 15:38 +0200, Danny wrote:
> However, all internal clients can still connect to the internet if I do not tell
> them to go through the proxy.
You need to do a DNAT on the packets before they hit the net.
> How would I go about routing all the local clients to squid's port 3128?
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <squid_IP>:3128
That is the simplest way; you do need to change some of the squid
config though. These days the TPROXY method is preferred, though; you
should read http://wiki.squid-cache.org/Features/Tproxy4
Also it's worth reading more about DNAT and TPROXY in the man pages.
--
Nikolai Lusan <nikolai@lusan.id.au>
* Redirect question
From: Danny @ 2014-03-22 13:38 UTC
To: netfilter
Good day,
My setup is:
wlan0 ----> br0 -----> eth0 =====> router
internal    internal   internal
10.0.0.5    10.0.0.4   10.0.0.3   10.0.0.2
(apache:80)
(squid:3128)
(iptables)
I am running Debian 7 with a few servers on it. Everything is fine. Squid is
fine if I configure browsers to use the proxy 10.0.0.5:3128.
However, all internal clients can still connect to the internet if I do not tell
them to go through the proxy.
I have a simple iptables setup:
####################################################################################
# Generated by iptables-save v1.4.14 on Sat Mar 22 16:28:57 2014
*nat
:PREROUTING ACCEPT [76:4907]
:INPUT ACCEPT [24:1899]
:OUTPUT ACCEPT [117:9446]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Mar 3 16:28:57 2014
# Generated by iptables-save v1.4.14 on Mon Mar 3 16:28:57 2014
*filter
:INPUT ACCEPT [462:67612]
:FORWARD ACCEPT [112:5720]
:OUTPUT ACCEPT [354:42889]
-A FORWARD -s 10.0.0.0/24 -i eth0 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Mar 22 16:28:57 2014
####################################################################################
How would I go about routing all the local clients to squid's port 3128?
I have tried the following, but it doesn't work:
-t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
Thank You
Danny
* Re: Redirect Question
From: Gavin Hamill @ 2005-03-04 23:05 UTC
To: netfilter
On Friday 04 March 2005 22:59, Gary W. Smith wrote:
> We have a client moving offices and will need to migrate their DNS (and
> some of their DNS entries) over at some point in time. But for a variety
> of reasons we cannot do that. They have 16 IP's at their current location
> and will get another 16 at their new location.
>
> What we would like to do is to have the firewall rewrite or redirect all
> traffic coming in on two IP's and redirect them to two destination IP's on
> the new firewall.
Here, this should help, since I had to do exactly the same thing, although for
a single IP address (one machine moving co-lo premises):
# Make the firewall act as a non-caching TCP proxy. Useful for machine moves
# whilst DNS propagates.
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d 194.200.209.137 -j DNAT --to 213.2.4.33
# FORWARD is traversed after the DNAT, so it has to match the rewritten destination
$IPTABLES -A FORWARD -p tcp --dport 80 -d 213.2.4.33 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 80 -d 213.2.4.33 -j SNAT --to 194.200.209.137
In this case the old IP is 194.x.x.x and the new one is 213.x.x.x.
All traffic will then appear to come from the machine on the 194.x.x.x network
doing the redirecting...
gdh
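The same relay generalized to several addresses, as an added example rather than Gavin's or Gary's own script. It prints the commands for a list of OLD NEW PORT mappings instead of running them, so the result can be read before it touches a firewall; the mapping list is constructed (Gary names only 205.34.43.2 going to 206.32.43.2, the other entries are assumed). Two points a practitioner wants on top of the three rules above: the FORWARD rule has to match the post-DNAT destination because FORWARD runs after PREROUTING, and the new host sees every client as the firewall's old address, so anything on the new side that keys on client address stops being meaningful for the duration of the move.

```shell
#!/bin/sh
# Added example (not from the thread): emit DNAT/SNAT "hairpin" rules that let
# a firewall relay TCP connections for addresses it still owns (OLD) to the
# hosts that replaced them elsewhere (NEW). Nothing is executed; the output
# is meant to be read, then run. Needs net.ipv4.ip_forward=1 on the firewall.

# hairpin_rules OLD NEW PORT: print the rules for one OLD:PORT -> NEW:PORT map.
hairpin_rules() {
    old=$1 new=$2 port=$3
    # Rewrite the destination before the routing decision, so the packet is
    # forwarded to NEW instead of being delivered locally.
    echo "iptables -t nat -A PREROUTING -p tcp -d $old --dport $port -j DNAT --to-destination $new"
    # FORWARD runs after PREROUTING: it sees NEW as destination, never OLD.
    echo "iptables -A FORWARD -p tcp -d $new --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    # Replies must come back through this firewall to be un-NATed, so the
    # client address is replaced by OLD; NEW never learns who connected.
    echo "iptables -t nat -A POSTROUTING -p tcp -d $new --dport $port -j SNAT --to-source $old"
}

# hairpin_all < mapping-file: one "OLD NEW PORT" per line, '#' starts a comment.
hairpin_all() {
    # One shared rule for the return half of every relayed connection.
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    while read -r old new port; do
        case $old in ''|'#'*) continue ;; esac
        hairpin_rules "$old" "$new" "$port"
    done
}

# Constructed mapping for the demo: Gary's address pair on ports 80 and 443,
# plus a second address pair that the thread does not name (assumed).
DEMO_MAP='205.34.43.2 206.32.43.2 80
205.34.43.2 206.32.43.2 443
# second address pair (assumption)
205.34.43.3 206.32.43.3 25'

# demo_rules: the full command list for DEMO_MAP.
demo_rules() {
    printf '%s\n' "$DEMO_MAP" | hairpin_all
}

if [ "${1:-}" = print ]; then demo_rules; fi
```

Run it as `sh hairpin.sh print` and paste the output into the firewall script once it reads right. Because every relayed connection reaches NEW with OLD as its source, per-client logging, blocking or rate limiting on the new side sees a single client until DNS has moved and the relay is removed.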
* Redirect Question
From: Gary W. Smith @ 2005-03-04 22:59 UTC
To: netfilter
We have a client moving offices and will need to migrate their DNS (and some of their DNS entries) over at some point in time. But for a variety of reasons we cannot do that. They have 16 IPs at their current location and will get another 16 at their new location.
What we would like to do is to have the firewall rewrite or redirect all traffic coming in on two IPs and redirect them to two destination IPs on the new firewall.
i.e. they have 205.34.43.1/28 and 206.32.43.1/28. We want all traffic that is currently destined for 205.34.43.2 to go to 206.32.43.2. These are not at the same location.
What is the easiest way to accomplish this? Both locations are running RHEL3 and a fairly basic configuration with iptables.
Gary Wayne Smith
* RE: REDIRECT question
From: George Vieira @ 2003-07-13 21:55 UTC
To: Ruslan Spivak, netfilter
PREROUTING only works for real packets being received from the network and not locally generated packets (localhost). So with localhost, the packets do not leave the wire and come back for PREROUTING to work, I think only INPUT/FORWARD/OUTPUT will receive these localhost packets.
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
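One ruleset that covers both Danny's question (forcing LAN clients through squid) and the localhost question in this thread, as an added example that is not from either post. It prints an iptables-restore style nat table rather than loading it. Assumed and adjustable: the clients sit behind eth0 and the uplink is wlan0 (the interfaces in Danny's FORWARD rule), squid listens on 3128 and runs as the user proxy, which is Debian's squid account. What it shows is the chain split George describes: a forwarded client packet is only ever seen by nat/PREROUTING, a packet generated on the box itself (telnet localhost 80 included) only by nat/OUTPUT, so each chain needs its own REDIRECT, and the OUTPUT one has to skip squid's own upstream fetches or they would be sent straight back into squid.

```shell
#!/bin/sh
# Added example (not from the list posts): print an iptables-restore nat
# table that intercepts port 80 both for forwarded LAN clients and for
# connections generated on the gateway itself.
# Assumed values, override from the environment:
LAN_IF=${LAN_IF:-eth0}            # interface the clients are behind
WAN_IF=${WAN_IF:-wlan0}           # interface towards the router
PROXY_PORT=${PROXY_PORT:-3128}
PROXY_USER=${PROXY_USER:-proxy}   # account squid runs as (Debian: proxy)

# nat_ruleset: the table in iptables-restore format ('#' lines are ignored
# by iptables-restore, so the comments can stay in the saved file).
nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forwarded traffic enters through PREROUTING only; a rule in OUTPUT never
# sees a client's packet, which is why an OUTPUT-only attempt leaves the
# clients untouched.
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# Locally generated traffic enters through OUTPUT only. Squid's own upstream
# connections go out on port 80 too and must be let through first, or every
# fetch would be redirected back into squid.
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j RETURN
# Everything else from this host, including "telnet localhost 80", lands on
# the proxy port: REDIRECT maps locally generated packets to 127.0.0.1.
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Pre-load check: the owner exclusion must precede the REDIRECT in OUTPUT.
# Returns 0 when the order is right, 1 otherwise.
output_order_ok() {
    nat_ruleset | awk '
        /^-A OUTPUT .*-j RETURN/   { ret = NR }
        /^-A OUTPUT .*-j REDIRECT/ { red = NR }
        END { exit !(ret && red && ret < red) }'
}

# Number of REDIRECT rules in the generated table (expect one per chain).
redirect_count() {
    nat_ruleset | grep -c -- '-j REDIRECT'
}

if [ "${1:-}" = print ]; then nat_ruleset; fi
```

Print it with `sh redirect-nat.sh print`, read it, then load it with `iptables-restore -n < nat.rules`; `-n` keeps the rules already present in the other tables. Squid has to be told that the port carries intercepted connections (on Squid 3.1 and later the http_port option is `intercept`), and the rules only catch port 80: HTTPS passes untouched.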
* Re: REDIRECT question
From: Ruslan Spivak @ 2003-07-02 13:13 UTC
To: Chris Wilson; +Cc: netfilter
Chris Wilson wrote:
> Hi Ruslan,
>
>> I just want to be sure that after redirecting, the packet is going to
>> the INPUT chain where I can filter it (am I right?).
>
> As far as I know, that's right.
>
> Cheers, Chris.
One more question, please.
I have three nets that are located in our city and I treat them as local,
because we have a direct connection with those networks.
I need to redirect traffic that is going to the outside world to port
3128 (squid) and leave traffic to the local nets alone.
Following your previous advice, I have made a suggestion about how it
should look:
LOCAL_NET_1=193.108.240.0/22
LOCAL_NET_2=193.220.70.32/27
LOCAL_NET_3=193.220.70.64/27
iptables -t nat -N REDIRECT_CHAIN
iptables -t nat -A REDIRECT_CHAIN -p tcp -d $LOCAL_NET_1 --dport 80 -j RETURN
iptables -t nat -A REDIRECT_CHAIN -p tcp -d $LOCAL_NET_2 --dport 80 -j RETURN
iptables -t nat -A REDIRECT_CHAIN -p tcp -d $LOCAL_NET_3 --dport 80 -j RETURN
iptables -t nat -A REDIRECT_CHAIN -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -j REDIRECT_CHAIN
Can you tell me if I'm on the right way?
Again, thanks in advance.
Best regards,
Ruslan
* Re: REDIRECT question
From: Ruslan Spivak @ 2003-07-02 11:14 UTC
To: Chris Wilson; +Cc: netfilter
Chris Wilson wrote:
> Hi Ruslan,
>
>> I want to make a transparent proxy on localhost and want to disable access
>> after redirecting to port 3128 if the destination address is in a net other
>> than 193.108.240.0/22.
>> Does the REDIRECT target send the packet to the INPUT chain, and should I
>> disable access in the INPUT chain, or should I disable access in the
>> '-t nat -A POSTROUTING' chain?
>
> You will not be able to disable access in the POSTROUTING chain, since
> after reading the REDIRECT rule, no further rules in that chain are
> processed. In any case, it is not recommended to filter in the nat table.
> The best place to put your filtering rule is in the INPUT chain.
>
> Cheers, Chris.
Hello, Chris.
I just want to be sure that after redirecting, the packet is going to the
INPUT chain where I can filter it (am I right?).
Thanks for your reply.
Best regards,
Ruslan
* Re: REDIRECT question
From: Chris Wilson @ 2003-07-02 11:01 UTC
To: Ruslan Spivak; +Cc: netfilter
Hi Ruslan,
> I want to make a transparent proxy on localhost and want to disable access
> after redirecting to port 3128 if the destination address is in a net other
> than 193.108.240.0/22.
> Does the REDIRECT target send the packet to the INPUT chain, and should I
> disable access in the INPUT chain, or should I disable access in the
> '-t nat -A POSTROUTING' chain?
You will not be able to disable access in the POSTROUTING chain, since
after reading the REDIRECT rule, no further rules in that chain are
processed. In any case, it is not recommended to filter in the nat table.
The best place to put your filtering rule is in the INPUT chain.
Cheers, Chris.
--
Chris Wilson -- UNIX Firewall Lead Developer
NetServers.co.uk http://www.netservers.co.uk
21 Signet Court, Cambridge, UK. 01223 576516
* REDIRECT question
From: Ruslan Spivak @ 2003-07-02 10:56 UTC
To: netfilter
Hello, netfilter users.
I want to make a transparent proxy on localhost and want to disable access
after redirecting to port 3128 if the destination address is in a net other
than 193.108.240.0/22.
Does the REDIRECT target send the packet to the INPUT chain, and should I
disable access in the INPUT chain, or should I disable access in the
'-t nat -A POSTROUTING' chain?
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Thanks in advance. Your help is very, very much appreciated.
Best regards,
Ruslan
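Where the filtering goes once REDIRECT has happened, as an added example that is not from Ruslan's or Chris's posts. It keeps the PREROUTING rule above and adds the filter-table side: after REDIRECT the packet arrives in INPUT addressed to the firewall itself on port 3128, so a plain -d match can no longer tell where the client was going, but conntrack still holds the original tuple and the conntrack match exposes it as --ctorigdst. The script prints the commands rather than running them. eth0 as the client side, 3128 as squid's port and 193.108.240.0/22 as the permitted destination are taken from the post; that the conntrack match is available is an assumption (it is part of any current iptables).

```shell
#!/bin/sh
# Added example (not from the thread): print the nat and filter rules for a
# transparent proxy whose access control lives in filter/INPUT and decides on
# the destination the client originally asked for, not the rewritten one.
LAN_IF=${LAN_IF:-eth0}
PROXY_PORT=${PROXY_PORT:-3128}
ALLOWED_DST=${ALLOWED_DST:-193.108.240.0/22}   # network named in the post

# nat_rules: the interception itself. Only the first packet of a connection
# passes through nat and the verdict then sticks to the whole connection,
# which is why nat is no place to filter: nothing here can deny anything.
nat_rules() {
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
}

# filter_rules: access control on the proxy port in filter/INPUT.
filter_rules() {
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Redirected connections show up here with dport $PROXY_PORT and the
    # firewall's own address as destination. --ctorigdst is the pre-NAT
    # destination: drop intercepted connections whose real target is outside
    # the permitted network.
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -m conntrack --ctorigdstport 80 ! --ctorigdst $ALLOWED_DST -j DROP"
    # A browser pointed straight at the proxy port is not an intercepted
    # connection (its original destination is the proxy itself) and escapes the
    # check above, so it gets its own verdict; here such clients are refused.
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -m conntrack --ctorigdstport $PROXY_PORT -j REJECT --reject-with tcp-reset"
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT"
}

# ruleset: everything, nat first so interception is in place before filtering.
ruleset() { nat_rules; filter_rules; }

# Number of filter rules that decide on the original destination.
ctorig_rules() { filter_rules | grep -c -- '--ctorigdst '; }

if [ "${1:-}" = print ]; then ruleset; fi
```

With the rules loaded, `conntrack -L -p tcp` lists both tuples of an intercepted connection; the original one still carries the client's real target and port 80, and that is the value the --ctorigdst and --ctorigdstport matches compare against.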