Old 05-08-2007, 02:56 AM   #1
sanjibgupta
Member
 
Registered: Apr 2003
Location: Kolkata
Posts: 189

Rep: Reputation: 30
iptables redirect


Hi
I have 3 LAN cards in my system (Red Hat Enterprise 3.0). I am running secure Squid, which runs perfectly when I change the LAN setting to proxy server (192.168.50.1 port 3128). But when I try to do it through iptables it does not. If the changes try to do it it searches for
/questions/newthread.php?do=newthread&f=3
instead of
http://www.linuxquestions.org/questi...=newthread&f=3

What should I do so that all traffic through this server passes through the Squid port?

I am attaching the iptables script.
Sanjib gupta

# more iptables
# Generated by iptables-save v1.2.7a on Mon Apr 30 15:08:01 2007
*nat
:PREROUTING ACCEPT [163:15266]
:POSTROUTING ACCEPT [13:780]
:OUTPUT ACCEPT [13:780]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 202.141.xxx.27:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 202.141.xxx.26:443
-A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 202.141.148.24/28 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 30 15:08:01 2007
# Generated by iptables-save v1.2.7a on Mon Apr 30 15:08:01 2007
*mangle
:PREROUTING ACCEPT [899:63753]
:INPUT ACCEPT [741:48753]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [683:50009]
:POSTROUTING ACCEPT [683:50009]
COMMIT
# Completed on Mon Apr 30 15:08:01 2007
# Generated by iptables-save v1.2.7a on Mon Apr 30 15:08:01 2007
*filter
:INPUT ACCEPT [741:48753]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [683:50009]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 203.197.xxx.0/28 -d 0/0 -p all -j ACCEPT
-A INPUT -i eth1 -s 202.141.xxx.24/29 -d 0/0 -p all -j ACCEPT
-A INPUT -i eth2 -s 192.168.50.0/24 -d 0/0 -p all -j ACCEPT
-A FORWARD -i eth2 -s 192.168.50.0/24 -d 202.141.xxx.24/29 -p all -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 202.141.xxx.24/255.255.255.240 --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 202.141.xxx.26/255.255.255.255 --dport smtp -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 202.141.xxx.24/255.255.255.240 --dport 53 -j ACCEPT
-A FORWARD -i eth1 -p udp -s 202.141.xxx.24/255.255.255.240 --dport 53 -j ACCEPT
COMMIT
# Completed on Mon Apr 30 15:08:01 2007
 
Old 05-10-2007, 04:15 AM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,174

Rep: Reputation: 47
As I see, you want to use Squid as a transparent proxy. You should add some lines in squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


good luck
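
The symptom in the first post and the effect of the squid.conf lines above, as an added example that is not part of the original thread: a browser configured with a proxy puts the full URL in the request line, while a browser whose port-80 traffic is redirected sends only the path, so the proxy has to rebuild the URL from the Host header. The host name, path and function names are constructed for illustration.

```python
# Added example: recovering the requested URL from both request forms.
# The sample requests are constructed, not captured traffic.

EXPLICIT = (b"GET http://www.example.org/forum/newthread.php?do=newthread&f=3 HTTP/1.1\r\n"
            b"Host: www.example.org\r\n\r\n")      # browser set to proxy :3128
INTERCEPTED = (b"GET /forum/newthread.php?do=newthread&f=3 HTTP/1.1\r\n"
               b"Host: www.example.org\r\n\r\n")   # port 80 redirected to :3128
NO_HOST = b"GET /forum/newthread.php?do=newthread&f=3 HTTP/1.0\r\n\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_url(raw: bytes) -> str:
    """Return the absolute URL the client asked for."""
    _method, target, headers = parse_request(raw)
    # Absolute form: the client knows it is talking to a proxy.
    if target.lower().startswith("http://"):
        return target
    if not target.startswith("/"):
        raise ValueError(f"unsupported request target: {target!r}")
    # Origin form: only the path is present, which is what the proxy
    # "searches for" unless it is told to use the Host header.
    host = headers.get("host", "")
    if not host or any(c in host for c in "/@ \t"):
        raise ValueError("no usable Host header; URL cannot be rebuilt")
    # The Host header is chosen by the client, so a URL rebuilt this way
    # is only as trustworthy as that header.
    return f"http://{host}{target}"


if __name__ == "__main__":
    print(effective_url(EXPLICIT))
    print(effective_url(INTERCEPTED))
```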
 
Old 05-17-2007, 01:41 AM   #3
sanjibgupta
Member
 
Registered: Apr 2003
Location: Kolkata
Posts: 189

Original Poster
Rep: Reputation: 30
Thanks, transparent is working (seen the entries in /var/squid/access.log).
But now the problem is that it is not asking me for the username and password. But if I manually use from the explorer properties it is asking for it and letting me enter with the password.

Sanjib Gupta
 
Old 05-18-2007, 03:16 AM   #4
sanjibgupta
Member
 
Registered: Apr 2003
Location: Kolkata
Posts: 189

Original Poster
Rep: Reputation: 30
Can anyone help this problem out?
I want my users to get authenticated before getting to the internet, but if I do not manually put the proxy on from the browser it is not asking for the password otherwise not.

This is the output in the access.log file
when I use the port 3128 from the browser

1179475838.845 409 192.168.50.20 TCP_MISS/200 4645 GET http://pagead2.googlesyndication.com/pagead/ads? sanjib DIRECT/209.85.143.166 text/html

when I don't put the proxy server on

1179475838.862 312 192.168.50.20 TCP_MISS/200 404 GET http://www.google-analytics.com/__utm.gif? sanjib DIRECT/209.85.167.104 image/gif

Sanjib gupta
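
One way to check from access.log whether requests are being served without an authenticated user, as an added example that is not part of the original thread. It assumes Squid's native log format as in the lines quoted above, where the eighth field is the user name and "-" means none; the sample lines, user name and function names are constructed.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1179475838.845    409 192.168.50.20 TCP_MISS/200 4645 GET http://www.example.org/a alice DIRECT/192.0.2.10 text/html
1179475839.102    120 192.168.50.21 TCP_MISS/200 812 GET http://www.example.org/b - DIRECT/192.0.2.10 text/html
1179475839.500     15 192.168.50.20 TCP_DENIED/407 1720 GET http://www.example.org/c - NONE/- text/html
1179475840.010     98 192.168.50.21 TCP_HIT/200 3021 GET http://www.example.org/d - NONE/- image/gif
truncated line
"""


def parse_line(line):
    """Return a dict for one native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    if not status.isdigit():
        return None
    return {"client": fields[2], "code": code, "status": int(status),
            "url": fields[6], "user": fields[7]}


def unauthenticated_served(log_text):
    """Map client IP -> URLs that were served with no user name logged.

    TCP_DENIED entries (for example the 407 challenge itself) are skipped:
    they show the proxy asking for credentials, not letting traffic through.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["user"] == "-" and not entry["code"].startswith("TCP_DENIED"):
            hits[entry["client"]].append(entry["url"])
    return dict(hits)


if __name__ == "__main__":
    for client, urls in unauthenticated_served(SAMPLE_LOG).items():
        print(client, len(urls), "request(s) served without a user name")
```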
 
  

