LinuxQuestions.org
Old 12-07-2004, 02:01 AM   #1
seitan
LQ Newbie
Iptables+transparent Proxy


Hello forums,
I have the following question:
I've tried to make an iptables script with such rules (this is just a simple example for 2 clients):
user from IP 192.168.0.44 will connect through the gateway
user from IP 192.168.0.149 will connect through the proxy (192.168.0.2)

Here's the script:

#!/bin/sh
# flush the nat chains and the filter table
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# through proxy: every HTTP request entering on eth0, except the proxy's own,
# is DNATed to the proxy (modern negation syntax: "! -s" instead of "-s !")
iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.0.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8080
# proxy and client share the subnet, so rewrite the source to the gateway
# address; otherwise the proxy's replies would not come back through the gateway
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.149 -d 192.168.0.2 -j SNAT --to-source 192.168.0.1
iptables -A FORWARD -i eth0 -o eth0 -s 192.168.0.149 -d 192.168.0.2 -p tcp --dport 8080 -j ACCEPT

# through gateway
iptables -t nat -A POSTROUTING -s 192.168.0.44 -j MASQUERADE
iptables -A FORWARD -i eth0 -s 192.168.0.44 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ssh to the gateway itself
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward



But the problem is that they both are pushed through the proxy.
I'm not an iptables guru, and as far as I can figure out, there's a problem
with "iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.0.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8080",
but I cannot find any solution.
Thank you for your ideas.
 
Old 12-07-2004, 12:36 PM   #2
maxut
Senior Member
Re: Iptables+transparent Proxy

Hello,

I'm confused. Can you explain your network? I need to know your network configuration (especially the subnets) to suggest some iptables rules.
By the way, why don't you run the proxy on the gateway box?
 
Old 12-13-2004, 01:14 AM   #3
seitan
LQ Newbie
OK, my network looks like this:
1) Linux gateway 192.168.0.1
2) FreeBSD proxy server 192.168.0.2

I want all users from network 192.168.0.0/24 to be filtered by the proxy (just the HTTP port), but there is one client (let's say 192.168.0.30) that I do not want to be filtered: its HTTP requests must be routed through the gateway, not the proxy.

The proxy server runs on a different box because the gateway is an old 486 box, and I needed content filtering, so the proxy server is more powerful.
 
Old 12-13-2004, 02:07 AM   #4
maxut
Senior Member
I see. Your proxy and local clients are in the same network. I hope it doesn't cause any trouble; maybe the DNAT rule won't work.

You can try the following rules:
Code:
iptables -F
iptables -F -t nat
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.0.30 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.0.2 -j ACCEPT
iptables -A FORWARD -d 192.168.0.2 -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.0.30 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8080
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE   # eth1 = external interface
good luck.
 
Old 12-13-2004, 03:56 AM   #5
seitan
LQ Newbie
Thanks for the reply.
But this does not work: the .30 address is routed via the gateway, as it needs to be,
but the rest of the clients are not pushed through the proxy.
 
Old 12-13-2004, 05:22 AM   #6
maxut
Senior Member
Sorry, I think the trouble is the PREROUTING rule that I suggested to you. I made a mistake,

because it doesn't let your proxy server connect to external servers via HTTP. It redirects back to the proxy, so it doesn't work.

Can you configure the proxy server to let your IP reach HTTP without filters? Because I don't know how to create a PREROUTING rule that can do that. I can use only one "!", so I cannot define the opposite of two IPs in one PREROUTING rule.

Change that PREROUTING rule to:
# DNAT, not SNAT: only DNAT is valid in the nat PREROUTING chain
iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.0.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8080

By the way: all of the clients will be able to reach the HTTP port through the proxy. All other connections will be blocked by the gateway. Only your IP can reach the Internet on all ports. If you want to allow a client to connect to a specific port, add a FORWARD rule like this:
iptables -A FORWARD -i eth0 -s $ip_of_that_client -p $protocol --dport $dport_no -j ACCEPT

Good luck.
 
Old 12-13-2004, 05:59 AM   #7
seitan
LQ Newbie
So it is impossible to make such a rule? I need to find out how to do this on the proxy server side?
 
Old 12-13-2004, 06:17 AM   #8
maxut
Senior Member
I didn't mean "it is impossible",
because nothing is impossible if you have Linux.

If you have few clients, I think you can do that with the following rules:
Do not create rules for your IP or the proxy server's IP.

# one DNAT rule per client that must use the proxy (nat table, DNAT target)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -s $client1_ip -j DNAT --to-destination 192.168.0.2:8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -s $client2_ip -j DNAT --to-destination 192.168.0.2:8080
...
...

Maybe there are other ways to do that with iptables.


But it is a better idea to allow your IP on the proxy side. If you have Squid, I think I can help you.

Good luck.
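Added example (not a post from this thread): the "only one '!'" limitation discussed in posts #6 and #8 goes away if the exemptions are expressed as RETURN rules in a user-defined nat chain that the PREROUTING rule jumps to. Every host that must keep its real destination (the proxy itself, so that its own fetches do not loop back to it, and each bypass client) gets one RETURN line, and only the fall-through is DNATed, so any number of hosts can be exempted. The script also handles the concern raised in post #4: the proxy sits on the same subnet as the clients, so its replies would go straight back to the client instead of through the gateway; the DNATed connections are therefore SNATed to the gateway address (post #1 did the same for one client), at the cost that the proxy logs the gateway's address rather than the client's. Addresses follow the thread; eth1 as the WAN interface, a second bypass host 192.168.0.44, the NOPROXY chain name and the DNS rule are assumptions. One caveat the rules cannot fix: the gateway's DNAT discards the original destination, so a proxy on a different box can route requests only by their Host header, which HTTP/1.0 clients are not required to send.

```shell
#!/bin/sh
# Added example (not from the thread): transparent HTTP proxying on the Linux
# gateway with several hosts exempted via RETURN rules in a dedicated nat chain.
# Addresses follow the thread; eth1 (WAN), 192.168.0.44 as a second bypass host,
# the NOPROXY chain name and the DNS rule are assumptions.

LAN_IF=eth0
WAN_IF=eth1                          # assumed external interface
LAN_NET=192.168.0.0/24
GW_IP=192.168.0.1                    # this box
PROXY_IP=192.168.0.2                 # FreeBSD proxy, same subnet as the clients
PROXY_PORT=8080
BYPASS="192.168.0.30 192.168.0.44"   # hosts whose HTTP must not go via the proxy

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Hosts that must never be DNATed: the proxy itself (or its own fetches would
# loop back to it) plus the bypass hosts.
no_proxy_hosts() {
    echo "$PROXY_IP $BYPASS"
}

apply_rules() {
    # clean slate
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # the gateway itself: loopback, replies, ssh from the LAN only
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # nat/NOPROXY: exempt hosts RETURN to PREROUTING untouched, everyone else
    # is sent to the proxy. No "!" needed, however many hosts are exempt.
    $IPT -t nat -N NOPROXY
    for h in $(no_proxy_hosts); do
        $IPT -t nat -A NOPROXY -s "$h" -j RETURN
    done
    $IPT -t nat -A NOPROXY -p tcp -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j NOPROXY

    # Proxy and clients share a subnet, so the proxy would answer the client
    # directly and the client would reset a reply from an address it never
    # contacted. Rewriting the source to the gateway pulls the reply back
    # through conntrack here. Cost: the proxy logs the gateway, not the client.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" \
        -p tcp --dport "$PROXY_PORT" -j SNAT --to-source "$GW_IP"

    # everything leaving the WAN side is masqueraded
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # forwarding: replies, the redirected HTTP hairpin, DNS for everyone
    # (assumed: clients use an Internet resolver; drop it if DNS is on the LAN),
    # and unrestricted WAN access for the proxy and the bypass hosts only.
    # All other LAN traffic hits the DROP policy.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" \
        -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    for h in $(no_proxy_hosts); do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$h" -j ACCEPT
    done

    $SYSCTL -w net.ipv4.ip_forward=1
    # the hairpin (in and out on eth0) would otherwise trigger ICMP redirects
    $SYSCTL -w "net.ipv4.conf.$LAN_IF.send_redirects=0"
}

# Without APPLY=1 the script only prints the commands it would run.
[ "${APPLY:-0}" = 1 ] || { IPT="echo iptables"; SYSCTL="echo sysctl"; }
apply_rules
```

Run it without APPLY=1 first and read the printed commands; `APPLY=1 sh transparent-proxy.sh` loads them. Afterwards `iptables -t nat -L NOPROXY -n -v` shows the per-host RETURN counters, so a browse from an exempt client should increment its RETURN line and not the DNAT line.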
 
Old 12-13-2004, 07:21 AM   #9
seitan
LQ Newbie
The main problem is one client which uses some old software that works with the HTTP/1.0 protocol. As far as I realised, on my configuration
only HTTP/1.1 requests are served correctly, so there's a problem.
If I could get HTTP/1.0 requests handled correctly, I could pass the entire subnet via the proxy without thinking of a workaround with iptables rules.
 
Old 12-13-2004, 07:57 AM   #10
Demonbane
Guru
See if this helps:
http://www.bitesizeinc.net/index.php...sparentProxy.5
 
Old 12-13-2004, 08:19 AM   #11
seitan
LQ Newbie
Quote:
Originally posted by Demonbane
see if this helps:
http://www.bitesizeinc.net/index.php...sparentProxy.5
Hmm, on FreeBSD box?
 
Old 12-13-2004, 08:42 PM   #12
metalick
Member
So Linux and FreeBSD are both visible from the clients?
I mean, is Linux between FreeBSD and the LAN, or can everyone "see" everyone?
If that is the case, why don't you set the FreeBSD machine as the GW on the .30 client?
 
  

