LinuxQuestions.org
#1 | Last Attacker (Original Poster) | 01-01-2009, 12:48 PM
Redirecting local traffic from port 80 to 8080


Hi there

I've got a basic setup where my Linux (Ubuntu) Gateway machine has TinyProxy (transparently) with Dansguardian running on it. All client network traffic gets redirected correctly from port 80 to 8080 but if I VNC into the machine and use firefox it goes directly through port 80 and doesn't get redirected to 8080.

Can anyone please help in that regard?

Thanks.
 
#2 | blackhole54 | 01-05-2009, 08:03 AM
Can you post the script (or iptables rules) you are already using? Also, I have never used VPN, so I might need a little help with that. So I can see what interface(s) VPN is using, can you also post the output of ifconfig (with no parameters)?
 
#3 | cheapscotchron | 01-05-2009, 08:20 AM
Most likely because the VPN IP is not in the range of the local LAN as defined in your proxy.
e.g. your LAN pool may be different from your VPN pool.
 
#4 | Last Attacker (Original Poster) | 01-05-2009, 09:08 AM
Oh I don't use VPN. I meant when I use VNC to remote desktop into the machine.

Here is the info:
-----

# Generated by iptables-save v1.3.8 on Thu Jan 1 11:29:44 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:INBOUND - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:OUTBOUND - [0:0]
-A INPUT -i ppp0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i ib0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -s 196.30.31.193 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 196.30.31.193 -p udp -j ACCEPT
-A INPUT -s 196.7.0.138 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 196.7.0.138 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -d 255.255.255.255 -i ppp0 -j DROP
-A INPUT -s 224.0.0.0/255.0.0.0 -j DROP
-A INPUT -d 224.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 255.255.255.255 -j DROP
-A INPUT -d 0.0.0.0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -m limit --limit 10/min -j LSI
-A INPUT -i ppp0 -j INBOUND
-A INPUT -d 192.168.0.1 -i eth0 -j INBOUND
-A INPUT -d 196.2.106.155 -i eth0 -j INBOUND
-A INPUT -d 192.168.0.255 -i eth0 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -o ppp0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i ppp0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -o ib0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i ib0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -p icmp -m limit --limit 10/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j OUTBOUND
-A FORWARD -d 192.168.0.0/255.255.255.0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.255.0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
-A OUTPUT -o ppp0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -o ib0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -d 196.30.31.193 -o ppp0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 196.30.31.193 -o ppp0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 196.7.0.138 -o ppp0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 196.7.0.138 -o ppp0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 224.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -d 224.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -s 255.255.255.255 -j DROP
-A OUTPUT -d 0.0.0.0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o ppp0 -j OUTBOUND
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 445 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 67:68 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 443 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 5900:5901 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 5900:5901 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 20:21 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 8080 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 16007 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 16007 -j ACCEPT
-A INBOUND -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INBOUND -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INBOUND -j LSI
-A LSI -j LOG_FILTER
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j REJECT --reject-with icmp-port-unreachable
-A OUTBOUND -p icmp -j ACCEPT
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 80 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 443 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 20:21 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 20:21 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 143 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 123 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 110 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 25 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 578 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 578 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 995 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 5900:5901 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 5900:5901 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 25999 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 25999 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 6112 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 6112 -j ACCEPT
-A OUTBOUND -o ppp0 -p tcp -m tcp --dport 6346 -j ACCEPT
-A OUTBOUND -o ppp0 -p udp -m udp --dport 6346 -j ACCEPT
-A OUTBOUND -j LSO
COMMIT
# Completed on Thu Jan 1 11:29:44 2009
# Generated by iptables-save v1.3.8 on Thu Jan 1 11:29:44 2009
*mangle
:PREROUTING ACCEPT [19643:9862212]
:INPUT ACCEPT [19587:9854934]
:FORWARD ACCEPT [56:7278]
:OUTPUT ACCEPT [20324:10084441]
:POSTROUTING ACCEPT [20371:10091109]
COMMIT
# Completed on Thu Jan 1 11:29:44 2009
# Generated by iptables-save v1.3.8 on Thu Jan 1 11:29:44 2009
*nat
:PREROUTING ACCEPT [17:943]
:POSTROUTING ACCEPT [373:22691]
:OUTPUT ACCEPT [661:40809]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Thu Jan 1 11:29:44 2009
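The dump above is what the rest of the thread reasons about, so here is an added example (not code posted by anyone in this thread) that parses the iptables-save format and reports the one fact that matters for the question: port-80 traffic is sent to the proxy only by a nat PREROUTING rule, which sees packets arriving on eth0, while the nat OUTPUT chain, the only place a connection made on the gateway itself can be redirected, has no rule at all. The embedded text is the nat table from the dump, plus a constructed variant with an owner-exempting OUTPUT rule so the audit can show both outcomes.

```python
"""Audit an iptables-save dump for transparent-proxy coverage.

Added example for this thread, not code posted by anyone in it. It parses the
iptables-save text format (tables, chain policies, -A rules) and answers the
question the thread turns on: is port-80 traffic redirected to the proxy only
in nat PREROUTING (traffic forwarded from eth0), with nothing in nat OUTPUT
for connections made on the gateway itself?
"""
import shlex

# Constructed excerpt: the nat table exactly as shown in post #4, reproduced
# here so the example runs offline.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.3.8 on Thu Jan 1 11:29:44 2009
*nat
:PREROUTING ACCEPT [17:943]
:POSTROUTING ACCEPT [373:22691]
:OUTPUT ACCEPT [661:40809]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Thu Jan 1 11:29:44 2009
"""

# The same table with an owner-exempting OUTPUT redirect appended (constructed;
# the user name "tinyproxy" is an assumption).
SAMPLE_DUMP_WITH_OUTPUT = SAMPLE_DUMP.replace(
    "COMMIT",
    "-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner tinyproxy"
    " -j REDIRECT --to-ports 8080\nCOMMIT",
)


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, argv)]}}.

    Built-in chains carry a policy (ACCEPT/DROP); user-defined chains show "-".
    """
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # *filter, *nat, *mangle
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy, _counters = line[1:].split(" ", 2)
            tables[current]["policies"][chain] = policy
        elif line == "COMMIT":
            current = None
        elif line.startswith("-A "):                  # -A CHAIN <matches> -j TARGET
            argv = shlex.split(line)
            tables[current]["rules"].append((argv[1], argv[2:]))
    return tables


def _arg(argv, flag):
    """Value following `flag` in a rule's argv, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def redirect_rules(tables, table="nat"):
    """List (chain, dport, to_port, owner_exempt) for every REDIRECT rule."""
    found = []
    for chain, argv in tables.get(table, {}).get("rules", []):
        if _arg(argv, "-j") != "REDIRECT":
            continue
        # `-m owner ! --uid-owner <user>` exempts that user's sockets.
        exempt = "--uid-owner" in argv and argv[argv.index("--uid-owner") - 1] == "!"
        found.append((chain, _arg(argv, "--dport"), _arg(argv, "--to-ports"), exempt))
    return found


def audit_proxy_coverage(dump, port="80"):
    """Which kinds of port-80 traffic does this ruleset send to the proxy?"""
    hits = {c: ex for c, d, _to, ex in redirect_rules(parse_iptables_save(dump)) if d == port}
    return {
        "forwarded_clients": "PREROUTING" in hits,    # packets arriving on eth0
        "local_processes": "OUTPUT" in hits,          # a browser run on the gateway
        "proxy_exempted": hits.get("OUTPUT", False),  # proxy's own upstream connections
    }


if __name__ == "__main__":
    print("post #4 ruleset:   ", audit_proxy_coverage(SAMPLE_DUMP))
    print("with OUTPUT rule:  ", audit_proxy_coverage(SAMPLE_DUMP_WITH_OUTPUT))
```

Run against the real thing with `iptables-save | python3 audit.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`; the `proxy_exempted` flag is the check worth keeping, since an OUTPUT redirect without an owner exemption sends the proxy's own upstream connections back into the proxy.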
 
#5 | blackhole54 | 01-06-2009, 12:48 AM
Quote (Originally Posted by Last Attacker):
    Oh I don't use VPN. I meant when I use VNC to remote desktop into the machine.
My apologies to you and cheapscotchron. I was getting this thread confused with another one.

So is Firefox actually running on this machine? If so, you need the rule (in addition to the PREROUTING rule):

Code:
iptables -t nat -A OUTPUT -p tcp  --dport 80 -j REDIRECT --to-ports 8080
When I was doing a similar REDIRECT (different port) from the (nat) OUTPUT chain recently, I found the packets were appearing on one of my ethernet interfaces (according to iptables' LOG function) with both source and destination addresses of 127.0.0.1. Accepting all packets on the loopback interface did not accept these packets. So, since you have a DROP policy on the (netfilter) OUTPUT chain, you might need a rule something like:

Code:
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp --dport 8080 -j ACCEPT
I don't recall having an analogous problem on the INPUT chain, but if you find that your packets get lost, you might investigate whether you need a corresponding rule there also.


If I've still misunderstood the situation, post back with more info and I'll take another shot at it.

Last edited by blackhole54; 01-06-2009 at 12:51 AM. Reason: --dport 80 -> --dport 8080
 
#6 | blackhole54 | 01-16-2009, 02:39 AM
So did you ever get it working?

The reason I ask is as follows:

I have successfully used something analogous to what I last posted on a 2.4 kernel. But I recently tried the same thing on a 2.6.17 kernel and I ran into problems. I finally ended up using a rather ugly kludge to do what I wanted. It seems I (somewhat) recently read about some problem finally (after years of being "broken") getting fixed in the kernel and I believe it had something to do with DNAT or REDIRECT. At the time I didn't know what the article was talking about, but I am now wondering whether it was this problem.

Last edited by blackhole54; 01-16-2009 at 02:40 AM. Reason: typo
 
#7 | Last Attacker (Original Poster) | 01-30-2009, 07:41 AM
Hey BlackHole!

Thanks for your help.
Sorry for the late reply.
I will try to test it out.
 
#8 | Last Attacker (Original Poster) | 01-30-2009, 07:58 AM
Hi there

I tried the above and it didn't work because I forgot to mention that I have a proxy running on that machine.
So here I have a slight issue, right?
I want to block Firefox on port 80 on the gateway but allow Tinyproxy to connect directly with port 80.
The network-part is working fine.

If it is not possible, I'll just uninstall all browsers on the gateway.

Last edited by Last Attacker; 01-30-2009 at 07:59 AM. Reason: Added question
 
#9 | blackhole54 | 02-02-2009, 02:05 AM
Quote (Originally Posted by Last Attacker):
    I tried the above and it didn't work because I forgot to mention that I have a proxy running on that machine.
Well dugh. Of course you are running a proxy on that machine! That's why you want to DNAT/REDIRECT. Sometimes I do miss the obvious! :-/

All you need to do is exempt Tinyproxy from that rule. If Tinyproxy has its own owner (I'll assume named tinyproxy) then you can:

Code:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner tinyproxy \
    -j REDIRECT --to-ports 8080
You can also filter on --gid-owner. You are supposed to be able to filter on --pid-owner, --sid-owner, and --cmd-owner (the name of the command), but the last I knew those are broken on SMP. --cmd-owner probably isn't a good idea anyway if you have untrusted users on that system since the command name can be spoofed.


I gather you didn't have the problems I mentioned in post #6? For my own information, could you let me know what version kernel you are running?
 
#10 | Last Attacker (Original Poster) | 02-02-2009, 02:11 AM
Hey man thanks for your reply.

To be honest, I didn't know that IPtables could exempt processes so this is new to me!
The kernel version I am running is the same one found on the XUbuntu 8.04 release. I haven't updated it. I think it's 2.6.24 or something like that; I need to make 100% sure, as I am replying from work at the moment.

Thanks so much for your effort in helping me with this small thing!
God Bless!
 
#11 | Last Attacker (Original Poster) | 02-02-2009, 01:02 PM
Hi again.

The Kernel I am running on is: 2.6.24-16-generic
 
#12 | Last Attacker (Original Poster) | 02-03-2009, 12:52 PM
Hi BlackHole!

I finally got it to work! That trick of yours did work, but I had to add 1 extra line:

iptables -A OUTPUT -o ppp0 -d 127.0.0.1 -p tcp --dport 8080 -j ACCEPT

Thanks so much for your help man!
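To make the pieces from posts #5, #9 and #12 fit together, here is an added example (not code from any poster in this thread) that models the two hooks a connection made on the gateway itself passes: the nat OUTPUT chain, where the owner-exempting REDIRECT from post #9 rewrites a browser's packet to 127.0.0.1:8080 but leaves Tinyproxy's own upstream connections alone, and then the filter OUTPUT chain from post #4 (policy DROP, jump to OUTBOUND for ppp0, OUTBOUND ending in the rejecting LSO chain). Following what the thread observed, the filter rules are modelled as still seeing the output interface chosen by the first routing decision (ppp0) together with the rewritten destination 127.0.0.1, which is why the loopback accept rule alone does not help and the rule from post #12 is needed. Assumptions: the browser runs as uid 1000, Tinyproxy as user "tinyproxy", 203.0.113.10 is a constructed web server address, and the post #12 rule sits before the jump to OUTBOUND (appended after that jump it would never be reached, since LSO ends traversal with a REJECT).

```python
"""Trace a connection made on the gateway itself through its own iptables rules.

Added example for this thread, not code from any poster. nat OUTPUT is the
rule from post #9; filter OUTPUT is the chain from post #4 reduced to the
rules a new TCP connection can hit, plus the line added in post #12.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    uid: str        # user owning the socket that generated the packet
    oif: str        # output interface from the first routing decision
    dst: str
    dport: int
    state: str = "NEW"


def nat_output(pkt, proxy_port=8080, exempt_uid="tinyproxy"):
    """-A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner tinyproxy -j REDIRECT --to-ports 8080"""
    if pkt.dport == 80 and pkt.uid != exempt_uid:
        # REDIRECT on a locally generated packet points it at the loopback
        # address and the proxy port; the proxy's own connections are exempt,
        # otherwise they would be fed back into the proxy in a loop.
        return replace(pkt, dst="127.0.0.1", dport=proxy_port)
    return pkt


def outbound_chain(pkt):
    """Subset of the OUTBOUND chain in post #4; its final `-j LSO` rejects."""
    if pkt.state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if pkt.oif == "ppp0" and pkt.dport in (53, 80, 443, 22):
        return "ACCEPT"
    return "REJECT"                                      # LSO: log, then REJECT


def filter_output(pkt, post12_rule=False):
    """filter OUTPUT chain from post #4, policy DROP (assumed rule order)."""
    if pkt.oif == "lo":
        return "ACCEPT"                                  # -A OUTPUT -o lo -j ACCEPT
    if post12_rule and pkt.oif == "ppp0" and pkt.dst == "127.0.0.1" and pkt.dport == 8080:
        return "ACCEPT"                                  # -o ppp0 -d 127.0.0.1 -p tcp --dport 8080 -j ACCEPT
    if pkt.oif in ("ppp0", "eth0"):
        return outbound_chain(pkt)                       # -A OUTPUT -o ppp0 -j OUTBOUND
    return "DROP"                                        # chain policy


def trace(pkt, post12_rule=False):
    """Return (packet as the filter chain sees it, final verdict)."""
    seen = nat_output(pkt)
    return seen, filter_output(seen, post12_rule)


if __name__ == "__main__":
    # Constructed sample packets: a browser and the proxy, both opening a new
    # connection to the same (constructed) web server through ppp0.
    firefox = Packet(uid="1000", oif="ppp0", dst="203.0.113.10", dport=80)
    tinyproxy = Packet(uid="tinyproxy", oif="ppp0", dst="203.0.113.10", dport=80)
    for name, pkt in (("firefox", firefox), ("tinyproxy", tinyproxy)):
        for extra in (False, True):
            seen, verdict = trace(pkt, post12_rule=extra)
            print(f"{name:9} post#12 rule={extra!s:5} -> {seen.dst}:{seen.dport} {verdict}")
```

The browser's packet is rejected without the post #12 rule and accepted with it; the proxy's packet is never rewritten and is accepted by the existing port-80 OUTBOUND rule either way. The model also shows how narrow the added accept rule is: a connection to port 8080 on an outside host still hits OUTBOUND and is rejected, because the rule requires the destination 127.0.0.1.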
 
  

