I hope someone is willing to help me solve this issue I have.
I installed Ubuntu 10.04 with Squid as a transparent proxy.
I also put DNS and DHCP on that same machine.
The install as described above is working perfectly.
But when I want to reach the IP cam (port 4580) from outside, it doesn't work.
The NAT entry already exists in the router (gateway)!
The firewall isn't on (for testing purposes).
I'm guessing it has something to do with the 2 NICs and iptables.
I can't figure out what is wrong or completely understand iptables.
Hope somebody can assist me. (Sorry for my bad English.)
The script that is run to configure the network is as follows:
Code:
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
#iptables -A FORWARD -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i $LAN_IN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -j DROP
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# Allow the IP cam port and ICMP (ping) in from the Internet
iptables -A INPUT -i $INTERNET -p tcp --dport 4580 -j ACCEPT
iptables -A INPUT -i $INTERNET -p icmp -j ACCEPT
# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
...accepts traffic from the Internet to tcp port 4580 of your firewall. However, that isn't what you want. According to your diagram, the IP cam is an internal host with an internal IP address (192.168.1.2), so you'll need to DNAT the port:
Isn't this rule for routing the traffic back to the internal Squid port for browsing?
"# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
The rule says "take any incoming traffic from the Internet to port 80 of the firewall, and redirect it to $SQUID_PORT". That and the corresponding INPUT rule (iptables -A INPUT -i $INTERNET -p tcp --dport 4580 -j ACCEPT) open up your proxy server for anyone connecting to port 80.
Unless you limit access in squid.conf, anyone could use your proxy to browse internet sites or even sites on your internal network.
Is there any particular reason why you want the proxy server to be accessible from the outside?
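The open-proxy warning in the reply above can be checked mechanically. What follows is an added example, not code from this thread or from the Squid project: a POSIX shell function that walks the http_access lines of a squid.conf in Squid's own evaluation order and reports what a request from a source outside the LAN would get. The two sample configurations are constructed for the demonstration, and the LAN range 192.168.1.0/24 is assumed to be the poster's network.

```shell
#!/bin/sh
# Added example (not from the thread): does this squid.conf accept requests
# from an arbitrary outside source?
#
# Squid evaluates http_access lines top to bottom; the first line whose ACLs
# all match decides. If no line matches, the result is the opposite of the
# last http_access line, and with no http_access lines at all the request is
# denied.
#
# Only source ACLs are evaluated here: the built-in "all" matches the
# outsider, any ACL declared with "acl NAME src ..." is assumed to name
# internal ranges and therefore does not, and a "!" prefix negates. Lines
# that also mention other ACL types (ports, methods, ...) are skipped as
# undecidable from the source address alone.
#
# squid_open_to_world FILE -> prints "allow" or "deny"; exit status 1 when
#                             the outsider is allowed (an open proxy).
squid_open_to_world() {
    conf=$1
    src_acls=" all "
    # Pass 1: collect the names of all src-type ACLs.
    while read -r kw name type rest; do
        if [ "$kw" = acl ] && [ "$type" = src ]; then
            src_acls="$src_acls$name "
        fi
    done < "$conf"

    decision=""
    last=""
    # Pass 2: evaluate http_access lines in order.
    while read -r kw verdict acls; do
        [ "$kw" = http_access ] || continue
        last=$verdict
        [ -z "$decision" ] || continue    # already decided, only track "last"
        acls=${acls%%#*}                  # drop a trailing comment
        match=1
        for a in $acls; do
            neg=0
            case $a in '!'*) neg=1; a=${a#!} ;; esac
            case $src_acls in
                *" $a "*) ;;              # a source ACL we know about
                *) match=-1; break ;;     # some other ACL type: undecidable
            esac
            hit=0
            if [ "$a" = all ]; then hit=1; fi
            if [ "$neg" -eq 1 ]; then hit=$((1 - hit)); fi
            if [ "$hit" -ne 1 ]; then match=0; fi
        done
        if [ "$match" -eq 1 ]; then decision=$verdict; fi
    done < "$conf"

    if [ -z "$decision" ]; then
        case $last in
            allow) decision=deny ;;
            deny)  decision=allow ;;
            *)     decision=deny ;;       # no http_access lines at all
        esac
    fi
    echo "$decision"
    [ "$decision" = deny ]
}

# Demo on two constructed configurations.
open_conf=$(mktemp); safe_conf=$(mktemp)
cat > "$open_conf" <<'EOF'
# constructed: the open-proxy case described in the thread
acl localnet src 192.168.1.0/24
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow all
EOF
cat > "$safe_conf" <<'EOF'
# constructed: only the LAN and the proxy box itself may use Squid
acl localnet src 192.168.1.0/24
acl localhost src 127.0.0.1/32
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localhost
http_access allow localnet
http_access deny all
EOF
printf 'open.conf: outsider gets %s\n' "$(squid_open_to_world "$open_conf")"
printf 'safe.conf: outsider gets %s\n' "$(squid_open_to_world "$safe_conf")"
rm -f "$open_conf" "$safe_conf"
```

The fallback branch matters in practice: a config whose last http_access line is "deny localnet" with no "deny all" after it lets everyone else in, because Squid's default for an unmatched request is the opposite of the last line.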
When I run the iptables script, changed as written above:
Quote:
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# set NAT
iptables -A PREROUTING -i $INTERNET -p tcp --dport 4580 -j DNAT --to-destination 192.168.1.2:4580
iptables -A FORWARD -i $INTERNET -d 192.168.1.2 -p tcp --dport 4580 -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# Allow ICMP (ping) in from the Internet
iptables -A INPUT -i $INTERNET -p icmp -j ACCEPT
# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
I get the following: iptables: No chain/target/match by that name.
No error is shown if I dash out the following newly edited lines as you told me:
#iptables -A PREROUTING -i $INTERNET -p tcp --dport 4580 -j DNAT --to-destination 192.168.1.2:4580
#iptables -A FORWARD -i $INTERNET -d 192.168.1.2 -p tcp --dport 4580 -j ACCEPT
When the command is executed in the shell directly, it tells me:
Without a -t parameter, iptables defaults to the filter table.
As for the second error, the problem is that you're running the command from the shell without first defining the $INTERNET variable. It should work fine in the script.
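Both errors above come down to where a rule lives. The following is an added example, not code from this thread: a POSIX shell script with two helpers. lint_nat_rules scans a rules script for exactly the mistake in the edited lines (a nat-only chain or target used without -t nat), and port_forward_rules prints the corrected pair of rules for publishing one internal host's port so they can be reviewed before being applied as root. The excerpt it lints is constructed from the thread's rules; the camera address 192.168.1.2 and port 4580 are the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): catch "-t nat" omissions before
# iptables reports "No chain/target/match by that name", and print a
# correct port-forward pair.
set -f   # no globbing: rule text read from a file is never matched against filenames

# lint_nat_rules FILE
# Prints every iptables line that uses a nat-only target (DNAT, SNAT,
# MASQUERADE, REDIRECT) or a chain the filter table does not have
# (PREROUTING, POSTROUTING) without naming a table via -t/--table.
# Without -t, iptables defaults to the filter table, which has neither.
# Returns 1 if at least one line was flagged, 0 if the file is clean.
lint_nat_rules() {
    nat_bad=0
    while IFS= read -r line; do
        case $line in
            \#*|'')     continue ;;   # comment or blank line
            *iptables*) ;;
            *)          continue ;;   # not an iptables command
        esac
        has_table=0; needs_nat=0
        for tok in $line; do
            case $tok in
                -t|--table) has_table=1 ;;
                DNAT|SNAT|MASQUERADE|REDIRECT|PREROUTING|POSTROUTING) needs_nat=1 ;;
            esac
        done
        if [ "$needs_nat" -eq 1 ] && [ "$has_table" -eq 0 ]; then
            printf 'no table given, defaults to filter: %s\n' "$line"
            nat_bad=1
        fi
    done < "$1"
    return $nat_bad
}

# port_forward_rules WAN_IF PROTO PUBLIC_PORT INTERNAL_IP [INTERNAL_PORT]
# Prints the two rules that publish one internal service: the DNAT belongs
# in the nat table's PREROUTING chain, and the rewritten packet must then be
# allowed through the filter table's FORWARD chain (replies are matched by
# conntrack and un-NATed automatically). Printed rather than executed so
# they can be reviewed; piping the output to sh as root applies them.
port_forward_rules() {
    wan=$1; proto=$2; pub=$3; host=$4; iport=${5:-$3}
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan" "$proto" "$pub" "$host" "$iport"
    printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$wan" "$host" "$proto" "$iport"
}

# Demo: lint a constructed excerpt of the thread's edited script.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed excerpt; the shell variables are left unexpanded on purpose
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables -A PREROUTING -i $INTERNET -p tcp --dport 4580 -j DNAT --to-destination 192.168.1.2:4580
iptables -A FORWARD -i $INTERNET -d 192.168.1.2 -p tcp --dport 4580 -j ACCEPT
EOF
lint_nat_rules "$demo" || echo "-> replace the flagged line with:"
port_forward_rules eth0 tcp 4580 192.168.1.2
rm -f "$demo"
```

Running the lint against the edited script flags only the PREROUTING line with the camera DNAT; the FORWARD rule on the next line is correct as written, since FORWARD really is a filter-table chain.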
I am also trying to set up an Ubuntu Squid transparent proxy server using an Intel Pro/1000 MT dual network adapter card. I am having problems configuring the IP addresses for eth0 and eth1. I can't get my clients to work. Please provide a better guide.