10-04-2010, 05:56 AM
#1
Senior Member
Registered: Apr 2007
Location: Bangalore, India
Distribution: RHEL,SuSE,CentOS,Fedora,Ubuntu
Posts: 1,386
Rep:
adding firewalls nat rules
I have a CentOS 5.3 server. I want to configure it as a transparent Squid proxy server. The Internet is connected to eth0 (192.168.0.100) and the LAN is connected to eth1 (192.168.200.0/24); the eth1 IP is 192.168.200.1.
I have configured it as a DHCP and Squid server and it is working fine.
Now I want to configure it as transparent, so that no one has to manually configure anything in the browser.
I just added a line
Code:
http_port 3128 transparent
to make it transparent.
Now while adding nat rules,
Quote:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Quote:
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128
Quote:
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80
Quote:
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80
Quote:
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80
Code:
iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.200.1 -p tcp --dport 80 -j DNAT --to 192.168.200.1:3128
Code:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.200.0/24 -d 192.168.200.1 -j SNAT --to 192.168.200.1
Code:
iptables -A FORWARD -s 192.168.200.0/24 -d 192.168.200.1 -i eth1 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 3128 -j ACCEPT
Code:
iptables -A FORWARD -d 192.168.200.0/24 -s 192.168.200.1 -i eth1 -o eth1 -m state --state ESTABLISHED,RELATED -p tcp --sport 3128 -j ACCEPT
The Internet is totally blocked on eth1, and after stopping the firewall the Internet comes back.
Last edited by divyashree; 10-04-2010 at 06:22 AM .
10-04-2010, 06:11 AM
#2
Senior Member
Registered: Feb 2008
Location: Pune - India
Distribution: RHEL/Ubuntu/Debian/Fedora/Centos/K3OS
Posts: 1,159
Rep:
Hi,
Hope this helps you
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
10-04-2010, 06:15 AM
#3
Member
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638
Rep:
Add redirect rule and check.
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Regards,
10-04-2010, 06:44 AM
#4
Senior Member
Registered: Apr 2007
Location: Bangalore, India
Distribution: RHEL,SuSE,CentOS,Fedora,Ubuntu
Posts: 1,386
Original Poster
Rep:
Now packets are coming to 192.168.0.100, but without specifying the port (3128) and IP (192.168.200.1) on the client systems, no packet is coming.
10-04-2010, 06:45 AM
#5
Senior Member
Registered: Feb 2008
Location: Pune - India
Distribution: RHEL/Ubuntu/Debian/Fedora/Centos/K3OS
Posts: 1,159
Rep:
Didn't get, what are you trying to say?
10-04-2010, 07:10 AM
#6
Senior Member
Registered: Apr 2007
Location: Bangalore, India
Distribution: RHEL,SuSE,CentOS,Fedora,Ubuntu
Posts: 1,386
Original Poster
Rep:
Quote:
Originally Posted by
prayag_pjs
Didn't get, what are you trying to say?
I am trying to say that only when I add the port and IP in the client's browser do Internet packets come to the client, which can be done without adding any rules to iptables.
I want the packets to come to the client machine without mentioning the port (3128) and IP (192.168.200.1) in the client's browser.
10-04-2010, 07:16 AM
#7
Member
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638
Rep:
10-04-2010, 07:40 AM
#8
Senior Member
Registered: Apr 2007
Location: Bangalore, India
Distribution: RHEL,SuSE,CentOS,Fedora,Ubuntu
Posts: 1,386
Original Poster
Rep:
Quote:
Originally Posted by
sem007
I have already checked this and it's not working at all.
10-04-2010, 07:56 AM
#9
Member
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638
Rep:
What is your client's default gateway?
Also post the squid config and iptables rules:
Code:
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
# iptables -t nat -L
Regards,
Last edited by sem007; 10-04-2010 at 07:58 AM .
Reason: add command
10-04-2010, 08:04 AM
#10
Senior Member
Registered: Apr 2007
Location: Bangalore, India
Distribution: RHEL,SuSE,CentOS,Fedora,Ubuntu
Posts: 1,386
Original Poster
Rep:
Quote:
Originally Posted by
sem007
what is your client's default gateway ?
also post squid config and iptables
Code:
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
# iptables -t nat -L
Regards,
1st
Code:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl viznet src 192.168.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow viznet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
2nd
Code:
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.0.100:3128
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
10-04-2010, 08:06 AM
#11
Member
Registered: Aug 2007
Location: INDIA
Distribution: CentOS, RHEL, Fedora, Debian, Ubuntu, LinuxMint, Kali Linux, Raspbian
Posts: 166
Rep:
Are you able to ping any server( ping google.com) from your client?
10-04-2010, 08:09 AM
#12
Senior Member
Registered: Apr 2007
Location: Bangalore, India
Distribution: RHEL,SuSE,CentOS,Fedora,Ubuntu
Posts: 1,386
Original Poster
Rep:
Quote:
Originally Posted by
kaushalpatel1982
Are you able to ping any server( ping google.com) from your client?
No ,
10-04-2010, 08:13 AM
#13
Member
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638
Rep:
Where is the acl rule and http_access rule for the 192.168.200.0 network?
Quote:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
Why did you create multiple acls with the same name?
Regards,
10-04-2010, 08:43 AM
#14
Senior Member
Registered: Apr 2007
Location: Bangalore, India
Distribution: RHEL,SuSE,CentOS,Fedora,Ubuntu
Posts: 1,386
Original Poster
Rep:
Quote:
Originally Posted by
sem007
where is acl rule and http_access rule for 192.168.200.0 network?
Why you create multiple acl with same name?
Regards,
Sorry that was the output of another linux box.
Quote:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
acl mylan src 192.168.200.0/24
http_access allow mylan
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
And I am using Squid version 3, in which these entries are present by default.
Last edited by divyashree; 10-04-2010 at 08:45 AM .
10-04-2010, 09:29 AM
#15
Member
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638
Rep:
Add both IPs to the acl rule in squid.conf:
Code:
acl mylan src 192.168.0.100 192.168.200.0/24
Enable IP forwarding:
Code:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
Flush the existing firewall rules and apply the new ones:
Code:
#iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -A FORWARD -i eth1 -j ACCEPT
#iptables -A INPUT -i eth1 -j ACCEPT
#iptables -A OUTPUT -o eth1 -j ACCEPT
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.100:3128
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Regards,
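As a worked example added here (not posted by anyone in the thread), the following POSIX shell script builds the transparent-proxy rule set the thread converges on, using the OP's interface names and addresses. It defaults to a dry run that only prints the rules so they can be reviewed before touching a live box; `run`, `apply_rules` and `count_rules_matching` are names chosen for this example.

```shell
#!/bin/sh
# Added example: transparent Squid rules for a two-interface CentOS box.
# Addresses and interfaces are the ones from the thread; adjust via environment.
set -eu

WAN_IF="${WAN_IF:-eth0}"                  # Internet-facing (192.168.0.100 in the thread)
LAN_IF="${LAN_IF:-eth1}"                  # LAN-facing (192.168.200.1 in the thread)
LAN_NET="${LAN_NET:-192.168.200.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print each rule, 0 = execute (needs root)

# Print the command in dry-run mode, otherwise execute it verbatim.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
    # Start clean so leftovers from earlier attempts (like the OP's DNAT rules)
    # cannot shadow the new rules.
    run iptables -F
    run iptables -t nat -F
    # Without forwarding, non-HTTP LAN traffic never leaves the box at all.
    run sysctl -w net.ipv4.ip_forward=1
    # Only HTTP arriving on the LAN interface is redirected to the local Squid.
    # Nothing arriving on the Internet side is redirected, so the box is not
    # turned into a proxy reachable from outside.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    # Squid's own upstream fetches originate locally (OUTPUT chain), so they are
    # not caught by the PREROUTING rule above and no redirect loop forms.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Let LAN clients reach Squid, let replies in from the Internet, and forward
    # the rest of the LAN's traffic out while only allowing established flows back.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Count generated rule lines containing the pattern $1 (used to check the rule set).
count_rules_matching() {
    DRY_RUN=1 apply_rules | grep -c -- "$1"
}

# Run as "sh script.sh apply" to execute the rules; any other invocation prints them.
if [ "${1:-}" = "apply" ]; then DRY_RUN=0 apply_rules; else apply_rules; fi
```

Run it first without arguments and compare the printed rules against `iptables -t nat -L -n -v` after applying, so every redirected packet can be accounted for by the PREROUTING counters.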