Setting Up a User Defined Redirect IPtable Chain
Hi All,
I have setup my Ubuntu Linux 8.04.1 server to be my gateway router. This server is using public IP addresses on both the WAN and LAN interfaces. This means I AM NOT USING NAT. Therefore, my question is, how do I redirect http (port 80) traffic from the LAN interface to pass through the Squid port, before going out to the WAN interface since I am not using the NAT IPTable? I am only using the Filter IPTable for my firewall rules. I have read about creating a user-defined REDIRECT chain. Is that possible to do under the Filter IPTable. If so, how do I do that? Thanks in advance. Frank |
Quote:
Quote:
Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 Code:
iptables -A FORWARD -i eth1 -p tcp --dport 3128 -j ACCEPT |
Hi Osor,
Thanks for your help so far. I tried the two code statements. Right after running it, it seemed as if it worked because the squid access.log showed some lines as if squid worked for a few moments and then stopped. I noticed that after I ran the two commands, I could not see them in the iptables-save file. Do they get saved somewhere else? Find below a copy of my iptables-save file. You were right that my eth0 is the WAN interface, and eth1 is the LAN interface and that these two interfaces are on two separate public IP subnets. # Generated by iptables-save v1.3.8 on Thu May 7 21:53:15 2009 *nat :PREROUTING ACCEPT [59:5528] :POSTROUTING ACCEPT [54:5441] :OUTPUT ACCEPT [7:925] COMMIT # Completed on Thu May 7 21:53:15 2009 # Generated by iptables-save v1.3.8 on Thu May 7 21:53:15 2009 *mangle :FORWARD ACCEPT [0:0] :INPUT ACCEPT [0:0] :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT # Completed on Thu May 7 21:53:15 2009 # Generated by iptables-save v1.3.8 on Thu May 7 21:53:15 2009 *filter :FORWARD ACCEPT [0:0] :INPUT DROP [0:0] :OUTPUT ACCEPT [0:0] # Accept traffic from internal interfaces -A INPUT ! -i selected -j ACCEPT # Accept traffic with the ACK flag set -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT # Allow incoming data that is part of a connection we established -A INPUT -m state --state ESTABLISHED -j ACCEPT # Allow data that is related to existing connections -A INPUT -m state --state RELATED -j ACCEPT # Accept responses to DNS queries -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT # Accept responses to our pings -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT # Accept notifications of unreachable hosts -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT # Accept notifications to reduce sending speed -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT # Accept notifications of lost packets -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT # Accept notifications of protocol problems -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT # Allow connections to our SSH server -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # Allow connections to our IDENT server -A INPUT -p tcp -m tcp --dport auth -j ACCEPT # Respond to pings -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT # Allow DNS zone transfers -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT # Allow DNS queries -A INPUT -p udp -m udp --dport 53 -j ACCEPT # Allow SSL connections to webserver -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # Allow connections to mail server -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 25,587 # Allow connections to FTP server -A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT # Allow connections to POP3 server -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 110,995 # Allow connections to IMAP server -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 143,220,993 # Allow connections to Webmin -A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT # Allow connections to Usermin -A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT COMMIT # Completed on Thu May 7 21:53:15 2009 |
Quote:
Quote:
Judging by the timestamp of the output you gave me (four days ago), it looks to be just the file (unless your system clock is off). The output of the command might be more accurate. As for why your setup stopped working, there could be a few reasons. Did you properly configure squid to listen as a transparent proxy? Did you put the correct ip ranges in http_access allow? Maybe ubuntu server has a cronjob which periodically restores the startup iptables (I am unfamiliar with the specifics of ubuntu to know). Did you notice any other new log output (e.g., cache.log or store.log)? Also, judging by the output you gave me, the FORWARD chain already has an ACCEPT policy, but the INPUT chain doesn’t. So you may need to add the following so that squid can accept connections: Code:
iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT |
Osor,
Thank you. I have entered the iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT line and I have noticed that when I stop Squid, there is no Internet browsing, which confirms that Squid is working. I now want to show you the active firewall rules, I am just looking for the command. Frank |
Osor,
Thank you. I have entered the iptables -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT line and I have noticed that when I stop Squid, there is no Internet browsing, which confirms that Squid is working. I now want to show you the active firewall rules, I am just looking for the command. Frank |
Here it is...
> iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK ACCEPT all -- anywhere anywhere state ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535 ACCEPT icmp -- anywhere anywhere icmp echo-reply ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp time-exceeded ACCEPT icmp -- anywhere anywhere icmp parameter-problem ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:auth ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere tcp multiport dports smtp,submission ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp ACCEPT tcp -- anywhere anywhere tcp multiport dports pop3,pop3s ACCEPT tcp -- anywhere anywhere tcp multiport dports imap2,imap3,imaps ACCEPT tcp -- anywhere anywhere tcp dpts:webmin:10010 ACCEPT tcp -- anywhere anywhere tcp dpt:20000 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
Dear All,
I've just discovered that the Linux Firewall was actually not doing anything on this server. I disabled it to see whether no routing will take place, and even uninstalled zebra, but lo and behold! The server was still routing traffic and the clients have Internet connectivity. I also removed squid, but still the server is working. Now I'm confused, will I ever be able to use Squid? Find below the current IPtable config... > iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
Osor,
I have found out what the problem has been. It looks like using the IPTABLES command is what I am supposed to do, as opposed to using the Linux Firewall from Webmin. I disabled the Linux Firewall and started from scratch to rebuild the firewall rules using the IPTABLES command from the commandline. See below the fact that these two methods of setting up the firewall are slightly different, as reflected by the message I get when I go to the Linux Firewall from webmin, after entering some IPTABLES commands... "Linux Firewall Rules file /etc/iptables.up.rules Webmin has detected 1 IPtables firewall rules currently in use, which are not recorded in the save file /etc/iptables.up.rules. These rules were probably setup from a script, which this module does not know how to read and edit. If you want to use this module to manage your IPtables firewall, click the button below to convert the existing rules to a save file, and then disable your existing firewall script." So when I tried your suggested commands above, Squid started working again. However, this command still enables NAT and starts sharing 1 IP address... iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 Is there any other way you can advise to try and enable Squid, without enabling IP masquerading? |
Quote:
Quote:
Quote:
If you have real masquerading going on (in addition to a correctly working squid setup), it means that there are other rules at work. To find all the rules (not just in the filter table) in a convenient format do this:
|
Osor,
I think it is working fine now, thanks to your explanation that to port-redirect to squid, it will do NATing just for tcp traffic. Regards, Frank |
All times are GMT -5. The time now is 04:40 PM. |