iptables forward to new chain

packets · 06-02-2010, 03:53 AM

I've created a iptables scripts wherein it will act as a gateway and redirect all port 80 to squid and block other ports. However, you would notice that 192.168.1.26 is exempted on squid and wasn't include on the port blocking. 192.168.1.26 can surf the net and can do p2p,torrent,etc.

Could anyone advise how could I make 192.168.1.30 access the Internet by bypassing port 80 redirection and can only connect to 110 and 143. Connecting to other ports should be block. I tried to create a new chain and feed 192.168.1.30 there but it seems it was block on all ports. I cannot query pop3 and imap but I could browse the Internet since I'm bypassing port 80 redirection

Here is my additional parameters that didn't work:

Quote:

iptables -N USERS
iptables -A USERS -p tcp --dport ! 110 -j REJECT
iptables -A USERS -p tcp --dport ! 143 -j REJECT
iptables -A FORWARD -p TCP -i $LAN_IN -s 192.168.1.30 --dport ! 80 -j USERS
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -s 192.168.1.30 --dport 80 -j ACCEPT

Here is my script without those commands above

Quote:

#!/bin/sh
SQUID_SERVER="192.168.0.21"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
UNIVERSE="0.0.0.0/0"
EXT_IPADDR="1.2.3.4"
UNPRIVPORTS="1024:65535"

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables -A FORWARD -p TCP -i $LAN_IN --dport ! 80 -s 192.168.1.26 -j ACCEPT
iptables -A FORWARD -p TCP -i $LAN_IN --dport ! 80 -s 0.0.0.0/0 -j REJECT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -s 192.168.1.26 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A INPUT -j DROP

win32sux · 06-02-2010, 06:45 AM

Quote:

Originally Posted by packets

Could anyone advise how could I make 192.168.1.30 access the Internet by bypassing port 80 redirection and can only connect to 110 and 143. Connecting to other ports should be block.

No need to build a chain. Example:

Code:

iptables -A FORWARD -p TCP -i $LAN_IN -o $INTERNET \
-s 192.168.1.30 -m multiport --dports ! 143,110,80 -j REJECT

iptables -t nat -A PREROUTING -i $LAN_IN -s 192.168.1.30 -j ACCEPT

Make sure this PREROUTING rule goes before your REDIRECT one.

As a side note, don't you think all this inverted matching just makes stuff more confusing than it should be? BTW, you should look into setting your FORWARD policy to DROP, and only allowing packets in states RELATED and ESTABLISHED from the Internet side, as it doesn't seem like you're running any services there. You could then remove this inverted match in my example and change the target to ACCEPT.