LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-03-2009, 07:26 AM   #1
KarlRojero
LQ Newbie
 
Registered: May 2009
Posts: 10

Rep: Reputation: 0
Iptables help


Hello and a pleasant day to all of you.

I have an internet connection; the IP of my router is 192.168.1.1 (private). I set up Squid on my CentOS box and assigned the IP 192.168.1.2 to that PC. The proxy PC has 2 NIC cards, and I use the IP 192.168.0.2, port 3128, for Squid.


Question: how can I pass through using the proxy IP? Is there an iptables setting for that?


So that if I use another computer which has the IP 192.168.0.3, can I directly ping yahoo.com from that PC?

Please help me, and thank you.
 
Old 05-03-2009, 09:16 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Hi,

Welcome to LQ.

If you enable IP forwarding on what I'll call your server (the box with squid) and if its routing table is set correctly, then its default behavior will be to route incoming packets (that are not addressed to itself) to the appropriate place. So if a 192.168.0.x client requests something from the Internet, the request will be forwarded to your router. If you wish to block this access (for, say, http and/or https) then you will have to block this with rule(s) in the (iptables) FORWARD chain. Likewise, if you wish to redirect any http and/or https requests to squid (thereby making it a transparent proxy) then you can do so in the nat table's PREROUTING chain using the REDIRECT target. Anything that you don't block (DROP or REJECT) or REDIRECT will be passed along.

The other issue you might have is making sure return packets from the Internet get back to the original 192.168.0.x machine. There are two ways of handling this. You can either tell the router to route packets destined for 192.168.0.0/24 through your server or you can SNAT the outgoing packets (from 192.168.0.x to the Internet) such that they look like (to your router) they come from your server. (When the router sends the return packets to the server, the server will automatically "do the right thing" such that the packets get back to the originator.)

If you have never used iptables before, I think it would be a good idea to get an overview of it before you start creating rules, just to gain an appreciation of what you're doing. (And making mistakes less likely!) I would suggest looking at the packet-filtering-HOWTO and the NAT-HOWTO. And, of course, the iptables man page is always a handy reference. That said, the rules you might be interested in to do what I've said above might be similar to:

Code:
WAN_INT=<eth0 or eth1 as appropriate for access to your router>
LAN_INT=<eth0 or eth1 as appropriate for access to LAN>
LAN=192.168.0.0/24
WAN_IP=192.168.1.2

# Block forwarded http/https (only needed if you do not REDIRECT them below)
iptables -A FORWARD -p tcp --dport 80 -j DROP
iptables -A FORWARD -p tcp --dport 443 -j DROP
# Transparent proxy: http/https arriving from the LAN side goes to squid on 3128
iptables -t nat -A PREROUTING -i $LAN_INT -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i $LAN_INT -p tcp --dport 443 -j REDIRECT --to-ports 3128
# SNAT on the interface facing the router so replies come back to this box
iptables -t nat -A POSTROUTING -o $WAN_INT -s $LAN -j SNAT --to-source $WAN_IP
(If you use the PREROUTING rule(s), the corresponding FORWARD chain rule(s) are irrelevant.)


I've tried to give you a quick overview to give you a general understanding. I strongly encourage you to read the HOWTOs I mentioned before trying to implement. If you need more detail, feel free to post back specific questions.

Last edited by blackhole54; 05-03-2009 at 09:23 AM. Reason: Missing parenthesis
 
Old 05-03-2009, 07:30 PM   #3
KarlRojero
LQ Newbie
 
Registered: May 2009
Posts: 10

Original Poster
Rep: Reputation: 0
Yes sir, thank you for your reply. I'll read it ASAP and try to apply the rules. I'll post my feedback here. Thank you very much.
 
Old 05-03-2009, 08:10 PM   #4
KarlRojero
LQ Newbie
 
Registered: May 2009
Posts: 10

Original Poster
Rep: Reputation: 0
The reason I'm doing this is for them to use the proxy (Squid) 192.168.0.2:3128 to also access SSL port 25 and SSL port 995 in Outlook Express. They can surf using my proxy, but I cannot download mail coming through the SSL ports.

Am I on the correct path? Fixing iptables for the SSL port access as well? Thank you.
 
Old 05-04-2009, 03:29 AM   #5
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by KarlRojero View Post
Am I on the correct path? Fixing iptables for the SSL port access as well?
iptables can handle any filtering or REDIRECTing you wish. Anything that you don't block or REDIRECT should get sent to the Internet if you have IP forwarding enabled. If the packets originating from 192.168.0.x are not getting to the Internet, double check and make sure you have IP forwarding enabled. If you are using IPv4 (sorry, I am not up to speed on IPv6, although I would think it would be similar) you can enable IP forwarding in at least two different ways. The one I use is to add the following line to /etc/sysctl.conf (and make sure there isn't a line contradicting it!):

Code:
net.ipv4.ip_forward = 1
You can also (as root):

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
If you choose the second method you will need to include it in a script that gets executed at every boot.

I think you should be able to verify whether it is enabled with (as root):

Code:
sysctl -a | grep "ipv4.*forward"
I am not sure what the lines with "mc_forward" in them are for, but on my system the other lines are set to 1 (when enabled). However when I tried this, sysctl also put out some errors that I don't understand. But the basic information seemed to be there.

If you have IP forwarding enabled and the 192.168.0.x machines still are not able to directly connect to the Internet, my guess is the return packets aren't getting routed properly. Try adding an SNAT line like I showed above.

In any case, you should be able to troubleshoot what is going on with a packet sniffer such as tcpdump or wireshark.

Last edited by blackhole54; 05-04-2009 at 03:32 AM.
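Added example (not code posted by blackhole54 or KarlRojero): a script that puts together the pieces from post #2 (REDIRECT, FORWARD, SNAT) and post #5 (enabling and checking IP forwarding) for the setup described in post #1. The interface names are assumptions: eth0 is the side facing the router 192.168.1.1 and carries 192.168.1.2, eth1 is the 192.168.0.0/24 side where Squid listens on 3128. It goes a little beyond the thread's rules: only port 80 is intercepted and only when it arrives on the LAN interface, the FORWARD chain accepts LAN-originated traffic (so the unproxied mail ports 25 and 995 from post #4 pass through) and only established replies in the other direction, and with DRY_RUN=1 (the default) the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Assumed (hypothetical) layout: eth0 faces the router 192.168.1.1 and carries
# WAN_IP 192.168.1.2; eth1 faces the 192.168.0.0/24 LAN; Squid listens on 3128.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (run as root).
WAN_INT="${WAN_INT:-eth0}"
LAN_INT="${LAN_INT:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WAN_IP="${WAN_IP:-192.168.1.2}"
SQUID_PORT="${SQUID_PORT:-3128}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Report the kernel's IPv4 forwarding state. The real file is
# /proc/sys/net/ipv4/ip_forward; another path may be passed for testing.
ip_forward_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ ! -r "$f" ]; then
        echo "unknown"
        return 1
    fi
    case "$(cat "$f")" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Emit the rule set: forwarding on, LAN port-80 traffic intercepted by Squid,
# other LAN traffic forwarded, replies allowed back, SNAT towards the router.
proxy_rules() {
    # Runtime switch; persist it with net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
    run sysctl -w net.ipv4.ip_forward=1

    # Transparent proxy: only packets arriving on the LAN interface are redirected,
    # so nothing coming from the router side ever lands on Squid's port.
    run iptables -t nat -A PREROUTING -i "$LAN_INT" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # FORWARD: LAN -> WAN outbound (covers the unproxied mail ports 25/995),
    # WAN -> LAN only for replies to existing connections, drop everything else.
    run iptables -A FORWARD -i "$LAN_INT" -o "$WAN_INT" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_INT" -o "$LAN_INT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j DROP

    # SNAT on the router-facing interface: the router sees WAN_IP as the source,
    # replies come back to this box, and conntrack maps them to the LAN client.
    run iptables -t nat -A POSTROUTING -o "$WAN_INT" -s "$LAN_NET" \
        -j SNAT --to-source "$WAN_IP"
}

# Preview: sh proxy.sh        Apply: DRY_RUN=0 sh proxy.sh (as root)
printf 'ip_forward is currently: %s\n' "$(ip_forward_state)"
proxy_rules
```

The SNAT rule is placed on the router-facing interface on purpose: the packets that need their source rewritten are the ones leaving towards the router, and the DROP at the end of FORWARD means anything not explicitly allowed from the LAN, or not a reply to something the LAN started, never reaches the router.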
 