LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-13-2006, 02:30 PM   #1
pthegreat
LQ Newbie
 
Registered: Jan 2006
Location: Miami
Distribution: RH ES4
Posts: 12

Rep: Reputation: 0
iptables port80 forward and snat


I have a RH ES4 box with 3 eth.ports and safesquid installed.
Safesquid listens on port 8080.
Eth0 = 1.1.1.1 (Internet connection)
Eth1 = 2.2.2.2
Eth2 = 192.168.1.1 (needs to be sNATted)

How do I setup iptables to:

1- Snat traffic coming in on eth2
2- port forward http traffic coming in on eth1 to port 8080 (so it will hit the safesquid running on the box)

Thanks for any help.
Peter.
 
Old 01-14-2006, 09:33 AM   #2
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
I think this will help you learn

http://www.linuxhomenetworking.com/w...Using_iptables
 
Old 01-14-2006, 09:51 AM   #3
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
How about something like:

$IPTABLES -A INPUT -i eth1 -p tcp --sport 80 --dport 8080 -j ACCEPT


Just to get you started; I can't tell you exactly for your setup.

snat?

Last edited by micxz; 01-14-2006 at 09:52 AM.
 
Old 01-16-2006, 04:30 PM   #4
pthegreat
Original Poster
I don't think this will work.
$IPTABLES -A INPUT -i eth1 -p tcp --sport 80 --dport 8080 -j ACCEPT
I'm just starting with IPtables, and correct me if I'm wrong, but I think what this line does is change source port 80 to destination port 8080. What I need to do is redirect destination port 80 to destination port 8080 on the local box, which is a proxy.

I guess I didn't explain myself enough in my initial email; my eth0 is connected to the internet with a static public IP, 1.1.1.1. Eth1 connects to a group of users and has another static public IP (different subnet) 2.2.2.2; no NAT is required. For these users the proxy needs to work in transparent mode. I found an IPtables entry for that purpose;
I quote:
"The REDIRECT target is used to redirect packets and streams to the machine itself. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid, on our own host. Locally generated packets are mapped to the 127.0.0.1 address. In other words, this rewrites the destination address to our own host for packets that are forwarded, or something alike. The REDIRECT target is extremely good to use when we want, for example, transparent proxying, where the LAN hosts do not know about the proxy at all.

Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains, and nowhere else. The REDIRECT target takes only one option, as described below.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080"

My problem with this is that it seems to use NAT (or am I wrong?). And I don't want this traffic to be NATted.

The 2nd thing I want is that users connected on eth2 will be sNATted to eth0. eth0 has a private static IP 192.168.1.1/24. These users will use the proxy by using the proxy settings in their web browser to use port 8080. So I don't need to use the transparent setting as described earlier.

Is this possible?
 
Old 01-16-2006, 04:40 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
sounds like you want something like this:
Code:
#!/bin/sh

IPT="/sbin/iptables"

INET_IFACE="eth0"
INET_IP="1.1.1.1"

LAN1_IFACE="eth1"

LAN2_IFACE="eth2"

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/ip_forward

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN1_IFACE --dport 8080 \
-m state --state NEW -j ACCEPT

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#$IPT -A FORWARD -i $LAN1_IFACE -o $INET_IFACE \
#-m state --state NEW -j ACCEPT

$IPT -A FORWARD -i $LAN2_IFACE -o $INET_IFACE \
-m state --state NEW -j ACCEPT

$IPT -t nat -A PREROUTING -p TCP -i $LAN1_IFACE \
--dport 80 -j REDIRECT --to-ports 8080

$IPT -t nat -A POSTROUTING -o $INET_IFACE \
-j SNAT --to-source $INET_IP

echo "1" > /proc/sys/net/ipv4/ip_forward
of course this is just my so you'd need to edit and tighten it to suit your needs...

Last edited by win32sux; 01-16-2006 at 04:46 PM.
 
Old 01-16-2006, 09:03 PM   #6
micxz
er

iptables -t nat -A PREROUTING -i $INTERNAL_IFACE -p tcp --dport 80 -j REDIRECT --to-port 8080

http://www.tldp.org/HOWTO/TransparentProxy.html
 