LinuxQuestions.org
Old 03-10-2009, 06:45 AM   #1
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Rep: Reputation: 15
Apache server problem


I have set up the http.conf file with one live IP and one private (LAN) IP. I am also able to browse the HTTP server through both IPs.
The problem is that when trying to browse the live IP remotely, the default port 80 does not connect and the error shows connection refused. [...I think the ISP blocked the default port]. When I put in a different free upper port number, it works. But I have to specify it like http://<Live IP>:<Free port>.

Please help. I don't have a reverse proxy. So how can I NAT, if the HTTP server is connected directly to the Internet or if a firewall is in between?
 
Old 03-10-2009, 10:42 AM   #2
archangel_617b
Member
 
Registered: Sep 2003
Location: GMT -08:00
Distribution: Ubuntu, RHEL/CentOS, Fedora
Posts: 234

Rep: Reputation: 42
Quote:
Originally Posted by sanjee View Post
I have set up the http.conf file with one live IP and one private (LAN) IP. I am also able to browse the HTTP server through both IPs.
The problem is that when trying to browse the live IP remotely, the default port 80 does not connect and the error shows connection refused. [...I think the ISP blocked the default port]. When I put in a different free upper port number, it works. But I have to specify it like http://<Live IP>:<Free port>.

Please help. I don't have a reverse proxy. So how can I NAT, if the HTTP server is connected directly to the Internet or if a firewall is in between?
With your NAT, you are forwarding a port to port 80 on your webserver, right? Well you can just use any source port you want on the NAT (8080 or whatever) and still forward it to port 80 on your webserver. No magic required.

I hope this helps, maybe you can clarify the setup you are trying to get.

- Arch
 
Old 03-12-2009, 12:02 AM   #3
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Original Poster
Rep: Reputation: 15
I have already set the rules below for the internal squid:
-A PREROUTING -i <wan-IF> -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o <wan-IF> -j MASQUERADE

Now I have found the following link related to the port 80 problem.
https://www.linuxquestions.org/quest...3/#post1230399
...Please help me with how to NAT in this case, so that it will not harm the internal proxy.

Last edited by sanjee; 03-12-2009 at 12:08 AM.
 
Old 03-12-2009, 12:22 AM   #4
archangel_617b
Member
 
Registered: Sep 2003
Location: GMT -08:00
Distribution: Ubuntu, RHEL/CentOS, Fedora
Posts: 234

Rep: Reputation: 42
Quote:
Originally Posted by sanjee View Post
I have already set the rules below for the internal squid:
-A PREROUTING -i <wan-IF> -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o <wan-IF> -j MASQUERADE

Now I have found the following link related to the port 80 problem.
https://www.linuxquestions.org/quest...3/#post1230399
...Please help me with how to NAT in this case, so that it will not harm the internal proxy.
As per the post you linked, you're close, but you need to switch your dport and to-ports. The dport is the destination port coming into your router, so that should be 3128 and the to-port is the target port on your server, port 80.

- Arch
 
Old 03-12-2009, 12:27 AM   #5
archangel_617b
Member
 
Registered: Sep 2003
Location: GMT -08:00
Distribution: Ubuntu, RHEL/CentOS, Fedora
Posts: 234

Rep: Reputation: 42
Quote:
Originally Posted by archangel_617b View Post
As per the post you linked, you're close, but you need to switch your dport and to-ports. The dport is the destination port coming into your router, so that should be 3128 and the to-port is the target port on your server, port 80.

- Arch
Ah, wait, sorry, I misread your posts...

So you've got:

Some web user > Internet > ISP > router > web server

The ISP is blocking port 80? In that case, there is nothing you can do to allow the web user to access your web server on port 80. The best you can do is find some sort of web redirect service who will take requests at their site and then redirect the user to http://<Live IP>:<Free port>.

You may be able to get your DNS host to provide web redirects or possibly find a web host that lets you create a web page which redirects users.

Is this the problem?

- Arch
 
Old 03-12-2009, 12:55 AM   #6
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Original Poster
Rep: Reputation: 15
But if I put up any page which will redirect... in that case outside users need to browse like http://<Live IP>:<Free port>. It would not be good.

What I am thinking: any source (Internet user) requesting port 80 [i.e. my web server] will be NATed / redirected to my internal specified free port number.
But I am not getting a good iptables rule. Please help me.
 
Old 03-12-2009, 04:41 AM   #7
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Rep: Reputation: 148
Having seen your post, I have some further questions:
1. Are you running the proxy and web server on your system?
2. What do you mean by live IP?
3. Is this a global static IP?
If you have your own static global IP address, I assure you the ISP will open all ports.
4. What kind of Internet connection do you have (broadband, leased line, etc.)?
The Internet connection that you are using is a broadband connection; your broadband router will have a feature called virtual host (most broadband routers have this feature). By using this facility you can NAT your external and internal ports.

To redirect a port for incoming traffic, the iptables rules you mentioned are OK:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Normally -j DNAT is used, but -j REDIRECT seems not much different.

Last edited by kirukan; 03-12-2009 at 04:44 AM.
 
Old 03-12-2009, 05:15 AM   #8
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Original Poster
Rep: Reputation: 15
1> Yes, the proxy and web server are running on the same system.
2> It's a global static IP.
3> It's a broadband connection.

As I mentioned, my squid-related rules are as follows:
-A PREROUTING -i <wan-IF> -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o <wan-IF> -j MASQUERADE

If I use "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080"... would there be any problem for my proxy?
And shouldn't I mention the <ethernet interface> in the rule?

Last edited by sanjee; 03-12-2009 at 05:17 AM.
 
Old 03-12-2009, 05:34 AM   #9
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Original Poster
Rep: Reputation: 15
I am clarifying the facts...

eth0 -> Lan
eth1 -> Broadband with global static ip

As I mentioned, my squid-related rules are as follows:
-A PREROUTING -i <wan-IF> -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o <wan-IF> -j MASQUERADE

Now, my LAN users are able to browse the Apache server through the LAN IP / global static IP. They are able to browse through the global static IP and through port 80 because, I think, their gateway is the proxy gateway; and because of the same broadband connection, they do not have any problem regarding the port (because they are situated on the LAN).

But the problem is with connections other than the LAN. I have tested with another ISP. Here the connection to port 80 is refused. Here a different free port is needed to browse.

How do I NAT all incoming connections requested for port 80 on my Apache server to a different port specified in the httpd.conf file, so that outsiders can browse without specifying any port number?

Last edited by sanjee; 03-12-2009 at 05:45 AM.
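
Added example (not part of any post in this thread): a small shell model of first-match evaluation in the nat PREROUTING chain, applied to the squid rule and the port-8080 rule quoted above, to show how rule order and the -i match decide where a port-80 packet lands. The variable names and the case where `<wan-IF>` stands for eth1 are assumptions, and the model covers only packets that actually arrive at the box.

```shell
#!/bin/sh
# Constructed model of the nat PREROUTING chain: rules are tried top to bottom
# and the first matching REDIRECT decides the local port; no match leaves the
# port unchanged. Only -i, --dport and --to-port(s) are interpreted.

# nat_prerouting RULES IN_IFACE DPORT -> prints the local port the packet reaches
nat_prerouting() {
    np_rules=$1; np_if=$2; np_dport=$3; np_result=$3
    while IFS= read -r np_line; do
        np_want_if=; np_want_port=; np_to=
        set -- $np_line                      # split the rule into words
        while [ $# -gt 0 ]; do
            case $1 in
                -i)                   np_want_if=$2;   shift ;;
                --dport)              np_want_port=$2; shift ;;
                --to-port|--to-ports) np_to=$2;        shift ;;
                -A|-p|-m|-j)          shift ;;         # value not needed here
            esac
            shift
        done
        [ -n "$np_to" ] || continue
        [ -z "$np_want_if" ] || [ "$np_want_if" = "$np_if" ] || continue
        [ -z "$np_want_port" ] || [ "$np_want_port" = "$np_dport" ] || continue
        np_result=$np_to
        break
    done <<EOF
$np_rules
EOF
    echo "$np_result"
}

LAN=eth0; WAN=eth1      # interface roles as given in post #9
SQUID_LAN="-A PREROUTING -i $LAN -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128"
SQUID_WAN="-A PREROUTING -i $WAN -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128"
WEB_ANY="-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080"
WEB_WAN="-A PREROUTING -i $WAN -p tcp --dport 80 -j REDIRECT --to-port 8080"
NL='
'
APPENDED="$SQUID_LAN$NL$WEB_ANY"     # unscoped rule added with -A after squid's
INSERTED="$WEB_ANY$NL$SQUID_LAN"     # same rule added with -I, so it is first
WAN_SQUID="$SQUID_WAN$NL$WEB_ANY"    # assumption: squid rule bound to the WAN side
SCOPED="$WEB_WAN$NL$SQUID_LAN"       # each rule names its own interface

for set_name in APPENDED INSERTED WAN_SQUID SCOPED; do
    eval "rules=\$$set_name"
    echo "$set_name: LAN:80 -> $(nat_prerouting "$rules" "$LAN" 80)," \
         "WAN:80 -> $(nat_prerouting "$rules" "$WAN" 80)"
done
```

Only the orderings where the squid rule matches the LAN interface keep LAN browsing on 3128; in WAN_SQUID, port-80 connections from the Internet are handed to squid instead of Apache, and in INSERTED the LAN clients bypass the proxy.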
 
Old 03-12-2009, 06:24 AM   #10
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Rep: Reputation: 148
If you are running a transparent proxy and accessing the Internet without client-side (web browser) proxy configuration, you need to add this port redirect iptables rule (80--->3128 or the proxy listening port).
For a normal proxy setup there is no need for a port redirect in your Linux iptables, but you will have to NAT your global IP to your local IP at your router.

Last edited by kirukan; 03-12-2009 at 06:29 AM.
 
Old 03-12-2009, 06:53 AM   #11
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Original Poster
Rep: Reputation: 15
That means I have to modify the DSL modem configuration. There is no other way. Because, if I am not wrong, the connection is as follows:
Internet user -->>> DSL (modem-router) broadband connection -->>> global static IP (eth1) -->>> Linux httpd.conf file.
Here (in httpd.conf), if the port is 80, then the connection fails, or if it is another port, then the connection succeeds.

Is there any rule that can't be applied on Linux? I just want to know... otherwise I have to think about the DSL modem-router NAT feature.
Please help.

Last edited by sanjee; 03-12-2009 at 06:56 AM.
 
Old 03-12-2009, 07:22 AM   #12
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Original Poster
Rep: Reputation: 15
I have also used the rules mentioned below, but they FAIL

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port 80 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 80 -j ACCEPT

...which means a new rule is needed.
 
Old 03-12-2009, 10:39 AM   #13
archangel_617b
Member
 
Registered: Sep 2003
Location: GMT -08:00
Distribution: Ubuntu, RHEL/CentOS, Fedora
Posts: 234

Rep: Reputation: 42
Quote:
Originally Posted by sanjee View Post
But if I put up any page which will redirect... in that case outside users need to browse like http://<Live IP>:<Free port>. It would not be good.

What I am thinking: any source (Internet user) requesting port 80 [i.e. my web server] will be NATed / redirected to my internal specified free port number.
But I am not getting a good iptables rule. Please help me.

Any user on the Internet requesting port 80 on your live IP is getting blocked *before the packet gets to you* by your ISP, right? So a web user going to your live IP on port 80 is *never* going to reach you and that is an issue with your ISP. Get your ISP to fix this or else ditch them.

Your only other option is to direct users to some other online site which either provides a proxy or redirects them to your live IP and some non-standard port (8080 or whatever).

A rule on your firewall cannot help you with port 80 traffic because your ISP has already blocked them.


You also redirect internal / LAN users to your squid proxy before going to Internet sites and that is working, correct?

- Arch
 
Old 03-13-2009, 12:50 AM   #14
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Original Poster
Rep: Reputation: 15
Thank you for the nice response. I got your point. Now I am thinking of making a NAT entry in the DSL modem.
But if this fails [another option is to use any non-standard port (8080 or whatever)], then should I change my transparent proxy redirection? But if I remove the transparent proxy rules, then users will be able to browse all sites, because they will remove the entry from their local web browser settings.
Any suggestions on this are most welcome.
 
Old 03-13-2009, 03:37 AM   #15
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Rep: Reputation: 148
In the DSL modem, you can block outbound traffic on port 80 for your LAN network address and then allow outbound port 80 traffic only for the server IP address (you mentioned earlier that both the proxy and web server are running on one server). This way it is easy to force your LAN clients to use the proxy because they don't have direct Internet access. In your proxy you can block unwanted URLs.
 
  

