Outgoing Packet Redirection Using iptables (FC6)

neothephoenix · 04-04-2008, 10:35 AM

Hi LQ,

I need to redirect all tcp packets leaving my server at port 80 to another server at its port 8080. I need to use iptables for that but just wanted to confirm before giving the command:

# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j REDIRECT -d 10.10.1.45 --to-ports 8080
Just wanted to know if I'm giving the correct format. If not, can anyone spare the time to provide me with one.

Thanks in advance

datopdog · 04-04-2008, 02:13 PM

Thats incorrect the REDIRECT target only works in OUTPUT and PREROUTING chains.

You cannot redirect in POSTROUTING because the kernel has already taken the routing decision on where it is going to send the packet.

neothephoenix · 04-04-2008, 03:04 PM

Hi,
Let me be more specific.
I need to setup a squid proxy on FC6. My lan is 10.2.0.0/255.255.0.0
the open internet or IWSS machine is 10.75.1.5
Incoming http requests at port 8080, after getting authenticated via squid must go to the port 8080 of IWSS for internet access to happen. My proxy will be a non-transparent one, and all clients will send http requests to squid at port 8080 only.
Now, i need to modify the outgoing packets such that packets due to leave my proxy at port 80 hits IWSS at port 8080.
In other words, IWSS is like a proxy server to my squid proxy.

Any suggestions/help is hugely appreciated.

datopdog · 04-05-2008, 05:54 AM

Why dont you chain the squid server to the IWSS instead using ICP

neothephoenix · 04-05-2008, 08:33 AM

..... I don't quite follow you, datopdog.
Chain To iwss via icp?

Deleriux · 04-05-2008, 04:20 PM

What you probably want to do is this:

Code:

iptables -t nat -A PREROUTING -i interface_name_here -p tcp --dport 80 -j DNAT --to-destination 10.10.1.45:8080

neothephoenix · 04-11-2008, 10:24 AM

Hi LQ,
My approach was totally wrong, it seems squid server cannot be configure as a client to another proxy server and then cater to clients. So I first enabled a direct internet connection to the squid proxy itself and then I did a simple squid configuration, and it worked!
Here's my configuration:
eth0 10.75.1.80/255.255.0.0 gw 10.75.1.11 external Internet ip
eth1 10.2.1.40/255.255.0.0 gw 10.2.50.1 internal LAN ip
10.75.1.11 internet load balancer switch

route del -net default 10.2.50.1
route add -net default 10.75.1.11

enabled ip forwarding in sysctl.conf

/etc/squid/squid.conf

http_port 8080
hosts_file /etc/hosts
acl userlan src 10.2.0.0/255.255.0.0
http_access allow userlan

Now, my problem is squid is a bit slow to access. I'll search the LQ repo before starting a new thread.

Thanks all of you.

LQ Rocks!!!

datopdog · 04-11-2008, 10:53 AM

ICP is the internet cache protocol used by caches to build parent child relationships between caches meaning you could setup your cache as a child of the other IWSS cache.

neothephoenix · 04-25-2008, 07:20 AM

Quote:

Originally Posted by neothephoenix

Hi LQ,
My approach was totally wrong, it seems squid server cannot be configure as a client to another proxy server and then cater to clients. So I first enabled a direct internet connection to the squid proxy itself and then I did a simple squid configuration, and it worked!

Squid can be configured to direct all http requests to another proxy. I had to redirect all client http requests to an iwss proxy. Here's the relevant lines in my squid.conf which eventually did that:

http_port 8080
cache_peer iwss1 parent 8080 0
never_direct allow all

After that the iwss server must have port 8080 opened on its side and consequently, after a service squid restart it was working.