LinuxQuestions.org

Tuxqi 04-17-2009 06:05 PM

iptables for proxy server
 
OK, I've been searching online, and all the different pages have basically made me dizzy.

Forgive the crudeness of the drawing but this is how I am planning to set up the network:
http://img232.imageshack.us/img232/995/networkrough.jpg

So I would like help on what the correct iptables rules should be to allow internet through the LAN on eth0, so it can connect to the proxy/dansguardian/etc. and send it on to the router via eth1.


or am I making a mistake on how I am setting this up?

rossonieri#1 04-18-2009 10:55 AM

Hi,

No, the scenario is good. You just need an iptables redirection on the LAN interface to intercept the browser request and send it into the squidguard port.

Assuming your squidguard is on port 8080 and eth0 is the LAN interface (as root):
#/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Unless you know how to do interface bridging, I think the easiest method is to do a double NAT.

So, create another NAT on eth1:
#/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

HTH.

kirukan 04-18-2009 02:02 PM

Are you planning to set up your proxy as a transparent proxy? Then rossonieri#1's suggestion is OK; if not, I think you don't need this PREROUTING rule.

Tuxqi 04-18-2009 04:18 PM

Thanks for the replies. I will have to try this later when I've got some other things sorted.


Altough it all seems a bit to simple. I can mend PCs fine.. but networking is an area I'm not very knowledgeable at. Is there anything I am forgetting or don't know that I need to do to get this set up to work? Or is all I need the two iptable rules on the proxy server?

blackhole54 04-19-2009 01:25 AM

You *need* very little on the proxy server. If you wish, you can add filtering rules. I have one small quibble with rossonieri#1's post. When your IP addresses are stable (as yours appear to be -- contrasted with, for example, dialup) I believe it would be preferred to use SNAT instead of MASQUERADE. MASQUERADE will work, albeit less optimally. (See iptables' man page or the NAT-HOWTO.)
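As an added example (not posted by anyone in this thread), the POSIX sh script below assembles the whole rule set the replies describe for the layout in the question: LAN on eth0, router side on eth1, proxy on port 8080, with ip_forward enabled, FORWARD restricted to LAN-originated traffic, the proxy port closed toward the router side, and the SNAT-versus-MASQUERADE choice from blackhole54's post. The LAN subnet 192.168.1.0/24 and the static eth1 address are constructed placeholders; by default it only prints the commands, and "apply" runs them as root.

```shell
#!/bin/sh
# Added example, not from the thread: builds the transparent-proxy rule set the
# posts describe for a box with LAN on eth0, router side on eth1, proxy on 8080.
# The LAN subnet and the static eth1 address are constructed placeholders.
# Without arguments it only prints the commands; "apply" runs them (as root).

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
PROXY_PORT=${PROXY_PORT:-8080}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # constructed placeholder subnet
WAN_IP=${WAN_IP:-}                   # set to eth1's static address to get SNAT

# Print one command per line.
# Usage: gen_rules LAN_IF WAN_IF PROXY_PORT LAN_NET [WAN_IP]
gen_rules() {
    lan=$1 wan=$2 port=$3 net=$4 wanip=${5:-}
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Only forward LAN-originated traffic and its replies; drop everything else.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT"
    # The proxy port is reachable from the LAN only, never from the router side.
    echo "iptables -A INPUT -i $lan -s $net -p tcp --dport $port -j ACCEPT"
    echo "iptables -A INPUT -i $wan -p tcp --dport $port -j DROP"
    # Transparent interception: LAN port-80 requests land on the local proxy.
    echo "iptables -t nat -A PREROUTING -i $lan -s $net -p tcp --dport 80 -j REDIRECT --to-ports $port"
    # Source NAT toward the router: SNAT for a static address, MASQUERADE otherwise.
    if [ -n "$wanip" ]; then
        echo "iptables -t nat -A POSTROUTING -o $wan -s $net -j SNAT --to-source $wanip"
    else
        echo "iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE"
    fi
}

# Number of commands gen_rules would emit for the given arguments.
count_rules() { gen_rules "$@" | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then
    gen_rules "$LAN_IF" "$WAN_IF" "$PROXY_PORT" "$LAN_NET" "$WAN_IP" | while IFS= read -r cmd; do
        eval "$cmd"
    done
else
    gen_rules "$LAN_IF" "$WAN_IF" "$PROXY_PORT" "$LAN_NET" "$WAN_IP"
fi
```

Run it with `WAN_IP=<eth1 address> sh script.sh` to see the SNAT variant, and compare against `iptables -t nat -L -n -v` after applying.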


All times are GMT -5. The time now is 06:56 PM.