10-26-2007, 06:36 AM | #1 | Member | Registered: Sep 2004 | Location: Dubai, UAE | Distribution: RHL | Posts: 350
IPTABLES for squid (Transparent proxy)
I have a Linux machine which has internet failover + load balance along with Squid. Now the client machines have 2 options to access the internet: either directly (w/o Squid) or indirectly (with Squid). When using it indirectly, i.e. with Squid, the client machines need to configure their browsers to access Squid. I know that I can automate this task with iptables, but I WANT TO ONLY ALLOW A FEW IPS TO PASS THROUGH SQUID AND THE REST SHOULD HAVE A DIRECT INTERNET CONNECTION. Can this be done using iptables?
10-26-2007, 08:26 AM | #2 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Sure, just specify the IPs you want the rule to apply to. Example:
Code:
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-m iprange --src-range 192.168.1.112-192.168.1.156 \
-j REDIRECT --to-ports 3128
In this example, only the IPs in the 192.168.1.112-192.168.1.156 range would be transparently proxied.
10-26-2007, 08:39 AM | #3 | Member (Original Poster) | Registered: Sep 2004 | Location: Dubai, UAE | Distribution: RHL | Posts: 350
Thank you very much, will try it.
10-26-2007, 08:41 AM | #4 | Member (Original Poster) | Registered: Sep 2004 | Location: Dubai, UAE | Distribution: RHL | Posts: 350
Okay, 1 question: I have 3 NICs (say eth0, eth1, eth2) in my system. 2 of them (i.e. eth0, eth1) have direct ISP access, and the third NIC (i.e. eth2) is used by my internal LAN to access the internet; Squid is also configured on this 3rd NIC. So do I have to change that eth1 to eth2?
10-26-2007, 10:55 AM | #5 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Yeah, the interface you'd specify in this rule would be the LAN interface where Squid is listening.
10-26-2007, 11:59 AM | #6 | Member (Original Poster) | Registered: Sep 2004 | Location: Dubai, UAE | Distribution: RHL | Posts: 350
OK, thank you.
10-26-2007, 01:52 PM | #7 | Member (Original Poster) | Registered: Sep 2004 | Location: Dubai, UAE | Distribution: RHL | Posts: 350
That worked very fine, thanks again.
10-29-2007, 09:09 AM | #8 | Member (Original Poster) | Registered: Sep 2004 | Location: Dubai, UAE | Distribution: RHL | Posts: 350
If I want to use some IPs and some ranges, how do I issue the command? For example, I want to only pass these IPs through Squid: 192.168.1.55, 192.168.1.57, 192.168.1.59, the range 192.168.1.60-192.168.10.70 and another range 192.168.1.110-192.168.1.115, and give the rest of the IPs direct access to the internet.
Would the commands be:
For a range of IPs:
Quote:
iptables -t nat -A PREROUTING -p TCP -i eth1 \
-m iprange --src-range 192.168.1.60-192.168.1.70 192.168.1.110-192.168.1.115 \
-j REDIRECT --to-ports 3128
For individual IPs:
Quote:
iptables -t nat -A PREROUTING -p TCP -i eth1 \
-s 192.168.1.55 192.168.1.57 192.168.1.59 \
-j REDIRECT --to-ports 3128
Is it correct?
10-29-2007, 09:16 AM | #9 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote (Originally Posted by kool_kid):
If I want to use some IPs and some ranges, how do I issue the command? For example, I want to only pass these IPs through Squid: 192.168.1.55, 192.168.1.57, 192.168.1.59, the range 192.168.1.60-192.168.10.70 and another range 192.168.1.110-192.168.1.115, and give the rest of the IPs direct access to the internet.
I would do it like this:
Code:
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-m iprange --src-range 192.168.1.60-192.168.10.70 \
-j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-m iprange --src-range 192.168.1.110-192.168.1.115 \
-j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-s 192.168.1.55 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-s 192.168.1.57 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-s 192.168.1.59 -j REDIRECT --to-ports 3128
Last edited by win32sux; 10-29-2007 at 09:18 AM.
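The reply above shows why the rules come out one per host and one per range: `-s` and `--src-range` each take exactly one value, so a list of clients expands to a list of rules. The script below is an added example written for this page, not code from the thread, from Squid or from the iptables project. It assumes the LAN interface name eth2 and the Squid port 3128 from this thread, and a hypothetical IPTABLES variable so the generated rules can be previewed with IPTABLES=echo before they are loaded. It also rejects entries that are not plain dotted-quad hosts or ranges, so a mistyped list cannot turn into extra iptables options.

```shell
#!/bin/sh
# Added example (not from the thread): emit one PREROUTING REDIRECT rule per
# client entry, because "-s" and "--src-range" each take exactly one value.
# An entry is a single host (192.168.1.55) or a range (192.168.1.60-192.168.1.70).
# Set IPTABLES=echo to preview the rules instead of loading them (hypothetical knob).

# Accept only digits, dots and at most one dash, so a stray entry cannot
# smuggle extra options into the iptables command line.
valid_entry() {
    case "$1" in
        ''|*[!0-9.-]*) return 1 ;;   # empty, or contains something other than digits, dots, dashes
        *-*-*)         return 1 ;;   # more than one dash is not a range
        *)             return 0 ;;
    esac
}

# Usage: gen_redirect_rules LAN_IF SQUID_PORT entry [entry ...]
gen_redirect_rules() {
    lan_if="$1"; squid_port="$2"; shift 2
    for entry in "$@"; do
        valid_entry "$entry" || { echo "bad entry: $entry" >&2; return 1; }
        case "$entry" in
            *-*) match="-m iprange --src-range $entry" ;;   # a range: use the iprange match
            *)   match="-s $entry" ;;                       # a single host
        esac
        # $match is left unquoted on purpose so it expands to separate arguments.
        "${IPTABLES:-iptables}" -t nat -A PREROUTING -p tcp -i "$lan_if" --dport 80 \
            $match -j REDIRECT --to-ports "$squid_port"
    done
}

# Number of rules an entry list expands to; a quick sanity check, since it
# should equal the number of entries you passed in.
count_redirect_rules() {
    lan_if="$1"; squid_port="$2"; shift 2
    ( IPTABLES=echo; gen_redirect_rules "$lan_if" "$squid_port" "$@" ) | wc -l | tr -d ' '
}

# Preview the thread's list for LAN interface eth2 with Squid on port 3128.
if [ "${1:-}" = "--demo" ]; then
    ( IPTABLES=echo; gen_redirect_rules eth2 3128 \
        192.168.1.55 192.168.1.57 192.168.1.59 \
        192.168.1.60-192.168.1.70 192.168.1.110-192.168.1.115 )
fi
```

Run it with `--demo` to see the five rules printed; drop the IPTABLES=echo wrapper (and run as root) to load them. The preview step matters in practice: a range typed with the wrong octet, like 192.168.10.70 instead of 192.168.1.70, silently redirects a much larger block of addresses than intended.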
10-29-2007, 09:18 AM | #10 | Member (Original Poster) | Registered: Sep 2004 | Location: Dubai, UAE | Distribution: RHL | Posts: 350
Okay, thanks, I will try it out the same way as you did.
10-29-2007, 09:19 AM | #11 | Member (Original Poster) | Registered: Sep 2004 | Location: Dubai, UAE | Distribution: RHL | Posts: 350
If I don't mention that dport 80, will it redirect all the ports to my Linux machine?
10-29-2007, 09:54 AM | #12 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote (Originally Posted by kool_kid):
If I don't mention that dport 80, will it redirect all the ports to my Linux machine?
Yes (TCP ports).
10-29-2007, 10:01 AM | #13 | Member (Original Poster) | Registered: Sep 2004 | Location: Dubai, UAE | Distribution: RHL | Posts: 350
So if I also want to redirect the UDP ports, what should be the command?
10-29-2007, 10:59 AM | #14 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote (Originally Posted by kool_kid):
So if I also want to redirect the UDP ports, what should be the command?
You could eliminate the "-p TCP" match - that would catch all protocols (you'll need to have removed the --dport match for that to work). Or you could just add a set of almost-identical rules with the only difference being that they use "-p UDP" instead. Keep in mind that a great deal of non-HTTP traffic won't be able to be transparently proxied by Squid, so sending all packets to REDIRECT is just wishful thinking. If your goal is to get a tight grip on all the outgoing connections from these IPs, you need to step in with your firewall rules.
Last edited by win32sux; 10-29-2007 at 11:07 AM.
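The closing point of this reply, that traffic Squid cannot proxy has to be handled by ordinary firewall rules rather than by REDIRECT, can be shown with a small FORWARD-chain policy for the proxied clients. This is an added example written for this page, not code from the thread or from the iptables project. It assumes the LAN interface name eth2 from the thread, that port-80 traffic from these clients is already REDIRECTed to Squid on the same box in PREROUTING (so it is delivered locally and never reaches FORWARD), that the clients' DNS resolver sits beyond the gateway, and a hypothetical IPTABLES variable for previewing with IPTABLES=echo.

```shell
#!/bin/sh
# Added example (not from the thread): fence the proxied clients in the FORWARD chain.
# Port-80 packets from these clients were already REDIRECTed to the local Squid in
# PREROUTING, so they are delivered locally and never traverse FORWARD. What does
# reach FORWARD is everything else (UDP, other TCP ports), which Squid cannot
# proxy, so it is allowed or dropped explicitly here.
# Set IPTABLES=echo to preview instead of loading (hypothetical knob).

# Usage: proxied_client_policy LAN_IF entry [entry ...]
# An entry is a single host (192.168.1.55) or a range (192.168.1.60-192.168.1.70).
proxied_client_policy() {
    lan_if="$1"; shift
    ipt="${IPTABLES:-iptables}"
    for entry in "$@"; do
        case "$entry" in
            ''|*[!0-9.-]*) echo "bad entry: $entry" >&2; return 1 ;;  # keep the argument list clean
            *-*) match="-m iprange --src-range $entry" ;;               # a range
            *)   match="-s $entry" ;;                                   # a single host
        esac
        # Name resolution still has to work for the browsers behind the proxy
        # (assumes the resolver is beyond this gateway).
        "$ipt" -A FORWARD -i "$lan_if" $match -p udp --dport 53 -j ACCEPT
        "$ipt" -A FORWARD -i "$lan_if" $match -p tcp --dport 53 -j ACCEPT
        # Anything else from these clients is either a protocol Squid cannot carry
        # or an attempt to go around the proxy: log it (rate limited so one chatty
        # host cannot flood the log) and drop it.
        "$ipt" -A FORWARD -i "$lan_if" $match -m limit --limit 6/min -j LOG --log-prefix "proxy-bypass: "
        "$ipt" -A FORWARD -i "$lan_if" $match -j DROP
    done
}

# Rules generated per entry: 2 ACCEPT (DNS) + 1 LOG + 1 DROP = 4.
count_policy_rules() {
    lan_if="$1"; shift
    ( IPTABLES=echo; proxied_client_policy "$lan_if" "$@" ) | wc -l | tr -d ' '
}

# Preview the policy for one host and one range on the LAN interface eth2.
if [ "${1:-}" = "--demo" ]; then
    ( IPTABLES=echo; proxied_client_policy eth2 192.168.1.55 192.168.1.60-192.168.1.70 )
fi
```

The LOG rule is what makes the policy useful beyond blocking: the kernel log then shows which proxied client tried which port, which is the evidence you want when a machine that should be confined to the proxy starts talking to the internet on other ports. Keep the DNS exceptions as narrow as your resolver placement allows; if the gateway runs its own resolver, those two ACCEPT rules are not needed at all.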
10-29-2007, 11:45 AM | #15 | Member (Original Poster) | Registered: Sep 2004 | Location: Dubai, UAE | Distribution: RHL | Posts: 350
Okay, I got it. Thank you very much for all your help.