Ok, my goal is the following:
Have some PCs connect directly to the DSL router.
Have other PCs connect wirelessly through a proxy server on the LinuxBox that is running internet content filtering.
My layout looks like this:
I have a DSL connection to the internet. The DSL router assigns IP addresses dynamically.
There are three PCs that connect to that router: LinuxBox (wired through ETH0)
XP1 (wired)
XP2 (wireless)
I have a second Ethernet card (ETH1) in the LinuxBox that has a Linksys wired/wireless router.
I have two other machines (Mac and Wii) that have wireless capability, but I am not allowing them to connect through the DSL connection because they lack filtering. I prevent their connections by their MAC addresses (and all other MAC addresses) at the DSL router.
My proposed network looks like this:
Code:
                        Internet
                           |
                           |
                       DSL Router
                           |
                           |
          +----------------+----------------+
          |                |                |
    XP1 (wired)     XP2 (wireless)     LinuxBox (wired through ETH0)
                                       (TinyProxy and DansGuardian)
                                                |
                                                |
                                    ETH1 card wired to Linksys router
                                                |
                                   +------------+------------+
                                   |                         |
                         Nintendo Wii (wireless)     Macintosh (wireless)
Now on to the LinuxBox configuration...
My rc.inet1.config looks like this:
Quote:
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]="yes"
DHCP_HOSTNAME[0]=""
IPADDR[1]="192.168.1.150"
NETMASK[1]="255.255.255.0"
USE_DHCP[1]="no"
DHCP_HOSTNAME[1]=""
My ifconfig results look like this (with loopback removed):
Code:
eth0      Link encap:Ethernet  HWaddr <removed>:14
          inet addr:192.168.1.151  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6018 errors:0 dropped:0 overruns:1 frame:0
          TX packets:1783 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:770762 (752.6 KiB)  TX bytes:193021 (188.4 KiB)
          Interrupt:9 Base address:0xdc00

eth1      Link encap:Ethernet  HWaddr <removed>:50
          inet addr:192.168.1.150  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:418 errors:0 dropped:0 overruns:0 frame:0
          TX packets:389 errors:8 dropped:0 overruns:0 carrier:8
          collisions:0 txqueuelen:1000
          RX bytes:246620 (240.8 KiB)  TX bytes:67957 (66.3 KiB)
          Interrupt:3 Base address:0xd800
And my iptables look like this:
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 OWNER UID match 99
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 OWNER UID match 99
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 OWNER UID match 99
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 redir ports 8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 OWNER UID match 99
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 OWNER UID match 99
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 OWNER UID match 99
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 redir ports 8080
I suspect that I have some iptables rules to write but am not sure where to start. The iptables above are transparently redirecting any traffic (except traffic from user 99) that comes in for port 80 (http) to port 8080 (DansGuardian). It's not shown here, but DansGuardian connects to TinyProxy at port 3128. Also, there is a rule that keeps users from connecting directly to TinyProxy (3128) and redirects it to 8080 (DansGuardian).
I think that:
1) For some reason my rules are getting duplicated. I need to fix this.
2) These iptables rules are keeping me from connecting to my router (IP unknown) connected to ETH1 (192.168.1.150). Do I need to add a rule to allow connection to the router?
3) I need to add some rule(s) that forward connections received from the router (IP unknown) at ETH1 (192.168.1.150) to DansGuardian (port 8080).
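As an added example that is not part of the original post, the script below generates a full rule set for the layout the post describes: a flush before anything is added (so running the script twice cannot leave two copies of each rule), the uid-99 bypass placed ahead of the local REDIRECT, a PREROUTING redirect for traffic arriving on ETH1, and a filter policy that leaves DansGuardian as the only way out for the Linksys side. Everything beyond the post is an assumption and is marked as such in the code: that eth0 faces the DSL router and eth1 faces the Linksys router on its own subnet (192.168.2.0/24 is made up for the example), that DansGuardian listens on 8080 and TinyProxy on 3128 as uid 99, and that the LinuxBox may or may not run a resolver for the Linksys side. The interface names, the `emit` helper and the variable names are the example's own, not from DansGuardian, TinyProxy or Slackware.

```shell
#!/bin/sh
# Added example, not from the original post: build the nat/filter rules for a
# two-NIC transparent DansGuardian setup. Assumptions (not from the post):
# eth0 faces the DSL router, eth1 faces the Linksys router on its own subnet
# 192.168.2.0/24, DansGuardian listens on 8080, TinyProxy on 3128 as uid 99.
# By default the rules are only printed (IPT=emit); run as root with
# IPT=iptables to apply them.

emit() { printf '%s\n' "iptables $*"; }

IPT="${IPT:-emit}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"   # assumed subnet on the Linksys side
DG_PORT=8080      # DansGuardian (assumed from the post)
PROXY_PORT=3128   # TinyProxy
PROXY_UID=99      # uid the proxy runs as

build_rules() {
    # 1) Flush first: -A only ever appends, so a script that is run twice
    #    (e.g. from two rc files) leaves every rule twice. Flushing fixes that.
    $IPT -t nat -F
    $IPT -F INPUT
    $IPT -F FORWARD

    # 2) Locally generated traffic (nat OUTPUT). The proxy's own connections
    #    (uid 99) must be accepted BEFORE the REDIRECT or they loop back into
    #    DansGuardian. Web traffic to the Linksys subnet is exempted as well so
    #    the LinuxBox can reach the router's admin page directly (assumption:
    #    the router answers on port 80 inside LAN_NET).
    $IPT -t nat -A OUTPUT -p tcp -d "$LAN_NET" --dport 80 -j ACCEPT
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$PROXY_UID" -j ACCEPT
    $IPT -t nat -A OUTPUT -p tcp --dport "$PROXY_PORT" -m owner --uid-owner "$PROXY_UID" -j ACCEPT
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports "$DG_PORT"
    $IPT -t nat -A OUTPUT -p tcp --dport "$PROXY_PORT" -j REDIRECT --to-ports "$DG_PORT"

    # 3) Transparent redirect for the Wii/Mac arriving on eth1: port 80 goes to
    #    DansGuardian, and a direct attempt at TinyProxy is sent there too.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$DG_PORT"
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -j REDIRECT --to-ports "$DG_PORT"

    # 4) Filter table for eth1: accept the redirected connections and replies,
    #    optionally DNS if a resolver runs on the LinuxBox (assumption; without
    #    a resolver somewhere the clients cannot look up names), drop the rest
    #    so the filter cannot be bypassed.
    $IPT -A INPUT -i "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$DG_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j DROP

    # 5) No routing between the two NICs: with FORWARD dropped, the proxy is
    #    the only path from the Linksys side to the DSL router.
    $IPT -P FORWARD DROP
    : "$WAN_IF"   # eth0 needs no extra rules in this design
}

build_rules
```

After applying it, `iptables -t nat -L -n --line-numbers` should show each rule exactly once; a second run of the script reproduces the same listing because of the flush at the top. The ordering in nat OUTPUT is the part worth checking by eye: the `--uid-owner 99` ACCEPT lines have to sit above the REDIRECT lines, otherwise the proxy's outbound fetches are redirected back to itself.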