LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 10-04-2005, 08:26 AM   #1
ali_dd15
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Rep: Reputation: 0
routing by iptables


hi
i have a problem in squid,indeed i have configured it correctly and i can use it as a proxy but as soon as i redirect to port 3128 ,it gives wrong answers to customers .i have a AS 5300 cisco i want route to cache server and then to router 1841 .i have two NIC .one for invalid ip and the other for valid.
i should mention that i use fedora core3 .i used the following command in my iptables file
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
and proxy on
host virtual
header on
is there anyone who can tell me what is my mistake?
thank you
 
Old 10-06-2005, 01:32 PM   #2
thobck
LQ Newbie
 
Registered: Oct 2005
Location: Brazil
Posts: 2

Rep: Reputation: 0
Hi,

You've mention that you have a problem in the squid. Which problem is that?

Which specific error you've gotten ("...it gives wrong answers to customers...")?

Could you check if there are packages having match in your iptables rule? (iptables -t nat -A PREROUTING -L -n -v)


regards,

Thomas
 
Old 10-10-2005, 06:52 AM   #3
ali_dd15
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Original Poster
Rep: Reputation: 0
thanks for ur care
indeed,my cache server bring wrong pages for customers.for example u people asking for gmail and they see google ,or asking for msn and recieve a white page.of course it work correctly when i use access-list in my AS5300 but i do not want do cache in this way.i want all data packages go through cache and i want cache server act as a nat server too.but with access list it is impossible



regards
 
Old 10-10-2005, 02:27 PM   #4
newpenguin
Member
 
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219

Rep: Reputation: 30
kindly dscribe in some detail.

users get error on every request or on some specific websites?

what u do with access-lists on AS5300?

whats the gateway of as5300,linux? and how ur router sends traffic back to clients, via linux box or via as5300 ???
 
Old 10-11-2005, 05:11 AM   #5
ali_dd15
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Original Poster
Rep: Reputation: 0
hi
As i mentioned ,i want give ip route command to AS5300 to send all packages to the eth1 (invalid ip)to pass all data to the eth0(valid ip) and meanwhile redirect port 80 to 3128 and from eth0 to the gateway which is my router.
OF course when i ip route eth1 and i nat in AS5300,and use this command
iptables -t nat -A POSTROUTING -o eth1 -j SNAT to <valid ip>
all data packages go through machine without problem but as soon as i redirect it
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
cache box works but most of sites like msn ,gmail,blackfa,etc... do not work

Last edited by ali_dd15; 10-11-2005 at 07:08 AM.
 
Old 10-11-2005, 02:36 PM   #6
newpenguin
Member
 
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219

Rep: Reputation: 30
There is still a confusion in your reply. your are saying traffic entering in eth1 and going out of eth0 and you are posting commands opposite to it.

If the architecture is like this
As5300--->Eth0(Linux)Eth1---> Router

Eth0 and As5300 ethernet must use a private ip (as in your case you want )
Eth1 must have a live ip.
and commands must be like this

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
why not the ip of eth1 interface.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

normally if problem comes to sites like gmail,msn then its means there is ssl problem.it means only your port 80 traffic is getting nat using squid and others ports traffic is not getting nat because of your wrong command OR
may be you are using another ip on SNAT rather than the live ip of linux box.

thanks
 
Old 10-12-2005, 05:32 AM   #7
ali_dd15
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Original Poster
Rep: Reputation: 0
internet ----> tellabs modem ---->router 1841--->cache--->AS5300-->HDSL modem--->dial up users


Cache server
dial up customers (invalid ip)--> AS5300-->eth1(invalid ip) (cache box) eth0(valid ip)-->router 1841

my router and as 5300 have valid ip .so i hope that i have made the topology clear.i want give ip route to my as5300 to go through cache and there all port 80 redirect to 3128.in addition i want my cache server nat all customers (the work that now my as 5300 doing)

thanks for ur care

Last edited by ali_dd15; 10-12-2005 at 05:40 AM.
 
Old 10-12-2005, 06:15 AM   #8
newpenguin
Member
 
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219

Rep: Reputation: 30
do a simple thing.
give your AS5300 ethernet a invalid ip, stop nat on it.
for example

AS5300 ip = 192.168.0.1/24
Linux Eth1 = 192.168.0.2/24
Linux Eth0= any live ip
Router = any live ip

now on As5300
ip route 0.0.0.0 0.0.0.0 192.168.0.2

on linux
enable forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
default gateway = Router
router add default gw "ip of router"
also route your all invalid or valid ips of dialup users with next hop to 192.168.0.1 like if your dialup ip pool is 172.16.0.0/24

route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.0.1


on router , u need just a default route.remove previous added routes.
all traffic will be natted by linux box, router will route back reply to linux box automatically. as they are on same subnet.


thanks

Last edited by newpenguin; 10-12-2005 at 06:22 AM.
 
Old 10-13-2005, 05:33 AM   #9
ali_dd15
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Original Poster
Rep: Reputation: 0
i had tried ip route as u said but in this part i did not understand what u mean if it is possible explain it


" lso route your all invalid or valid ips of dialup users with next hop to 192.168.0.1 like if your dialup ip pool is 172.16.0.0/24

route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.0.1"

if u mean using " ip policy route cache" " set ip next-hop (valid cache ip)
i have tested it

thanks
 
Old 10-13-2005, 05:34 AM   #10
ali_dd15
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Original Poster
Rep: Reputation: 0
i had tried ip route as u said but in this part i did not understand what u mean if it is possible explain it


" lso route your all invalid or valid ips of dialup users with next hop to 192.168.0.1 like if your dialup ip pool is 172.16.0.0/24

route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.0.1"

if u mean using " ip policy route cache" " set ip next-hop (valid cache ip)
i have tested it
if it is possible explain these two lines.

thanks
 
Old 10-13-2005, 11:19 AM   #11
llbbl
LQ Newbie
 
Registered: Oct 2005
Distribution: RHEL
Posts: 19

Rep: Reputation: 0
If you want to route incoming traffic from one address to a specific port do you need two rules?

I am trying to do something similar. Should I post a new topic or append my question to this one? Ok since no one responded I will just append it.

***
I want to take all incoming TCP traffic from a specific IP address and route it to a different port. The purpose is to try and open a mysql connection across port 80. I looked up iptables and was wondering if what I have will work.

# iptables -A INPUT -p tcp -s <sourceIP> -sport 80 -dport 3306

based on information in this howto
http://www.linuxguruz.com/iptables/h...s-HOWTO-6.html


Last edited by llbbl; 10-13-2005 at 03:08 PM.
 
Old 10-13-2005, 03:00 PM   #12
newpenguin
Member
 
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219

Rep: Reputation: 30
Quote:
Originally posted by ali_dd15
i had tried ip route as u said but in this part i did not understand what u mean if it is possible explain it


" lso route your all invalid or valid ips of dialup users with next hop to 192.168.0.1 like if your dialup ip pool is 172.16.0.0/24

route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.0.1"

if u mean using " ip policy route cache" " set ip next-hop (valid cache ip)
i have tested it
if it is possible explain these two lines.

thanks
its simple how your linux machine will know where your dialup ip pools are located.
if you dont add their route in linux machine and tell it that these are located at As5300,
then reply will be forwarded to default router.your linux machine is acting just like a router.



ip policy route cache is not needed in your scenerio.as u want to pass all traffic from linux machine and nat it.
 
Old 10-13-2005, 03:02 PM   #13
newpenguin
Member
 
Registered: Sep 2002
Location: lahore pakistan
Distribution: slackware,redhat, FreeBSD,openbsd
Posts: 219

Rep: Reputation: 30
Quote:
Originally posted by llbbl
If you want to route incoming traffic from one address to a specific port do you need two rules?

I am trying to do something similar. Should I post a new topic or append my question to this one? Ok since no one responded I will just append it.

***
I want to take all incoming TCP traffic from a specific IP address and route it to a different port. The purpose is to try and open a mysql connection across port 80. I looked up iptables and was wondering if what I have will work.

# iptables -A INPUT -p tcp -s <sourceIP> -sport 80 -dport 3306

based on information in this howto
http://www.linuxguruz.com/iptables/h...s-HOWTO-6.html
nope u need

iptables -t nat -A PREROUTING -p tcp -s srcip --dport 80 -j REDIRECT --to-port 3306

and its not routing its nat/redirection
 
Old 10-13-2005, 03:16 PM   #14
llbbl
LQ Newbie
 
Registered: Oct 2005
Distribution: RHEL
Posts: 19

Rep: Reputation: 0
Thanks I will try that. I was looking in the tutorial and I found a good example of it here.

http://iptables-tutorial.frozentux.n...tml#DNATTARGET
 
Old 10-14-2005, 05:38 AM   #15
ali_dd15
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Original Poster
Rep: Reputation: 0
In /etc/sysctl.conf i have enabled
net.ipv4.ip forward=1
i add the two lines u mentined in iptables file
but i do not know any thing about ip pools and routing invalid ips of users with next hop
to 192.168.0.1?
if it is possible explain how i can route invalid ips of users with next hop?
i should mention that " ip local pool default 192.168.1.100 192.168.1.200" in my AS5300
and int fast ethernet 0
ip address 192.168.1.11 255.255.255.0 secondary
ip address (valid ip) (valid gw)

in linux box (eth1 )my ip is 192.168.1.3

AS i add that in terminal this appear
[root@localhost ~]# route add -net 192.168.1.100 255.255.255.0 secondary gw 192.168.1.11
Usage: inet_route [-vF] del {-host|-net} Target[/prefix] [gw Gw] [metric M] [[dev] If]
inet_route [-vF] add {-host|-net} Target[/prefix] [gw Gw] [metric M]
[netmask N] [mss Mss] [window W] [irtt I]
[mod] [dyn] [reinstate] [[dev] If]
inet_route [-vF] add {-host|-net} Target[/prefix] [metric M] reject
inet_route [-FC] flush NOT supported






thanks for your attention

Last edited by ali_dd15; 10-15-2005 at 07:48 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables routing CJ_Grobler Linux - Security 1 06-14-2005 02:13 AM
iptables and routing palhope Linux - Networking 2 07-10-2003 12:01 PM
iptables / routing hakcenter Linux - Networking 13 05-01-2003 04:16 AM
More Help routing with iptables LAR12345 Linux - Networking 2 02-02-2003 10:28 AM
routing with iptables Han_Solo Linux - Security 0 10-28-2001 06:04 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 12:09 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration