iptables port80 forward and snat

pthegreat · 01-13-2006, 02:30 PM

I have a RH ES4 box with 3 eth.ports and safesquid installed.
Safesquid listens on port 8080.
Eth0 = 1.1.1.1 (Internet connection)
Eth1 = 2.2.2.2
Eth2 = 192.168.1.1 (needs to be sNATted)

How do I setup iptables to:

1- Snat traffic coming in on eth2
2- port forward http traffic coming in on eth1 to port 8080 (so it will hit the safesquid running on the box)

Thanks for any help.
Peter.

~=gr3p=~ · 01-14-2006, 09:33 AM

I think this will help you learn

http://www.linuxhomenetworking.com/w...Using_iptables

micxz · 01-14-2006, 09:51 AM

How about something like:

$IPTABLES -A INPUT -i eth1 -p tcp --sport 80 --dport 8080 -j ACCEPT

just to get you started I can't tell you exactly for your setup.

snat?

pthegreat · 01-16-2006, 04:30 PM

I don't think this will work.
$IPTABLES -A INPUT -i eth1 -p tcp --sport 80 --dport 8080 -j ACCEPT
I'm just starting with IPtables, and correct me if i'm wrong, but I think what this line does is changing source port 80 to destination port 8080. What I need to do is redirect destination port 80 to destination port 8080 on the local box, which is a proxy.

I guess I didn't explain myself enough in my initial email.; my eth0 is connected to the internet with a static public IP, 1.1.1.1 . Eth1 connects to a group of users and has another static public IP (different subnet) 2.2.2.2, no NAT is required. for these users the proxy needs to work in transparent mode. I found an IPtables entry for that purpose;
I quote:
"The REDIRECT target is used to redirect packets and streams to the machine itself. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid, on our own host. Locally generated packets are mapped to the 127.0.0.1 address. In other words, this rewrites the destination address to our own host for packets that are forwarded, or something alike. The REDIRECT target is extremely good to use when we want, for example, transparent proxying, where the LAN hosts do not know about the proxy at all.

Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains, and nowhere else. The REDIRECT target takes only one option, as described below.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080"

My problem with this is that is seems to use NAT (or am I wrong?). And I don't want this traffic to be NATted.

2nd thing I want is that users connected on eth2 will be sNATted to eth0. eth0 has a private static IP 192.168.1.1/24. these users will use the proxy by using the proxy settings in their web browser to use port 8080. So I don't need to use the transparent setting as described earlier.

Is this possible?

win32sux · 01-16-2006, 04:40 PM

sounds like you want something like this:

Code:

#!/bin/sh

IPT="/sbin/iptables"

INET_IFACE="eth0"
INET_IP="1.1.1.1"

LAN1_IFACE="eth1"

LAN2_IFACE="eth2"

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/ip_forward

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN1_IFACE --dport 8080 \
-m state --state NEW -j ACCEPT

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#$IPT -A FORWARD -i $LAN1_IFACE -o $INET_IFACE \
#-m state --state NEW -j ACCEPT

$IPT -A FORWARD -i $LAN2_IFACE -o $INET_IFACE \
-m state --state NEW -j ACCEPT

$IPT -t nat -A PREROUTING -p TCP -i $LAN1_IFACE \
--dport 80 -j REDIRECT --to-ports 8080

$IPT -t nat -A POSTROUTING -o $INET_IFACE \
-j SNAT --to-source $INET_IP

echo "1" > /proc/sys/net/ipv4/ip_forward

of course this is just my

so you'd need to edit and tighten it to suit your needs...

micxz · 01-16-2006, 09:03 PM

er

iptables -t nat -A PREROUTING -i $INTERNAL_IFACE -p tcp --dport 80 -j REDIRECT --to-port 8080

http://www.tldp.org/HOWTO/TransparentProxy.html