01-13-2006, 02:30 PM
#1
LQ Newbie
Registered: Jan 2006
Location: Miami
Distribution: RH ES4
Posts: 12
iptables port80 forward and snat
I have a RH ES4 box with 3 ethernet ports and SafeSquid installed.
SafeSquid listens on port 8080.
Eth0 = 1.1.1.1 (Internet connection)
Eth1 = 2.2.2.2
Eth2 = 192.168.1.1 (needs to be SNATted)
How do I set up iptables to:
1- SNAT traffic coming in on eth2
2- port forward HTTP traffic coming in on eth1 to port 8080 (so it will hit the SafeSquid running on the box)
Thanks for any help.
Peter.
01-14-2006, 09:33 AM
#2
Member
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227
01-14-2006, 09:51 AM
#3
Senior Member
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131
How about something like:
$IPTABLES -A INPUT -i eth1 -p tcp --sport 80 --dport 8080 -j ACCEPT
Just to get you started; I can't tell you exactly for your setup.
snat?
Last edited by micxz; 01-14-2006 at 09:52 AM.
01-16-2006, 04:30 PM
#4
LQ Newbie
Registered: Jan 2006
Location: Miami
Distribution: RH ES4
Posts: 12
Original Poster
I don't think this will work.
$IPTABLES -A INPUT -i eth1 -p tcp --sport 80 --dport 8080 -j ACCEPT
I'm just starting with iptables, and correct me if I'm wrong, but I think what this line does is change source port 80 to destination port 8080. What I need to do is redirect destination port 80 to destination port 8080 on the local box, which is a proxy.
I guess I didn't explain myself enough in my initial email: my eth0 is connected to the internet with a static public IP, 1.1.1.1. Eth1 connects to a group of users and has another static public IP (different subnet), 2.2.2.2; no NAT is required. For these users the proxy needs to work in transparent mode. I found an iptables entry for that purpose;
I quote:
"The REDIRECT target is used to redirect packets and streams to the machine itself. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid, on our own host. Locally generated packets are mapped to the 127.0.0.1 address. In other words, this rewrites the destination address to our own host for packets that are forwarded, or something alike. The REDIRECT target is extremely good to use when we want, for example, transparent proxying, where the LAN hosts do not know about the proxy at all.
Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains, and nowhere else. The REDIRECT target takes only one option, as described below.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080"
My problem with this is that it seems to use NAT (or am I wrong?), and I don't want this traffic to be NATted.
The 2nd thing I want is that users connected on eth2 will be SNATted to eth0. eth0 has a private static IP 192.168.1.1/24. These users will use the proxy by using the proxy settings in their web browser to use port 8080, so I don't need to use the transparent setting as described earlier.
Is this possible?
01-16-2006, 04:40 PM
#5
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
sounds like you want something like this:
Code:
#!/bin/sh
IPT="/sbin/iptables"
INET_IFACE="eth0"
INET_IP="1.1.1.1"
LAN1_IFACE="eth1"
LAN2_IFACE="eth2"
# Turn on reverse-path filtering and keep forwarding off until the rules are loaded
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/ip_forward
# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
# Default policies: drop what comes in or is forwarded, allow what the box sends
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
# Accept replies to connections the box opened, and loopback
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# Accept new connections to the proxy port from the eth1 side
# (eth2 clients that point their browser at 8080 need the same rule for $LAN2_IFACE)
$IPT -A INPUT -p TCP -i $LAN1_IFACE --dport 8080 \
-m state --state NEW -j ACCEPT
# Forward replies, and new connections from eth2 out to the Internet
# (eth1 -> Internet forwarding is left disabled; eth1 users go through the proxy)
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A FORWARD -i $LAN1_IFACE -o $INET_IFACE \
#-m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $LAN2_IFACE -o $INET_IFACE \
-m state --state NEW -j ACCEPT
# Transparent proxy: send port 80 arriving on eth1 to the local proxy on 8080
$IPT -t nat -A PREROUTING -p TCP -i $LAN1_IFACE \
--dport 80 -j REDIRECT --to-ports 8080
# Rewrite the source of everything leaving eth0 to the public address
$IPT -t nat -A POSTROUTING -o $INET_IFACE \
-j SNAT --to-source $INET_IP
# Rules are in place; enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
Of course this is just my two cents, so you'd need to edit and tighten it to suit your needs...
Last edited by win32sux; 01-16-2006 at 04:46 PM.
01-16-2006, 09:03 PM
#6
Senior Member
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131
er
iptables -t nat -A PREROUTING -i $INTERNAL_IFACE -p tcp --dport 80 -j REDIRECT --to-port 8080
http://www.tldp.org/HOWTO/TransparentProxy.html
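The following is an added example, not code posted in this thread, that pulls together the pieces from posts #4, #5 and #6 into one rule set for the three-interface box described by the original poster. Two points the thread circles around are built in as checks. First, REDIRECT is a destination rewrite to the local host (it lives in the nat table, but it never changes the client's source address), so the 2.2.2.x users on eth1 are not NATted; the rule is tied to eth1 with `-i`, as micxz suggests, so nothing on eth2 is redirected. Second, the SNAT rule is scoped with `-s 192.168.1.0/24` rather than matching everything leaving eth0, so it can never rewrite the public-subnet side even if eth1 forwarding is enabled later. The 192.168.1.0/24 prefix for eth2 is assumed from the poster's "192.168.1.1/24"; the `build_rules`, `check_rules`, `rule_count` and `apply_rules` function names are my own. The rules are generated as text first so they can be reviewed and checked before anything touches the kernel; `apply` needs root and a working iptables.

```shell
#!/bin/sh
# Added example (not from the thread): rule set for the RH ES4 proxy box with
# eth0 = Internet, eth1 = public subnet (transparent proxy, no NAT) and
# eth2 = private subnet (SNAT, browsers pointed at the proxy explicitly).
# The 192.168.1.0/24 prefix is assumed from the poster's "192.168.1.1/24".

INET_IFACE="eth0"; INET_IP="1.1.1.1"          # Internet side
LAN1_IFACE="eth1"                             # 2.2.2.x users: transparent proxy, no NAT
LAN2_IFACE="eth2"; LAN2_NET="192.168.1.0/24"  # private users: SNAT + explicit proxy
PROXY_PORT="8080"                             # SafeSquid listener
IPT="${IPT:-/sbin/iptables}"

# Print one iptables argument list per line. Keeping the rule set as data
# separates "what we want" from "load it into the kernel".
build_rules() {
  cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN1_IFACE -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $LAN2_IFACE -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN2_IFACE -o $INET_IFACE -s $LAN2_NET -m state --state NEW -j ACCEPT
-t nat -A PREROUTING -i $LAN1_IFACE -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-t nat -A POSTROUTING -s $LAN2_NET -o $INET_IFACE -j SNAT --to-source $INET_IP
EOF
}

# Number of non-empty rule lines (11 for the set above).
rule_count() { build_rules | grep -c . ; }

# Checks a reviewer would want to see pass before the rules are loaded.
check_rules() {
  rules=$(build_rules)
  # REDIRECT rewrites only the destination (to this host), never the source,
  # so eth1 traffic is not NATted; it must be limited to eth1 and never hit eth2.
  echo "$rules" | grep -q -- "-A PREROUTING -i $LAN1_IFACE .* -j REDIRECT" || return 1
  echo "$rules" | grep -q -- "REDIRECT.*$LAN2_IFACE" && return 1
  # SNAT is scoped to the private subnet: a bare "-o eth0 -j SNAT" would also
  # rewrite the 2.2.2.x side if eth1 -> Internet forwarding were ever enabled.
  echo "$rules" | grep -q -- "-A POSTROUTING -s $LAN2_NET -o $INET_IFACE -j SNAT" || return 1
  # Both client sides must be able to reach the proxy listener: eth1 after the
  # REDIRECT lands on 8080, eth2 because browsers are pointed at 8080 directly.
  echo "$rules" | grep -q -- "-A INPUT -i $LAN1_IFACE -p tcp --dport $PROXY_PORT" || return 1
  echo "$rules" | grep -q -- "-A INPUT -i $LAN2_IFACE -p tcp --dport $PROXY_PORT" || return 1
  return 0
}

# Load the rule set. Forwarding stays off until every rule is in place, so no
# packet is forwarded through a half-built policy. Needs root and iptables.
apply_rules() {
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 0 > /proc/sys/net/ipv4/ip_forward
  for t in filter nat mangle; do "$IPT" -t "$t" -F; "$IPT" -t "$t" -X; done
  build_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # word-splitting the rule into arguments is intended
    "$IPT" $rule
  done
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-print}" in
  apply) apply_rules ;;
  check) check_rules && echo "rule set OK" ;;
  *)     build_rules ;;
esac
```

Run it with no argument to print the rules, with `check` to run the assertions, and with `apply` as root to load them. One consequence worth knowing, implied by the rule set rather than stated in the thread: only port 80 is redirected on eth1 and eth1-to-Internet forwarding is not enabled, so HTTPS and anything else from the 2.2.2.x users is dropped by the FORWARD policy until you decide how to handle it.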