[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] we got DSL! :-)/Routing Discussion



I'm a bit over my head here, but I'll start the ball then others can
correct me...

I don't think you can do this.  You can certainly do pieces of it.
You are mixing application layer natting with routing issues.

Squid can listen on different ports via the http_port directive in
/etc/squid/squid.conf.

Various ports can be redirected to other destinations via the DNAT
capabilities of iptables.  However, I don't know if you can send it to
a different interface/gateway.

As a general rule, ip addresses route (the IP part of TCP/IP), ports
don't (TCP).  Ports can be forwarded to other ip's, but that is not the
same thing as routing.  Utilities like iptables enable you to change 
parts of the tcp/ip packet, but the underlying network must understand 
how to get the reply back to you.

One solution would be to have the teachers boxes default to the dsl
line. The telnet access could be done with a default route (since you 
know the destination ip).  You want the least restricted path to be the
default route.  Are your Linux boxes also your routers?

------------------------------------------------------------------------
Jim Wildman, CISSP                                      jim rossberry com
http://www.rossberry.com

On 31 Oct 2002, Barry Smoke wrote:

> This is actually a routing discussion...
> here is our predicament:
> 5 usable ip's on our dsl, 
> we are giving the bryantar.net domain to one of them, and throwing it on
> our webserver/e-mail server
> 
> another one, we want to put on our proxy, which is running iptables, and
> masquerading internal 10.x.x.x addresses through an ip address of
> 165.29.94.254(our existing state t-1 line)
> 
> now, we are a school, and we have to use filtering for the time being,
> along with APSCN (telnet) traffic having to go out our existing state
> t-1 line, so we can't just make our new dsl line the default route....
> 
> We want to be able to put in a proxy address with authentication into
> our administrative browsers, thus allowing us unlimited access to the
> internet through our dsl line(we will be playing with squidguard)
> but anyone else will be routed through the default t-1 line for
> internet...
> that I can tell, squid does not allow you to change the default route it
> uses, nor does it allow the change of the port, which would be better,
> because you could then write an iptables rule to catch all traffic to
> that port, and forward it to eth2(dsl), yet all other port 80 traffic
> through eth0
> 
> there is another catch:
> We also need to write iptables rules that catch certain destination
> addresses, and forward them through the new dsl line, instead of the
> t-1.  This is for sites that for one reason or another are not working
> with the state filter system, yet are essential to our teachers, and
> students(myskillstutor.com/skillstutor.com)
> 
> I guess squid is the key here....is it possible to change squid from
> using default route/port 80?
> 
> Any alternatives to squid?
> 
> hoping to keep squid, for use with squidguard....
> 
> Hoping to avoid using a seperate pc for squid....seems like a waste.
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> K12OSN mailing list
> K12OSN redhat com
> https://listman.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
> 





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]