[K12OSN] iptables and prerouting for squid

KJ ksj2010 at myrealbox.com
Tue Nov 16 21:20:36 UTC 2004


My turn to ask the dumb questions.  You mean the contents of
/etc/sysconfig/iptables, right?
If so, it's below.
Thanks again!!!

----------------
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
#*filter
#:INPUT ACCEPT [0:0]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
#:RH-Firewall-1-INPUT - [0:0]
#-A INPUT -j RH-Firewall-1-INPUT
#-A FORWARD -j RH-Firewall-1-INPUT
#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
#COMMIT

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
-----------------------

On Tue, 2004-11-16 at 15:26, Cory Cartwright wrote:
> To answer your last question, you are not changing the source address,
> so the request is still coming from the client, as far as the router is
> concerned.
> 
> could you send your iptables script?
> 
> Cory
> corycartwright at sbcglobal.net
> 
> 
> On Tue, 2004-11-16 at 15:12, KJ wrote:
> > Hey Cory,
> > Yes, the clients are still being sent to the internet.  I am set up as such:
> > Server w/ eth0 (internal) set up with 192.168.0.254/255.255.255.0 and 
> > DHCP'ing to the clients (only 1 currently connected).
> > 
> > same box w/ eth1 (external) connected to my internal network w/ a DHCP 
> > assigned address from my router of 192.168.2.17/255.255.255.0
> > 
> > from your question I changed (briefly) my network to 10. etc. and 
> > re-initialized the NIC, no change in behavior.
> > 
> > I'm having a disconnect in my mind of how the logic of this works.  If I 
> > have a Terminal session going to the LTSP/Squid server how is the 
> > iptables entry supposed to route the traffic, doesn't the LTSP/Squid box 
> > see the page requests as originating from itself and just plain route 
> > them to the outside?
> > 
> > Thanks!
> > KJ
> > 
> > Cory Cartwright wrote:
> > 
> > >the clients still get natted to the internet? What is the ip range for
> > >the other interface? Is it the same subnet?
> > >
> > >
> > >On Tue, 2004-11-16 at 13:38, KJ wrote:
> > >
> > >>I must have something set up incorrectly.  I used -s 
> > >>192.168.0.0/255.255.255.0 (and dropped the -i eth0) from the entry and 
> > >>it's still not doing anything.
> > >>
> > >>I'm baffled.
> > >>Thanks for your insight.
> > >>KJ
> > >>
> > >>
> > >>Cory Cartwright wrote:
> > >>
> > >>
> > >>>One easy way to tell is to change your PREROUTING to filter based on source
> > >>>17x.xxx.xxx.xxx/xx instead of -i.
> > >>>good luck!
> > >>>
> > >>>Cory
> > >>>
> > >>>On Tue, 2004-11-16 at 11:11, KJ wrote:
> > >>>
> > >>>>I think it's a great question.  eth0 is my internal LAN. 
> > >>>>
> > >>>>My setup is that I have one LTSP box to serve my 10 computers.  It has 
> > >>>>two LAN cards, one is connected to the thin clients and the other is 
> > >>>>connected to my internal LAN (which the teachers are on).  The LTSP 
> > >>>>sessions are the ones that I am attempting to route into squidguard. 
> > >>>>
> > >>>>Maybe this is my problem: I have the requests coming in from the thin 
> > >>>>clients, the server thinks it is coming from itself and routes it out to 
> > >>>>the internet.  Does that make sense?
> > >>>>
> > >>>>thanks again!
> > >>>>KJ
> > >>>>
> > >>>>Cory Cartwright wrote:
> > >>>>
> > >>>>>Sorry if this is a dumb question, but is eth0 your internal LAN? Maybe
> > >>>>>instead specify the address -s 172.x.x.x/xx  (put your subnet in) and
> > >>>>>remove -i eth0.
> > >>>>>
> > >>>>>Cory
> > >>>>>
> > >>>>_______________________________________________
> > >>>>K12OSN mailing list
> > >>>>K12OSN at redhat.com
> > >>>>https://www.redhat.com/mailman/listinfo/k12osn
> > >>>>For more info see <http://www.k12os.org>
> > >
> > 
> 
> 
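An added example (editor's, not from the thread) of a nat table for the situation KJ describes: browsers in LTSP sessions run on the server itself, so their HTTP requests are locally generated and traverse the nat OUTPUT chain, never PREROUTING, which is why the posted rule matches nothing. It assumes Squid listens on port 3128 (as on the page), runs as the `squid` user, is configured to accept intercepted requests, and that 192.168.0.0/24 is the thin-client subnet from KJ's message.

```iptables
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Locally generated traffic (LTSP session browsers run on this host) goes
# through OUTPUT, not PREROUTING.  First let Squid's own outbound fetches
# pass untouched; redirecting them would send them back to Squid in a loop.
# Assumption: Squid runs under the uid "squid".
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j RETURN
# Do not intercept connections the host makes to itself.
-A OUTPUT -p tcp --dport 80 -d 127.0.0.0/8 -j RETURN
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
# Keep a PREROUTING rule for any real LAN host that uses this box as its
# gateway; match on the source subnet, as Cory suggested, rather than on
# the interface alone.  Assumption: 192.168.0.0/24 is the client subnet.
-A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
```

After loading it, the packet counters shown by `iptables -t nat -L OUTPUT -v -n` should rise when a page is fetched from an LTSP session; with the filter table commented out as in the pasted file, the host still accepts every inbound connection, and these nat rules do not change that.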
