[K12OSN] iptables and prerouting for squid

KJ ksj2010 at myrealbox.com
Wed Nov 17 04:08:10 UTC 2004


Thanks Cory,
I actually commented it all out manually.  I was trying to get to the 
cleanest point to see if I could figure out what was wrong.  I'll try 
this out first thing.
thanks again!
KJ


Cory Cartwright wrote:

>ok, was this all commented out manually?
>Were you typing in the PREROUTING command by hand or putting it in this
>script?
>
>If this is not what you have done I recommend the following:
>regenerate the iptables script using system-config-securitylevel,
>allowing for http, https, ssh and port 3128 and ftp if you have an ftp
>server.
>
>after this is done make a backup copy:  cp /etc/sysconfig/iptables /etc/sysconfig/iptables.old
>
>on the command line type:
>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
>if this is accepted then you can type:
>iptables-save >/etc/sysconfig/iptables
>
>and finally restart iptables: /etc/init.d/iptables restart
>
>
>now using the system-config-securitylevel tool will overwrite this,
>that is why I like to write my own firewall script and place it into the
>startup.
>
>I apologize if you have done all of this and already know it. 
>
>Cory
>
>
>
>
>On Tue, 2004-11-16 at 16:20, KJ wrote:
>
>>My turn to ask the dumb questions.  you mean the contents of
>>/etc/sysconfig/iptables right?
>>If so, it's below.  
>>Thanks again!!! 
>>
>>----------------
>># Firewall configuration written by system-config-securitylevel
>># Manual customization of this file is not recommended.
>>#*filter
>>#:INPUT ACCEPT [0:0]
>>#:FORWARD ACCEPT [0:0]
>>#:OUTPUT ACCEPT [0:0]
>>#:RH-Firewall-1-INPUT - [0:0]
>>#-A INPUT -j RH-Firewall-1-INPUT
>>#-A FORWARD -j RH-Firewall-1-INPUT
>>#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>#-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>>#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>#COMMIT
>>
>>*nat
>>:PREROUTING ACCEPT [0:0]
>>-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>COMMIT
>>-----------------------
>>
>>On Tue, 2004-11-16 at 15:26, Cory Cartwright wrote:
>>
>>>to answer your last question, you are not changing the source address,
>>>so the request is still coming from the client, as far as the router is
>>>concerned.
>>>
>>>could you send your iptables script?
>>>
>>>Cory
>>>corycartwright at sbcglobal.net
>>>
>>>
>>>On Tue, 2004-11-16 at 15:12, KJ wrote:
>>>
>>>>Hey Cory,
>>>>Yes the clients are still being sent to the internet.  I am set up as such:
>>>>Server w/ eth0 (internal) set up with 192.168.0.254/255.255.255.0 and 
>>>>DHCP'ing to the clients (only 1 currently connected).
>>>>
>>>>same box w/ eth1 (external) connected to my internal network w/ a DHCP 
>>>>assigned address from my router of 192.168.2.17/255.255.255.0
>>>>
>>>>from your question I changed (briefly) my network to 10. etc. and 
>>>>re-initialized the NIC, no change in behavior.
>>>>
>>>>I'm having a disconnect in my mind of how the logic of this works.  If I 
>>>>have a Terminal session going to the LTSP/Squid server how is the 
>>>>iptables entry supposed to route the traffic, doesn't the LTSP/Squid box 
>>>>see the page requests as originating from itself and just plain route 
>>>>them to the outside?
>>>>
>>>>Thanks!
>>>>KJ
>>>>
>>>>Cory Cartwright wrote:
>>>>
>>>>>the clients still get natted to the internet? What is the ip range for
>>>>>the other interface? Is it the same subnet?
>>>>>
>>>>>
>>>>>On Tue, 2004-11-16 at 13:38, KJ wrote:
>>>>>
>>>>>>I must have something set up incorrectly.  I used -s 
>>>>>>192.168.0.0/255.255.255.0 (and dropped the -i eth0) from the entry and 
>>>>>>it's still not doing anything.
>>>>>>
>>>>>>I'm baffled.
>>>>>>Thanks for your insight.
>>>>>>KJ
>>>>>>
>>>>>>
>>>>>>Cory Cartwright wrote:
>>>>>>
>>>>>>>One easy way to tell is change your PREROUTING to filter based on source
>>>>>>>17x.xxx.xxx.xxx/xx instead of -i
>>>>>>>good luck!
>>>>>>>
>>>>>>>Cory
>>>>>>>
>>>>>>>On Tue, 2004-11-16 at 11:11, KJ wrote:
>>>>>>>
>>>>>>>>I think it's a great question.  eth0 is my internal LAN. 
>>>>>>>>
>>>>>>>>My setup is that I have one LTSP box to serve my 10 computers.  It has 
>>>>>>>>two LAN cards, one is connected to the thin clients and the other is 
>>>>>>>>connected to my internal LAN (which the teachers are on) The LTSP 
>>>>>>>>sessions are the ones that I am attempting to route into squidguard. 
>>>>>>>>
>>>>>>>>Maybe this is my problem, I have the requests coming in from the thin 
>>>>>>>>clients, the server thinks it is coming from itself and routes it out to 
>>>>>>>>the internet.  does that make sense?
>>>>>>>>
>>>>>>>>thanks again!
>>>>>>>>KJ
>>>>>>>>
>>>>>>>>Cory Cartwright wrote:
>>>>>>>>
>>>>>>>>>Sorry if this is a dumb question, but is eth0 your internal LAN? Maybe
>>>>>>>>>instead specify the address -s 172.x.x.x/xx  (put your subnet in) and
>>>>>>>>>remove -i eth0
>>>>>>>>>
>>>>>>>>>Cory
>>>>>>>>>
>>>>>>>>_______________________________________________
>>>>>>>>K12OSN mailing list
>>>>>>>>K12OSN at redhat.com
>>>>>>>>https://www.redhat.com/mailman/listinfo/k12osn
>>>>>>>>For more info see <http://www.k12os.org>
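The question KJ keeps coming back to in the thread (the LTSP sessions run on the server, so the server "thinks it is coming from itself") is the crux: a nat PREROUTING rule is traversed only by packets that arrive on an interface, while packets generated on the host itself go through the nat OUTPUT chain instead, so a PREROUTING-only REDIRECT never sees a browser running inside an LTSP session. The script below is an added example, not code from the thread, from KJ or Cory, or from the K12OSN project. It generates an iptables-restore file that redirects both kinds of HTTP traffic to Squid, excludes Squid's own connections from the OUTPUT redirect so they cannot loop back into Squid, restores a filter table in place of the one the pasted file had commented out, and audits a saved ruleset for the PREROUTING-only gap. The interface names eth0/eth1, the 192.168.0.0/24 subnet, the user name `squid` and the MASQUERADE rule are assumptions taken from or added to the thread's description.

```shell
#!/bin/sh
# Added example for the K12OSN thread above; not code from the list or its posters.
# Generates an iptables-restore file that sends port-80 traffic to a local Squid
# on 3128 in BOTH situations the thread touches on:
#   1. packets that ARRIVE from the thin-client subnet (nat PREROUTING), and
#   2. traffic generated on the server itself, which is what browsers inside
#      LTSP sessions produce: such packets never traverse PREROUTING, only the
#      nat OUTPUT chain, so a PREROUTING-only rule cannot catch them.
# It also audits an existing /etc/sysconfig/iptables for that gap.
# Interface names, subnet and Squid user are assumptions; adjust them.

LAN_IF=eth0                 # assumption: thin-client side, as in the thread
WAN_IF=eth1                 # assumption: side facing the router
LAN_NET=192.168.0.0/24      # assumption: thin-client subnet from the thread
SQUID_PORT=3128
SQUID_USER=squid            # assumption: the user Squid runs as

# gen_rules: print a complete iptables-restore file (filter + nat tables).
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
# LTSP boot/session services live on the client interface; accept them only
# from that subnet rather than "-i $LAN_IF -j ACCEPT" with no source check.
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Case 1: HTTP from the client subnet arrives on $LAN_IF -> PREROUTING.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Case 2: HTTP generated on this host (LTSP sessions) -> nat OUTPUT.
# Squid's own fetches must be excluded or they would loop back into Squid.
-A OUTPUT -m owner --uid-owner $SQUID_USER -j RETURN
-A OUTPUT -o lo -j RETURN
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Masquerade the client subnet on the way out (assumption: this box is the NAT).
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# audit_redirect FILE: exit 0 if the nat table redirects both arriving and
# locally generated HTTP; exit 1 with a reason otherwise.
# Lines starting with '#' are skipped, exactly as iptables-restore skips them.
audit_redirect() {
    awk '
        /^#/  { next }
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /^-A PREROUTING / && /-j REDIRECT/ { pre = 1 }
        table == "nat" && /^-A OUTPUT /     && /-j REDIRECT/ { out = 1 }
        END {
            if (!pre && !out) { print "no REDIRECT rule in the nat table"; exit 1 }
            if (pre && !out) {
                print "nat PREROUTING redirects arriving HTTP, but nothing redirects"
                print "HTTP generated on this host: LTSP sessions will bypass Squid"
                exit 1
            }
            print "nat REDIRECT covers arriving and locally generated HTTP"
        }' "$1"
}

# sample_thread_config: the file KJ pasted in the thread (filter table commented
# out), reproduced here as constructed test input for audit_redirect.
sample_thread_config() {
    cat <<'EOF'
# Firewall configuration written by system-config-securitylevel
#*filter
#:INPUT ACCEPT [0:0]
#-A INPUT -j RH-Firewall-1-INPUT
#COMMIT

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
EOF
}

# apply_rules: requires root. Back up the current file as the thread suggests,
# write the generated one, enable forwarding for the client subnet and load it.
apply_rules() {
    if [ -f /etc/sysconfig/iptables ]; then
        cp /etc/sysconfig/iptables /etc/sysconfig/iptables.old
    fi
    gen_rules > /etc/sysconfig/iptables
    sysctl -w net.ipv4.ip_forward=1
    iptables-restore < /etc/sysconfig/iptables
}

case "${1:-}" in
    show)  gen_rules ;;
    audit) audit_redirect "$2" ;;
    apply) apply_rules ;;
esac
```

`sh redirect.sh audit /etc/sysconfig/iptables` reports the gap on a file like the one KJ pasted; `show` prints the generated ruleset for review, and `apply` (as root) backs up the current file and loads the new one. Squid itself must be configured to accept intercepted connections on port 3128; the option name for that depends on the Squid version, so check the documentation of the release installed.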