[K12OSN] iptables and prerouting for squid
KJ
ksj2010 at myrealbox.com
Wed Nov 17 04:08:10 UTC 2004
Thanks Cory,
I actually commented it all out manually. I was trying to get to the
cleanest point to see if I could figure out what was wrong. I'll try
this out first thing.
thanks again!
KJ
Cory Cartwright wrote:
>ok, was this all commented out manually?
>Were you typing in the PREROUTING command by hand, or putting it in this
>script?
>
>If this is not what you have done I recommend the following:
>regenerate the iptables script using system-config-securitylevel,
>allowing for http, https, ssh and port 3128 and ftp if you have an ftp
>server.
>
>after this is done make a backup copy: cp /etc/sysconfig/iptables
>/etc/sysconfig/iptables.old
>
>on the command line type:
>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
>if this is accepted then you can type:
>iptables-save >/etc/sysconfig/iptables
>
>and finally restart iptables: /etc/init.d/iptables restart
>
>
>Now, using the system-config-securitylevel tool will overwrite this,
>that is why I like to write my own firewall script and place it into the
>startup.
>
>I apologize if you have done all of this and already know it.
>
>Cory
>
>On Tue, 2004-11-16 at 16:20, KJ wrote:
>
>>My turn to ask the dumb questions. You mean the contents of
>>/etc/sysconfig/iptables right?
>>If so, it's below.
>>Thanks again!!!
>>
>>----------------
>># Firewall configuration written by system-config-securitylevel
>># Manual customization of this file is not recommended.
>>#*filter
>>#:INPUT ACCEPT [0:0]
>>#:FORWARD ACCEPT [0:0]
>>#:OUTPUT ACCEPT [0:0]
>>#:RH-Firewall-1-INPUT - [0:0]
>>#-A INPUT -j RH-Firewall-1-INPUT
>>#-A FORWARD -j RH-Firewall-1-INPUT
>>#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>#-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>>#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>#COMMIT
>>
>>*nat
>>:PREROUTING ACCEPT [0:0]
>>-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>COMMIT
>>-----------------------
>>
>>On Tue, 2004-11-16 at 15:26, Cory Cartwright wrote:
>>
>>>To answer your last question: you are not changing the source address,
>>>so the request is still coming from the client, as far as the router is
>>>concerned.
>>>
>>>Could you send your iptables script?
>>>
>>>Cory
>>>corycartwright at sbcglobal.net
>>>
>>>On Tue, 2004-11-16 at 15:12, KJ wrote:
>>>
>>>
>>>>Hey Cory,
>>>>Yes, the clients are still being sent to the internet. I am set up as such:
>>>>Server w/ eth0 (internal) set up with 192.168.0.254/255.255.255.0 and
>>>>DHCP'ing to the clients (only 1 currently connected).
>>>>
>>>>same box w/ eth1 (external) connected to my internal network w/ a DHCP
>>>>assigned address from my router of 192.168.2.17/255.255.255.0
>>>>
>>>>from your question I changed (briefly) my network to 10. etc. and
>>>>re-initialized the NIC, no change in behavior.
>>>>
>>>>I'm having a disconnect in my mind about how the logic of this works. If I
>>>>have a terminal session going to the LTSP/Squid server, how is the
>>>>iptables entry supposed to route the traffic? Doesn't the LTSP/Squid box
>>>>see the page requests as originating from itself and just plain route
>>>>them to the outside?
>>>>
>>>>Thanks!
>>>>KJ
>>>>
>>>>Cory Cartwright wrote:
>>>>
>>>>>The clients still get NATed to the internet? What is the IP range for
>>>>>the other interface? Is it the same subnet?
>>>>>
>>>>>On Tue, 2004-11-16 at 13:38, KJ wrote:
>>>>>
>>>>>>I must have something set up incorrectly. I used -s
>>>>>>192.168.0.0/255.255.255.0 (and dropped the -i eth0) from the entry and
>>>>>>it's still not doing anything.
>>>>>>
>>>>>>I'm baffled.
>>>>>>Thanks for your insight.
>>>>>>KJ
>>>>>>
>>>>>>Cory Cartwright wrote:
>>>>>>
>>>>>>>One easy way to tell is to change your PREROUTING to filter based on source
>>>>>>>17x.xxx.xxx.xxx/xx instead of -i.
>>>>>>>Good luck!
>>>>>>>
>>>>>>>Cory
>>>>>>>
>>>>>>>On Tue, 2004-11-16 at 11:11, KJ wrote:
>>>>>>>
>>>>>>>>I think it's a great question. eth0 is my internal LAN.
>>>>>>>>
>>>>>>>>My setup is that I have one LTSP box to serve my 10 computers. It has
>>>>>>>>two LAN cards, one is connected to the thin clients and the other is
>>>>>>>>connected to my internal LAN (which the teachers are on). The LTSP
>>>>>>>>sessions are the ones that I am attempting to route into squidguard.
>>>>>>>>
>>>>>>>>Maybe this is my problem: I have the requests coming in from the thin
>>>>>>>>clients, the server thinks they are coming from itself and routes them out to
>>>>>>>>the internet. Does that make sense?
>>>>>>>>
>>>>>>>>thanks again!
>>>>>>>>KJ
>>>>>>>>
>>>>>>>>Cory Cartwright wrote:
>>>>>>>>
>>>>>>>>>Sorry if this is a dumb question, but is eth0 your internal LAN? Maybe
>>>>>>>>>instead specify the address -s 172.x.x.x/xx (put your subnet in) and
>>>>>>>>>remove -i eth0
>>>>>>>>>
>>>>>>>>>Cory
>>>>>>>>>
>>>>>>>>_______________________________________________
>>>>>>>>K12OSN mailing list
>>>>>>>>K12OSN at redhat.com
>>>>>>>>https://www.redhat.com/mailman/listinfo/k12osn
>>>>>>>>For more info see <http://www.k12os.org>
>>>>>>>>
>
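The ruleset KJ posted has every line of the *filter table commented out, so the only thing left live on the box is the *nat REDIRECT rule. The following Python script is an added example, not code from this thread or from the K12OSN project: it parses a ruleset in the iptables-save format (as found in /etc/sysconfig/iptables) the way iptables-restore reads it, reports whether the filter table is still active and carries a REJECT/DROP catch-all, and checks whether the nat PREROUTING rule redirecting tcp/80 to squid's port 3128 is present. Both rulesets embedded in it are constructed: the first reproduces the posted file (with the mail-wrapped "--dport 22" rule rejoined), the second is the same file with the filter table uncommented.

```python
"""Audit an iptables-save style ruleset such as /etc/sysconfig/iptables.

Added example, not from the thread: parses tables, chains and rules the way
iptables-restore reads them, so a table whose lines have been commented out
simply disappears, then reports on the filter table and the squid REDIRECT.
"""
from collections import OrderedDict

# Constructed sample: the ruleset KJ posted, with the *filter table commented
# out line by line and only the *nat table live. The mail client wrapped the
# "--dport 22 -j ACCEPT" rule across two lines; it is rejoined here.
POSTED_RULESET = """\
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
#*filter
#:INPUT ACCEPT [0:0]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
#:RH-Firewall-1-INPUT - [0:0]
#-A INPUT -j RH-Firewall-1-INPUT
#-A FORWARD -j RH-Firewall-1-INPUT
#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
#COMMIT

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
"""

# Constructed variant: the same file with the filter table restored (the two
# header comments, which start with "# ", stay comments).
RESTORED_RULESET = "\n".join(
    line[1:] if line.startswith(("#*", "#:", "#-A", "#COMMIT")) else line
    for line in POSTED_RULESET.splitlines()
) + "\n"


def parse_ruleset(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}.

    Comment lines ('#') are skipped exactly as iptables-restore skips them,
    which is why a commented-out table is reported as absent rather than as
    present with different content.
    """
    tables = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"policies": OrderedDict(), "rules": []}
            continue
        if current is None:
            raise ValueError("line outside of a *table block: %r" % line)
        if line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            tables[current]["policies"][chain] = policy
        elif line == "COMMIT":
            current = None
        else:
            tables[current]["rules"].append(line)
    return tables


def _opt(tokens, flag):
    """Value following an option flag in a tokenised rule, or None."""
    if flag not in tokens:
        return None
    i = tokens.index(flag)
    return tokens[i + 1] if i + 1 < len(tokens) else None


def find_redirects(tables, dport="80", to_port="3128"):
    """nat PREROUTING rules that REDIRECT TCP port dport to to_port."""
    nat = tables.get("nat", {"rules": []})
    hits = []
    for rule in nat["rules"]:
        t = rule.split()
        if (t[:2] == ["-A", "PREROUTING"] and _opt(t, "-j") == "REDIRECT"
                and _opt(t, "--dport") == dport and _opt(t, "--to-port") == to_port):
            hits.append(rule)
    return hits


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    tables = parse_ruleset(text)
    findings = []
    flt = tables.get("filter")
    if flt is None:
        findings.append("filter table absent (commented out?): the host accepts "
                        "every inbound packet")
    elif (flt["policies"].get("INPUT") != "DROP"
          and not any(_opt(r.split(), "-j") in ("REJECT", "DROP") for r in flt["rules"])):
        findings.append("filter table has no DROP/REJECT catch-all for INPUT")
    if not find_redirects(tables):
        findings.append("no nat PREROUTING rule redirecting tcp/80 to 3128: "
                        "transparent proxying via squid is not active")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("posted", POSTED_RULESET), ("restored", RESTORED_RULESET)):
        print(name, audit(ruleset) or ["ok"])
```

Run against a real file with `audit(open("/etc/sysconfig/iptables").read())`. The audit only tells you whether the rules are on disk; it does not tell you whether they match the traffic. The point KJ raises is the one to keep in mind there: a nat PREROUTING rule with `-i eth0` is consulted only for packets that arrive on eth0, so HTTP requests generated by programs running on the LTSP server itself never pass through it, since locally generated packets traverse the nat OUTPUT chain instead of PREROUTING.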