[K12OSN] iptables and prerouting for squid

KJ ksj2010 at myrealbox.com
Wed Nov 17 13:38:16 UTC 2004


I have followed your instructions to the letter to no avail.

The thing that baffles me is that if I set the browser in the LTSP 
terminal session to 127.0.0.1 port 3128 as the proxy it blocks sites as 
promised, however the settings here do not.

These settings are working for you and others for LTSP and 
squid/squidguard running on the same box, yes?

Thanks again!
KJ

Cory Cartwright wrote:

> ok, was this all commented out manually?  
> Were you typing in the PREROUTING command by hand or putting it in this
> script?
> 
> If this is not what you have done I recommend the following:
> regenerate the iptables script using system-config-securitylevel,
> allowing for http, https, ssh and port 3128 and ftp if you have an ftp
> server.
> 
> after this is done make a backup copy:  cp /etc/sysconfig/iptables
> /etc/sysconfig/iptables.old
> 
> on the command line type:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
> --to-port 3128
> 
> if this is accepted then you can type:
> iptables-save >/etc/sysconfig/iptables
> 
> and finally restart iptables: /etc/init.d/iptables restart
> 
> 
> now using the system-config-securitylevel tool will overwrite this,
> that is why I like to write my own firewall script and place it into the
> startup.
> 
> I apologize if you have done all of this and already know it. 
> 
> Cory
> 
> 
> 
> 
> On Tue, 2004-11-16 at 16:20, KJ wrote:
> 
>>My turn to ask the dumb questions.  You mean the contents of
>>/etc/sysconfig/iptables right?
>>If so, it's below.  
>>Thanks again!!! 
>>
>>----------------
>># Firewall configuration written by system-config-securitylevel
>># Manual customization of this file is not recommended.
>>#*filter
>>#:INPUT ACCEPT [0:0]
>>#:FORWARD ACCEPT [0:0]
>>#:OUTPUT ACCEPT [0:0]
>>#:RH-Firewall-1-INPUT - [0:0]
>>#-A INPUT -j RH-Firewall-1-INPUT
>>#-A FORWARD -j RH-Firewall-1-INPUT
>>#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>#-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>>#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>>#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>#COMMIT
>>
>>*nat
>>:PREROUTING ACCEPT [0:0]
>>-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>COMMIT
>>-----------------------
>>
>>On Tue, 2004-11-16 at 15:26, Cory Cartwright wrote:
>>
>>>to answer your last question,  you are not changing the source address,
>>>so the request is still coming from the client, as far as the router is
>>>concerned.
>>>
>>>could you send your iptables script?
>>>
>>>Cory
>>>corycartwright at sbcglobal.net
>>>
>>>
>>>On Tue, 2004-11-16 at 15:12, KJ wrote:
>>>
>>>>Hey Cory,
>>>>Yes the clients are still being sent to the internet.  I am set up as such:
>>>>Server w/ eth0 (internal) setup with 192.168.0.254/255.255.255.0 and 
>>>>DHCP'ing to the clients (only 1 currently connected).
>>>>
>>>>same box w/ eth1 (external) connected to my internal network w/ a DHCP 
>>>>assigned address from my router of 192.168.2.17/255.255.255.0
>>>>
>>>>from your question I changed (briefly) my network to 10. etc. and 
>>>>re-initialized the NIC, no change in behavior.
>>>>
>>>>I'm having a disconnect in my mind of how the logic of this works.  If I 
>>>>have a Terminal session going to the LTSP/Squid server how is the 
>>>>iptables entry supposed to route the traffic, doesn't the LTSP/Squid box 
>>>>see the page requests as originating from itself and just plain route 
>>>>them to the outside?
>>>>
>>>>Thanks!
>>>>KJ
>>>>
>>>>Cory Cartwright wrote:
>>>>
>>>>
>>>>>the clients still get natted to the internet? What is the ip range for
>>>>>the other interface? Is it the same subnet?
>>>>>
>>>>>
>>>>>On Tue, 2004-11-16 at 13:38, KJ wrote:
>>>>> 
>>>>>
>>>>>
>>>>>>I must have something setup incorrectly.  I used -s 
>>>>>>192.168.0.0/255.255.255.0 (and dropped the -i eth0) from the entry and 
>>>>>>it's still not doing anything.
>>>>>>
>>>>>>I'm baffled.
>>>>>>Thanks for your insight.
>>>>>>KJ
>>>>>>
>>>>>>
>>>>>>Cory Cartwright wrote:
>>>>>>
>>>>>>>One easy way to tell is change your PREROUTING to filter based on source
>>>>>>>17x.xxx.xxx.xxx/xx instead of -i
>>>>>>>good luck!
>>>>>>>
>>>>>>>Cory
>>>>>>>
>>>>>>>On Tue, 2004-11-16 at 11:11, KJ wrote:
>>>>>>>
>>>>>>>>I think it's a great question.  eth0 is my internal LAN. 
>>>>>>>>
>>>>>>>>My setup is that I have one LTSP box to serve my 10 computers.  It has 
>>>>>>>>two LAN cards, one is connected to the thin clients and the other is 
>>>>>>>>connected to my internal LAN (which the teachers are on) The LTSP 
>>>>>>>>sessions are the ones that I am attempting to route into squidguard. 
>>>>>>>>
>>>>>>>>Maybe this is my problem, I have the requests coming in from the thin 
>>>>>>>>clients, the server thinks it is coming from itself and routes it out to 
>>>>>>>>the internet.  does that make sense?
>>>>>>>>
>>>>>>>>thanks again!
>>>>>>>>KJ
>>>>>>>>
>>>>>>>>Cory Cartwright wrote:
>>>>>>>>
>>>>>>>>>Sorry if this is a dumb question, but is eth0 your internal LAN? Maybe
>>>>>>>>>instead specify the address -s 172.x.x.x/xx  (put your subnet in) and
>>>>>>>>>remove -i eth0
>>>>>>>>>
>>>>>>>>>Cory
>>>>>>>>>
>>>>>>>>
>>>>>>>>_______________________________________________
>>>>>>>>K12OSN mailing list
>>>>>>>>K12OSN at redhat.com
>>>>>>>>https://www.redhat.com/mailman/listinfo/k12osn
>>>>>>>>For more info see <http://www.k12os.org>
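The redirect rule in the thread only applies to packets that arrive on a NIC from another host; an LTSP desktop session runs its browser on the server itself, so its requests are locally generated and pass through the nat OUTPUT chain, never PREROUTING. That is why pointing the browser at 127.0.0.1:3128 filters as expected while the PREROUTING rule does nothing. The following is an added example, not code from the thread or the K12OSN project; it assumes Squid runs as the local user "squid" and prints the rules a firewall script would carry for both cases:

```shell
#!/bin/sh
# Generate the nat-table rules for transparently redirecting HTTP into Squid
# on an LTSP server. Added example, not from the thread. Assumptions: the
# thin-client desktops run on the server itself, so their browser traffic is
# locally generated and passes through the nat OUTPUT chain (PREROUTING only
# sees packets that arrive on a NIC from another host); Squid runs as the
# local user "squid" (adjust to match your install).
#
# Usage: transparent_squid_rules <client-iface> <client-subnet> <squid-port> <squid-user>
#        transparent_squid_rules eth0 192.168.0.0/24 3128 squid | sh   # apply as root
transparent_squid_rules() {
    iface=$1; subnet=$2; port=$3; user=$4
    # Hosts with their own IP stack on the client LAN are routed through the
    # box, so their packets hit PREROUTING: this is the rule from the thread.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' \
        "$iface" "$subnet" "$port"
    # Squid's own upstream fetches are also locally generated; exempt them
    # first, or the catch-all below sends them back into Squid in a loop.
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner %s -j RETURN\n' "$user"
    # Everything else the box originates towards port 80 (the LTSP sessions)
    # goes to the local Squid listener.
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$port"
}

# Sanity check on the generated rule set: the owner exemption must come
# before the OUTPUT redirect, and the redirect must exist at all. Returns 0
# when both hold.
output_chain_is_sane() {
    transparent_squid_rules "$@" | awk '
        /-A OUTPUT .*--uid-owner/ && /-j RETURN/ { exempt = NR }
        /-A OUTPUT .*--dport 80 -j REDIRECT/     { redirect = NR }
        END { exit !(exempt && redirect && exempt < redirect) }'
}
```

Note that system-config-securitylevel regenerates /etc/sysconfig/iptables and drops rules added by hand, as the thread says, so rules like these belong in a script run at startup.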
