[K12OSN] iptables and prerouting for squid

KJ ksj2010 at myrealbox.com
Wed Nov 17 18:56:12 UTC 2004


You are correct in that this server is the only connection to the other 
network.  I have a blue cable that comes from my router to the 
"external" NIC (eth1) on the LTSP/squid box, a black cable that runs 
from my "internal" NIC (eth0) on the LTSP/squid box to a hub and a 
yellow cable that runs from that hub to my LTSP client that is booting 
from the server.  Is that the correct way? It seemed logical to me.

As for the default route, how would I double check that?

Thanks again, I owe you huge!
KJ

CORY CARTWRIGHT wrote:

> These are working for me, and I even started from a
> fresh system last night and followed the directions I
> gave you.  
> Ok, one more question, I'm correct in saying that this
> server is the only Ethernet connection to the other
> network?  They are not on the same hubs? and their
> default route is this system?
> 
> The part that bothers me is that the clients' requests
> are being forwarded and masqueraded to the "external"
> interface.  This does not need to happen with a proxy.
> I think if you can find out how this is happening you
> can find your problem.  From your iptables-save output
> it does not look like this should be happening.  You
> should also be able to turn off forwarding (although I
> have not tried that).
> 
> Cory 
> --- KJ <ksj2010 at myrealbox.com> wrote:
> 
> 
>> I have followed your instructions to the letter to no avail.
>>
>> The thing that baffles me is that if I set the browser in the LTSP
>> terminal session to 127.0.0.1 port 3128 as the proxy it blocks sites as
>> promised, however the settings here do not.
>>
>> These settings are working for you and others for LTSP and
>> squid/squidguard running on the same box, yes?
>>
>> Thanks again!
>> KJ
>>
>> Cory Cartwright wrote:
>>
>>
>>> ok, was this all commented out manually?
>>> Were you typing in the PREROUTING command by hand or putting it in this
>>> script?
>>>
>>> If this is not what you have done I recommend the following:
>>> regenerate the iptables script using system-config-securitylevel,
>>> allowing for http, https, ssh and port 3128 and ftp if you have an ftp
>>> server.
>>>
>>> after this is done make a backup copy:  cp /etc/sysconfig/iptables
>>> /etc/sysconfig/iptables.old
>>>
>>> on the command line type:
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>>> --to-port 3128
>>>
>>> if this is accepted then you can type:
>>> iptables-save >/etc/sysconfig/iptables
>>>
>>> and finally restart iptables: /etc/init.d/iptables restart
>>>
>>> now using the system-config-securitylevel tool will overwrite this,
>>> that is why I like to write my own firewall script and place it into the
>>> startup.
>>>
>>> I apologize if you have done all of this and already know it.
>>> Cory
>>>
>>>
>>>
>>>
>>> On Tue, 2004-11-16 at 16:20, KJ wrote:
>>>
>>>
>>>> My turn to ask the dumb questions.  You mean the contents of
>>>> /etc/sysconfig/iptables right?
>>>> If so, it's below.
>>>> Thanks again!!!
>>>>
>>>> ----------------
>>>> # Firewall configuration written by system-config-securitylevel
>>>> # Manual customization of this file is not recommended.
>>>> #*filter
>>>> #:INPUT ACCEPT [0:0]
>>>> #:FORWARD ACCEPT [0:0]
>>>> #:OUTPUT ACCEPT [0:0]
>>>> #:RH-Firewall-1-INPUT - [0:0]
>>>> #-A INPUT -j RH-Firewall-1-INPUT
>>>> #-A FORWARD -j RH-Firewall-1-INPUT
>>>> #-A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>>> #-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
>>>> #-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>>>> #-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>>>> #-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>>>> #-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> #-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>>>> #-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> #COMMIT
>>>>
>>>> *nat
>>>> :PREROUTING ACCEPT [0:0]
>>>> -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>>> COMMIT
>>>> -----------------------
>>>>
>>>> On Tue, 2004-11-16 at 15:26, Cory Cartwright wrote:
>>
>>>>> to answer your last question, you are not changing the source address,
>>>>> so the request is still coming from the client, as far as the router is
>>>>> concerned.
>>>>>
>>>>> could you send your iptables script?
>>>>>
>>>>> Cory
>>>>> corycartwright at sbcglobal.net
>>>>>
>>>>>
>>>>> On Tue, 2004-11-16 at 15:12, KJ wrote:
>>>>>
>>>>>
>>>>>> Hey Cory,
>>>>>> Yes the clients are still being sent to the internet.  I am setup as such:
>>>>>> Server w/ eth0 (internal) setup with 192.168.0.254/255.255.255.0 and
>>>>>> DHCP'ing to the clients (only 1 currently connected).
>>>>>> same box w/ eth1 (external) connected to my internal network w/ a DHCP
>>>>>> assigned address from my router of 192.168.2.17/255.255.255.0
>>>>>> from your question I changed (briefly) my network to 10. etc. and
>>>>>> re-initialized the NIC, no change in behavior.
>>>>>>
>>>>>> I'm having a disconnect in my mind of how the logic of this works.  If I
>>>>>> have a Terminal session going to the LTSP/Squid server how is the
>>>>>> iptables entry supposed to route the traffic, doesn't the LTSP/Squid box
>>>>>> see the page requests as originating from itself and just plain route
>>>>>> them to the outside?
>>>>>>
>>>>>> Thanks!
>>>>>> KJ
>>>>>>
>>>>>> Cory Cartwright wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> the clients still get natted to the internet? What is the ip range for
>>>>>>> the other interface? Is it the same subnet?
>>>>>>>
>>>>>>>
>>>>>>> On Tue, 2004-11-16 at 13:38, KJ wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> I must have something setup incorrectly.  I used -s
>>>>>>>> 192.168.0.0/255.255.255.0 (and dropped the -i eth0) from the entry and
>>>>>>>> it's still not doing anything.
>>>>>>>>
>>>>>>>> I'm baffled.
>>>>>>>> Thanks for your insight.
>>>>>>>> KJ
>>>>>>>>
>>>>>>>>
>>>>>>>> Cory Cartwright wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> One easy way to tell is change your PREROUTING to filter based on source
>>>>>>>>> 17x.xxx.xxx.xxx/xx instead of -i
>>>>>>>>> good luck!
>>>>>>>>>
>>>>>>>>> Cory
>>>>>>>>>
>>>>>>>>> On Tue, 2004-11-16 at 11:11, KJ wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> I think it's a great question.  eth0 is my internal LAN.
>>>>>>>>>> My setup is that I have one LTSP box to serve my 10 computers.  It has
>>>>>>>>>> two LAN cards, one is connected to the thin clients and the other is
>>>>>>>>>> connected to my internal LAN (which the teachers are on) The LTSP
>>>>>>>>>> sessions are the ones that I am attempting to
> 
> === message truncated ===
> 
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
> 
> 
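As an added example that is not part of the thread, the shell lint below reads an /etc/sysconfig/iptables file in iptables-save format and checks the points argued over above (the eth0 REDIRECT rule, stray masquerading, the commented-out *filter table), plus one the thread does not name: browsers in LTSP sessions run on the server itself, and locally generated packets traverse the nat OUTPUT chain, never PREROUTING. The interface and port numbers are the thread's; the sample file and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): lint an iptables-save style file for
# the transparent-squid setup above. eth0, 80 and 3128 are the thread's values.

# Constructed sample mirroring the posted /etc/sysconfig/iptables: the whole
# *filter table is commented out, only the nat REDIRECT rule is live.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# Firewall configuration written by system-config-securitylevel
#*filter
#:INPUT ACCEPT [0:0]
#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
#COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
EOF

# 0 if the live nat rule redirecting HTTP arriving on eth0 into squid exists
# (iptables-save writes --to-ports; the thread typed --to-port).
has_redirect_rule() {
    grep -Eq '^-A PREROUTING .*-i eth0 .*-p tcp .*--dport 80 .*-j REDIRECT --to-ports? 3128' "$1"
}

# 0 if a nat OUTPUT REDIRECT exists. LTSP-session browsers run on the server
# itself; locally generated packets traverse nat OUTPUT, never PREROUTING.
has_local_redirect_rule() {
    grep -Eq '^-A OUTPUT .*-p tcp .*--dport 80 .*-j REDIRECT --to-ports? 3128' "$1"
}

# 0 if a live POSTROUTING rule masquerades/SNATs traffic. A proxy box does
# not need one, so finding one explains "clients still get natted".
has_masquerade_rule() {
    grep -Eq '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' "$1"
}

# 0 if an uncommented *filter table exists. Commented out, as in the posted
# file, INPUT and FORWARD fall back to policy ACCEPT: nothing is filtered.
filter_table_active() {
    grep -q '^\*filter$' "$1"
}
lint() {
    has_redirect_rule "$1"       || echo "FAIL: PREROUTING REDIRECT 80->3128 on eth0 missing"
    has_local_redirect_rule "$1" || echo "note: no nat OUTPUT REDIRECT; LTSP-session browsers bypass PREROUTING"
    has_masquerade_rule "$1"     && echo "note: MASQUERADE/SNAT present; a proxy box does not need it"
    filter_table_active "$1"     || echo "FAIL: no live *filter table; INPUT/FORWARD unfiltered"
    return 0
}
lint "$SAMPLE"
```

Run it against a real file with `lint /etc/sysconfig/iptables`; a nat OUTPUT REDIRECT would also need to exclude squid's own fetches (for example with the owner match) to avoid a loop.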