[K12OSN] Help with iptables

Brian Chivers brian at portsmouth-college.ac.uk
Fri Dec 12 12:00:51 UTC 2008


James P. Kinney III wrote:
> Crud. Wrong chain and wrong target definition. see below
> On Thu, 2008-12-11 at 19:19 -0500, James P. Kinney III wrote:
>> On Thu, 2008-12-11 at 08:55 +0000, Brian Chivers wrote:
>>
>>> I'll try and draw a ASCII diagram, try being the word :-)
>>>
>>> Thinclients 10.0.0.x
>>>          |
>>>          |
>>>       Server 10.0.0.1
>>>              192.168.0.100
>>>          |
>>>          |
>>>       MAIN NETWORK (All servers on 192.168.0.x/16 - Proxy 192.168.0.80:8080)
>>>          |
>>>          |
>>>       Firewall (Green Network - 192.168.0.2)
>>> 	      (Orange DMZ - 172.16.0.x)
>>> 	      (Red - 212.219.x.x)
>>>          |
>>>          |
>>>        CISCO to Internet
>>>
>>> What I don't want is the thinclients to be able to access the internet WITHOUT the proxy, but I'd 
>>> like them to be able to access the DMZ machines without using the proxy.
>>>
>> Ah! Now I see what you are doing!
>> On the thin client server you need ALL web traffic NOT going to the DMZ
>> machine to go through the proxy
>>
> 
> CORRECTED
>> iptables -t nat -A PREROUTING -d ! 172.16.0.0/255.255.255.0 -p tcp -m
>> multiport --dports 80,443 -j DNAT --to-destination 192.168.0.80:8080
>>
>>
>>
>> -- 
>> James P. Kinney III          
>> CEO & Director of Engineering 
>> Local Net Solutions,LLC                           
>> http://www.localnetsolutions.com
>>
>> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
>> <jkinney at localnetsolutions.com>
>> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>>
>>

Thanks, that almost got it but put me on the correct path. I had to play around with the order of the 
rules so this one was first, then the other. I changed the rule so it didn't do any DNAT stuff, just 
accepted, so the contents of my iptables are below.

Thanks for everyone's input on this one. I've never played with iptables before but understand them 
a little more now; I say a little, and that's a little little more :-)

Brian

# Generated by iptables-save v1.3.5 on Fri Dec 12 11:54:40 2008
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d 172.16.0.0/16 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 172.16.0.0/16 --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.80:8080
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.80:8080
COMMIT
# Completed on Fri Dec 12 11:54:40 2008
# Generated by iptables-save v1.3.5 on Fri Dec 12 11:54:40 2008
*filter
:INPUT ACCEPT [35598:124514018]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35331:126241005]
COMMIT
# Completed on Fri Dec 12 11:54:40 2008
# Generated by iptables-save v1.3.5 on Fri Dec 12 11:54:40 2008
*mangle
:PREROUTING ACCEPT [35598:124514018]
:INPUT ACCEPT [35598:124514018]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35331:126241005]
:POSTROUTING ACCEPT [35331:126241005]
COMMIT
# Completed on Fri Dec 12 11:54:40 2008
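The thread turns on two things that are easy to get wrong in a nat PREROUTING chain: the chain is first-match, so the DMZ exemption (ACCEPT) has to sit above the DNAT rule, and the posted dump redirects only --dport 80, so port 443 traffic is not sent to the proxy at all. The following is an added example, not code from the thread: a small Python simulator that parses iptables-save style rule lines (only the options used above: -A, -p, -m, -d with either negation spelling, --dport/--dports, -j, --to-destination) and walks a packet through the chain, so the effect of rule order and port coverage can be checked offline without root or a real netfilter stack. The sample addresses (172.16.0.5 in the DMZ, 212.219.1.1 on the red side) and the WITH_443_NAT rule set are constructed for the example.

```python
"""Toy first-match simulator for the iptables nat PREROUTING chain.

Added example for the K12OSN thread; not part of the original post.
It handles only the subset of iptables options that appear in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class Rule:
    chain: str
    proto: Optional[str]                 # "tcp" or None for any protocol
    dst: Optional[object]                # ip_network or None for any address
    dst_negated: bool                    # True for "! -d net" or "-d ! net"
    dports: Optional[Set[int]]           # None for any destination port
    target: str                          # "ACCEPT" or "DNAT"
    to_dest: Optional[Tuple[str, Optional[int]]]  # DNAT --to-destination


def parse_rule(line: str) -> Rule:
    """Parse one iptables-save style '-A CHAIN ...' line (subset of options)."""
    toks = line.split()
    chain = proto = target = None
    dst, dst_negated, dports, to_dest = None, False, None, None
    negate_next = False
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!":                      # modern spelling: "! -d net"
            negate_next = True
            i += 1
            continue
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if t == "-A":
            chain = arg
        elif t == "-p":
            proto = arg
        elif t == "-m":
            pass                          # match-extension name; nothing to evaluate
        elif t == "-d":
            if arg == "!":                # iptables 1.3.x spelling: "-d ! net"
                negate_next = True
                i += 1
                arg = toks[i + 1]
            dst = ip_network(arg, strict=False)   # accepts /16 and /255.255.255.0
            dst_negated, negate_next = negate_next, False
        elif t in ("--dport", "--dports"):
            dports = {int(p) for p in arg.split(",")}
        elif t == "-j":
            target = arg
        elif t == "--to-destination":
            host, _, port = arg.rpartition(":")
            to_dest = (host, int(port)) if host else (arg, None)
        else:
            raise ValueError(f"unsupported token {t!r}")
        i += 2
    if chain is None or target is None:
        raise ValueError("rule needs -A CHAIN and -j TARGET")
    return Rule(chain, proto, dst, dst_negated, dports, target, to_dest)


def matches(rule: Rule, dst: str, dport: int, proto: str = "tcp") -> bool:
    """Does a TCP packet to dst:dport match this rule's selectors?"""
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dst is not None:
        in_net = ip_address(dst) in rule.dst
        if in_net == rule.dst_negated:    # a negated rule wants "not in net"
            return False
    if rule.dports is not None and dport not in rule.dports:
        return False
    return True


def run_chain(rules: Iterable[Rule], chain: str, dst: str, dport: int) -> Tuple[str, int]:
    """Walk CHAIN first-match style; return the packet's (dst, dport) afterwards."""
    for rule in rules:
        if rule.chain != chain or not matches(rule, dst, dport):
            continue
        if rule.target == "ACCEPT":       # terminating target: leave the packet alone
            return dst, dport
        if rule.target == "DNAT":
            host, port = rule.to_dest
            return host, (port if port is not None else dport)
        raise ValueError(f"unsupported target {rule.target}")
    return dst, dport                     # chain policy ACCEPT: packet unchanged


def final_destination(rule_lines: List[str], dst: str, dport: int) -> Tuple[str, int]:
    """Convenience wrapper: parse the rule text and run the nat PREROUTING chain."""
    return run_chain([parse_rule(line) for line in rule_lines], "PREROUTING", dst, dport)


# The nat PREROUTING rules from the posted iptables-save dump, in the posted order.
POSTED_NAT = [
    "-A PREROUTING -p tcp -m tcp -d 172.16.0.0/16 --dport 80 -j ACCEPT",
    "-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.80:8080",
]
# The same two rules reversed: the DMZ exemption is shadowed and never reached.
SWAPPED_NAT = list(reversed(POSTED_NAT))
# Constructed variant: one negated rule covering both web ports, as the reply suggested.
WITH_443_NAT = [
    "-A PREROUTING ! -d 172.16.0.0/16 -p tcp -m multiport --dports 80,443"
    " -j DNAT --to-destination 192.168.0.80:8080",
]

if __name__ == "__main__":
    # Constructed sample packets: one to a DMZ host, two to an outside host.
    for name, rules in [("posted", POSTED_NAT), ("swapped", SWAPPED_NAT), ("with 443", WITH_443_NAT)]:
        for dst, port in [("172.16.0.5", 80), ("212.219.1.1", 80), ("212.219.1.1", 443)]:
            print("%-9s %s:%d -> %s:%d" % ((name, dst, port) + final_destination(rules, dst, port)))
```

Running it shows the posted order leaving DMZ traffic alone and redirecting outside port 80, the swapped order redirecting DMZ traffic too, and, for the posted rules, an outside port 443 packet passing through untouched, which is why a single negated rule with -m multiport --dports 80,443 is the simpler way to express "everything except the DMZ goes to the proxy".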
