[K12OSN] Help with iptables

James P. Kinney III jkinney at localnetsolutions.com
Sat Dec 13 15:08:35 UTC 2008


Excellent! It could have been done with a rule insert but that requires
knowing the existing order.

iptables can be an entire career! Every iteration adds new features that
are astounding in their ability. The really amazing part is how little
impact it has on total network throughput.

On Fri, 2008-12-12 at 12:00 +0000, Brian Chivers wrote:
> James P. Kinney III wrote:
> > Crud. Wrong chain and wrong target definition. see below
> > On Thu, 2008-12-11 at 19:19 -0500, James P. Kinney III wrote:
> >> On Thu, 2008-12-11 at 08:55 +0000, Brian Chivers wrote:
> >>
> >>> I'll try and draw a ASCII diagram, try being the word :-)
> >>>
> >>> Thinclients 10.0.0.x
> >>>          |
> >>>          |
> >>>       Server 10.0.0.1
> >>>              192.168.0.100
> >>>          |
> >>>          |
> >>>       MAIN NETWORK (All servers on 192.168.0.x/16 - Proxy 192.168.0.80:8080
> >>>          |
> >>>          |
> >>>       Firewall (Green Network - 192.168.0.2)
> >>> 	      (Orange DMZ - 172.16.0.x)
> >>> 	      (Red - 212.219.x.x)
> >>>          |
> >>>          |
> >>>        CISCO to Internet
> >>>
> >>> What I don't want is for the thinclients to be able to access the internet WITHOUT the proxy, but I'd 
> >>> like them to be able to access the DMZ machines without using the proxy.
> >>>
> >> Ah! Now I see what you are doing!
> >> On the thin client server you need ALL web traffic NOT going to the DMZ
> >> machine to go through the proxy
> >>
> > 
> > CORRECTED
> >> iptables -t nat -A PREROUTING -d ! 172.16.0.0/255.255.255.0 -p tcp -m
> >> multiport --dports 80,443 -j DNAT --to-destination 192.168.0.80:8080
> >>
> >>
> >>
> 
> Thanks, that almost got it but put me on the correct path. I had to play around with the order of the 
> rules so this one was first, then the other. I changed the rule so it didn't do any DNAT stuff, just 
> accepted, so this is the contents of my iptables below.
> 
> Thanks for everyone's input on this one. I've never played with iptables before but understand them 
> a little more now. I say a little, and that's a little little more :-)
> 
> Brian
> 
> # Generated by iptables-save v1.3.5 on Fri Dec 12 11:54:40 2008
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -p tcp -m tcp -d 172.16.0.0/16 --dport 80 -j ACCEPT
> -A OUTPUT -p tcp -m tcp -d 172.16.0.0/16 --dport 80 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.80:8080
> -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.80:8080
> COMMIT
> # Completed on Fri Dec 12 11:54:40 2008
> # Generated by iptables-save v1.3.5 on Fri Dec 12 11:54:40 2008
> *filter
> :INPUT ACCEPT [35598:124514018]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [35331:126241005]
> COMMIT
> # Completed on Fri Dec 12 11:54:40 2008
> # Generated by iptables-save v1.3.5 on Fri Dec 12 11:54:40 2008
> *mangle
> :PREROUTING ACCEPT [35598:124514018]
> :INPUT ACCEPT [35598:124514018]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [35331:126241005]
> :POSTROUTING ACCEPT [35331:126241005]
> COMMIT
> # Completed on Fri Dec 12 11:54:40 2008
> 
> 
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC                           
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
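The ordering point Brian hit (a terminating ACCEPT in nat PREROUTING has to sit before the catch-all DNAT) is easier to see with a first-match walk over the rules from his ruleset. This is a constructed simulator added here, not iptables and not anything from the thread; it also shows that the final ruleset only redirects port 80, so HTTPS from the thin clients reaches the chain policy unredirected.

```python
"""First-match walk of a nat PREROUTING chain (constructed simulator, not iptables)."""
import ipaddress

# Rules from Brian's final iptables-save: DMZ exemption first, catch-all DNAT second.
# A rule is (dst_network or None for "any", dport or None for "any", target, dnat_to).
RULES_WORKING = [
    ("172.16.0.0/16", 80, "ACCEPT", None),
    (None, 80, "DNAT", "192.168.0.80:8080"),
]
# Same two rules reversed: the catch-all DNAT matches first, so DMZ traffic
# is rewritten to the proxy and the ACCEPT is never reached.
RULES_REVERSED = list(reversed(RULES_WORKING))


def walk_chain(rules, dst_ip, dport, policy="ACCEPT"):
    """Return (target, destination) chosen by the first matching rule.

    Both ACCEPT and DNAT are terminating targets in a nat chain, so the walk
    stops at the first match. If nothing matches, the chain policy applies and
    the original destination is kept (in iptables terms: no NAT mapping).
    """
    dst = ipaddress.ip_address(dst_ip)
    for net, port, target, dnat_to in rules:
        if net is not None and dst not in ipaddress.ip_network(net):
            continue
        if port is not None and port != dport:
            continue
        if target == "DNAT":
            return "DNAT", dnat_to
        return target, f"{dst_ip}:{dport}"
    return policy, f"{dst_ip}:{dport}"


def proxy_bypass_report(rules):
    """Flags which sample flows are NOT redirected to the proxy (constructed samples)."""
    samples = [
        ("172.16.0.5", 80),      # DMZ web server: should be exempt
        ("212.219.1.1", 80),     # Internet HTTP: should go to the proxy
        ("212.219.1.1", 443),    # Internet HTTPS: not covered by the posted rules
    ]
    return {
        f"{ip}:{port}": walk_chain(rules, ip, port)[0] != "DNAT"
        for ip, port in samples
    }


if __name__ == "__main__":
    for name, rules in (("working", RULES_WORKING), ("reversed", RULES_REVERSED)):
        print(name, proxy_bypass_report(rules))
```

In the "working" order only the DMZ flow and the HTTPS flow bypass the proxy; the HTTPS gap is a reason to also cover port 443 (as the earlier multiport rule did) or to block direct outbound 80/443 from 10.0.0.0/24 in the filter table.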

