iptables rule and/or proxy server help request

Pete Nesbitt pete at linux1.ca
Fri Jul 23 01:15:14 UTC 2004


On July 20, 2004 09:25 am, Mike Burger wrote:
> I've got a pretty good iptables firewall in place which, at present,
> allows fairly broad access to the net from the machines behind the
> firewall.
>
> What I'd like to do, now, is have the firewall forward outbound packets
> for port 80 (to any address) to port 8080 on my server, which will then
> proxy (DansGuardian+Squid or Privoxy).
>
> I've tried this (keeping in mind that I'm trying it for one system, first,
> before implementing it network-wide):
>
> $IPTABLES -t nat -A PREROUTING -s 192.168.0.4 -p tcp --dport 80 -j DNAT
> --to 192.168.0.1:8080
> $IPTABLES -A FORWARD -i eth1 -p tcp --dport 80 -m state --state NEW -d
> 192.168.0.1 -j ACCEPT
>
> I've tried using a "REDIRECT", but then connections go absolutely
> nowhere...it seems that REDIRECT only works on the local system, not
> across the network.
>
> But then the proxies don't actually grab any info and present it back to
> the browser.
>
> If I set up direct proxy connections in the browsers, though, to the proxy
> server at 8080, it works just fine.
>
> Maybe it's not an iptables setting, but a proxy server setting I want?
> I'm at a loss.
> --
> Mike Burger
> http://www.bubbanfriends.org
>

Mike,
Your FORWARD rules are performed on the output of the PREROUTING.
So, presuming 192.168.0.4 is the test station on the LAN & 192.168.0.1 is 
the proxy server, you should be using "--dport 8080" not "--dport 80" in the 
FORWARD.

-- 
Pete Nesbitt, rhce
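The rule pair Pete describes, written out as an added example (this is not code from either poster): the PREROUTING DNAT rewrites the destination before the FORWARD chain sees the packet, so the FORWARD match is on the proxy port 8080, not on 80. Interface eth1 and the addresses 192.168.0.4 (client) and 192.168.0.1 (proxy) are taken from the thread; the variable names, the `! -d` exclusion (so the proxy's own outbound traffic is not looped back into the proxy), the optional POSTROUTING MASQUERADE rule and the dry-run default (`IPTABLES="echo iptables"` prints the rules instead of applying them) are assumptions added here.

```shell
#!/bin/sh
# Added example: transparent HTTP interception on a Linux firewall.
# Assumed values (not from the original posts): LAN interface eth1,
# test client 192.168.0.4, proxy host 192.168.0.1 listening on 8080.
# IPTABLES defaults to "echo iptables" so the script only prints the
# rules; run with IPTABLES=iptables as root to apply them.

LAN_IF="${LAN_IF:-eth1}"
CLIENT="${CLIENT:-192.168.0.4}"
PROXY_IP="${PROXY_IP:-192.168.0.1}"
PROXY_PORT="${PROXY_PORT:-8080}"
IPTABLES="${IPTABLES:-echo iptables}"

# Given a DNAT target such as 192.168.0.1:8080, return the port the
# FORWARD chain must match after the rewrite (here 8080).
forward_port_for() {
  echo "${1#*:}"
}

# 1. Rewrite the client's outbound port-80 traffic to the proxy.
#    "! -d $PROXY_IP" keeps traffic that is already headed for the
#    proxy host from being rewritten a second time.
nat_rule() {
  $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -s "$CLIENT" ! -d "$PROXY_IP" \
    -p tcp --dport 80 -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
}

# 2. FORWARD runs after PREROUTING, so the packet now carries
#    dst=$PROXY_IP:$PROXY_PORT; matching --dport 80 here would never hit.
forward_rule() {
  $IPTABLES -A FORWARD -i "$LAN_IF" -s "$CLIENT" -d "$PROXY_IP" \
    -p tcp --dport "$(forward_port_for "$PROXY_IP:$PROXY_PORT")" \
    -m state --state NEW -j ACCEPT
}

# 3. Optional: when client and proxy share a subnet, the proxy's replies
#    would otherwise go straight back to the client, bypassing the
#    firewall's connection tracking, and the client would see a reply
#    from 192.168.0.1:8080 instead of the site it asked for. Source-NATing
#    the redirected flow forces the reply back through the firewall. The
#    cost is that the proxy then logs the firewall, not the client, as
#    the requesting host.
snat_rule() {
  $IPTABLES -t nat -A POSTROUTING -o "$LAN_IF" -s "$CLIENT" -d "$PROXY_IP" \
    -p tcp --dport "$PROXY_PORT" -j MASQUERADE
}

apply_rules() {
  nat_rule
  forward_rule
  snat_rule
}

apply_rules
```

The iptables side is only half of the job: the proxy must be configured to intercept (Squid's transparent/intercept mode), because an intercepted browser sends an origin-form request (`GET /path`) rather than the full-URL request a browser sends when it is explicitly pointed at a proxy. A proxy that is not in that mode receives the connection but cannot reconstruct the target, which matches the "connections arrive but nothing comes back" symptom. Verify the rewrite with `iptables -t nat -L PREROUTING -v -n` and the accept with `iptables -L FORWARD -v -n`; the packet counters on the DNAT and the port-8080 FORWARD rule should both increase when the test client browses.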
