On Wed, Aug 07, 2002 at 01:40:34PM -0400, Robert Clay wrote:
> Ah; it needs to be done for each interface? Or is there a more generic
> way of doing it?
>
> >>> Vineet Kumar <[EMAIL PROTECTED]> 08/07/02 01:31PM >>>
> * Janusz Ulanowski ([EMAIL PROTECTED]) [020807 08:25]:
> >
> > but it's working for incoming packets, from my localhost it isn't working
> > iptables -t nat -A PREROUTING -p tcp --dport 80 -i lo -j DNAT \
> >     --to 192.168.0.1:8080

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j REDIRECT \
    --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner \! --uid-owner 13 \
    -j REDIRECT --to-ports 8080

Should work. I tested it on my own firewall, although I just tested it with netcat, not a real proxy.

Locally generated packets don't go through the PREROUTING chain, so you have to manipulate them in OUTPUT, and you also have to differentiate them from the proxy's outgoing packets, hence the match against uid 13 (proxy), taken from /etc/passwd.

Unfortunately, you'll have to enable owner match support in your kernel for the second line to work, so you might have to recompile (it's one of the features labelled experimental).

Jason
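The two points Jason makes (locally generated packets never enter PREROUTING, and an OUTPUT redirect without the owner match also catches the proxy's own upstream connections and loops) are easy to see in a toy model of the nat table. The following Python is an added example, not code from the thread: it models netfilter as two nat chains with first-match semantics and a proxy that answers on 8080 by opening its own port-80 connection as uid 13. The uid 1000 for the local browser and the packet fields are constructed simplifications.

```python
"""Toy model of the nat-table traversal discussed in the thread (added example)."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

PROXY_UID = 13        # uid of the proxy account, as in the thread's /etc/passwd
PROXY_PORT = 8080
HTTP_PORT = 80


@dataclass(frozen=True)
class Packet:
    dport: int
    in_iface: Optional[str] = None   # None means locally generated (no input interface)
    uid: Optional[int] = None        # socket owner; meaningful only for local packets


@dataclass(frozen=True)
class Rule:
    chain: str                       # "PREROUTING" or "OUTPUT"
    match: Callable[[Packet], bool]
    to_port: int                     # REDIRECT / DNAT target port


def nat_traverse(pkt: Packet, rules: List[Rule]) -> Packet:
    """Run one packet through the nat table; the first matching rule wins."""
    # Packets arriving on an interface hit PREROUTING; packets created by a
    # local process only ever hit OUTPUT, which is why the lo/DNAT rule fails.
    chain = "OUTPUT" if pkt.in_iface is None else "PREROUTING"
    for rule in rules:
        if rule.chain == chain and rule.match(pkt):
            return replace(pkt, dport=rule.to_port)
    return pkt


def deliver(pkt: Packet, rules: List[Rule], max_hops: int = 5) -> Tuple[str, List[int]]:
    """Follow a request until it reaches port 80 or the redirect loops.

    When a packet lands on the proxy port, the proxy opens its upstream
    connection: a new locally generated packet to port 80 owned by PROXY_UID.
    Returns (outcome, destination ports seen) with outcome one of
    "direct", "proxied" or "loop".
    """
    seen: List[int] = []
    for _ in range(max_hops):
        out = nat_traverse(pkt, rules)
        seen.append(out.dport)
        if out.dport == HTTP_PORT:
            return ("proxied" if len(seen) > 1 else "direct"), seen
        # The proxy accepted the connection; emulate its upstream request.
        pkt = Packet(dport=HTTP_PORT, in_iface=None, uid=PROXY_UID)
    return "loop", seen


def is_http(p: Packet) -> bool:
    return p.dport == HTTP_PORT


# Janusz's first attempt: DNAT in PREROUTING on lo. Local packets never
# enter PREROUTING, so this cannot affect a browser on the firewall itself.
FIRST_ATTEMPT = [
    Rule("PREROUTING", lambda p: is_http(p) and p.in_iface == "lo", PROXY_PORT),
]

# OUTPUT redirect without the owner match: the proxy's own port-80
# connections are redirected straight back to the proxy.
NO_OWNER_MATCH = [
    Rule("PREROUTING", lambda p: is_http(p) and p.in_iface == "eth0", PROXY_PORT),
    Rule("OUTPUT", is_http, PROXY_PORT),
]

# Jason's ruleset: "-m owner ! --uid-owner 13" excludes the proxy's packets.
WITH_OWNER_MATCH = [
    Rule("PREROUTING", lambda p: is_http(p) and p.in_iface == "eth0", PROXY_PORT),
    Rule("OUTPUT", lambda p: is_http(p) and p.uid != PROXY_UID, PROXY_PORT),
]

LOCAL_BROWSER = Packet(dport=HTTP_PORT, in_iface=None, uid=1000)  # constructed: browser on the firewall
LAN_CLIENT = Packet(dport=HTTP_PORT, in_iface="eth0")             # constructed: client behind eth0

if __name__ == "__main__":
    for name, rules in (("first attempt", FIRST_ATTEMPT),
                        ("no owner match", NO_OWNER_MATCH),
                        ("with owner match", WITH_OWNER_MATCH)):
        print(f"{name:17} local browser: {deliver(LOCAL_BROWSER, rules)}")
        print(f"{name:17} LAN client:    {deliver(LAN_CLIENT, rules)}")
```

Running it shows the local browser bypassing the proxy entirely under the first attempt, both clients looping on 8080 when the owner match is missing (the LAN client too, because the proxy's upstream request is itself a locally generated port-80 packet), and the expected one-hop redirect with Jason's ruleset. The same reasoning is a quick sanity check before deploying any OUTPUT-chain redirect: ask which local process will open the onward connection and make sure the rule excludes it.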

