On Wednesday 10 December 2003 01:22 Anno Domini, Ray Olszewski wrote using one 
of his keyboards:
> At 12:21 AM 12/10/2003 +0200, Petre Bandac wrote:
> >hello
> >
> >I have the following problem:
> >
> >I want all the http traffic (dport 80) to be redirected to some other
> >machine,
> >from where the packets should go out on the internet
> >
> >I have tried to SNAT, but it seems that it isn't possible only with
> > iptables
> >
> >on the second machine there should be squid running to take care of the
> >incoming packets, or what ?
> >
> >(please cc to me, because though I'm subscribed to this list, messages
> >stopped
> >arriving to me since april 19th)
>
> First the incidental part: if you are not getting list mail, you are
> probably not subscribed. The vger server will detect some mail delivery
> failures and auto-unsubscribe addresses. So if you had a transient e-mail
> failure, one that left you unable to receive mail for a day or so, that
> might have caused you to be unsubscribed. (Or it may be something else, of
> course; I only mention this because any time one stops getting list mail
> for no apparent reason, it is worth verifying that you are still
> subscribed. Over the 5 years or so I've been on this list, I've been
> involuntarily unsubscribed about a half dozen times.)

I resubscribed and it works now :-)

> Now your actual question:  I don't *quite* understand what you want to
> accomplish here, so some of this is guessing.

linux_1 193.231.x.x is routing a subnet (routable)
linux_2 is on the same network with linux_1 (193.231.x.x)

all the traffic from the subnet going to port 80 must be redirected to linux_2 
(this redirection I presume should be made by linux_1), and from there go to 
its destination (yahoo.com or whatever)

so, linux_2 should have proxy (squid or apache, as you say) or it can do snat 
or whatever trick with iptables

thanks,

petre


> The usual way to force a host to use a proxy server for (say) http traffic
> is
>
>          (A) in the site's router/firewall, DENY all traffic going from
> workstations to external addresses at port 80 (and maybe 443, if you want
> to restrict https too); ALLOW traffic only from the machine in B.
>
>          (B) on some suitable-secure internal server, run a proxy like
> Squid or Junkbuster or whatever (I think even Apache itself can be
> configured to operate as a proxy) to forward the traffic.
>
>          (C) Have each user configure his or her browser to use that proxy
> server.
>
> What I **think** you are trying is a bit different, something I've never
> seen done but that, in principle, would work. It goes something like this:
>
>          (A) is the same as above, since if you don't restrict things at
> the router, users will have the opportunity to bypass restrictions (unless
> no user has *any* way to get root access to his or her workstation, hard to
> manage on Linux systems that the user has physical access to).
>
>          (B) On each individual workstation (or perhaps on the router,
> instead of step A), use the kernel's routing code to redirect all port-80
> (and 443?) traffic to an internal server that runs some sort of proxy.
>
> If you want to do that, then iptables should work. The details depend on
> whether you are talking about running Linux and iptables on the
> workstations or the firewall/router. For example, on the firewall/router,
> you would do it with 2 rules:
>
>          (1) in the default table's FORWARD chain: For any traffic from the
> LAN to port 80, ACCEPT it
>
>          (2) in the nat table's PREROUTING chain: For any traffic from any
> LAN address other than the proxy server to an external port 80 destination,
> DNAT it to the proxy server address.
>
> You may need to modify other existing rules as well, depending on details
> of your setup that can vary too much for me to cover even all the likely
> cases. (For example, rulesets often block routing LAN traffic back to the
> LAN, and rule 2 above runs afoul of that.)
>
> All this is a bit vague, I admit, but your requirements are a bit vague too.
> If you try again, describing the setup and your goal more precisely, as
> well as telling us what you tried (I don't see how even to *try* doing this
> with SNAT, for example) and what went wrong, then maybe I or someone else
> can give you more exact help.
>
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to [EMAIL PROTECTED]
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs

-- 
 1:34AM  up 15:19, 1 user, load averages: 1.13, 1.26, 1.31

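As an added example (not code from the thread), here is what Ray's two rules, plus the "LAN traffic routed back to the LAN" caveat he mentions, look like as an actual ruleset on linux_1. The subnet, interface name, proxy address and proxy port are assumed placeholders standing in for Petre's 193.231.x.x setup; the functions only print the iptables commands so the result can be reviewed before it is applied to a live router.

```shell
#!/bin/sh
# Added example for the iptables approach Ray sketches: it is not code from the
# thread, and every address below is an assumed placeholder for the
# "193.231.x.x" setup Petre describes.
LAN_NET="193.231.10.0/24"   # the routable subnet behind linux_1 (assumed)
LAN_IF="eth1"               # linux_1's interface facing that subnet (assumed)
PROXY_IP="193.231.10.2"     # linux_2, running Squid (assumed)
PROXY_PORT="3128"           # Squid's listening port (assumed)

# Print the commands instead of running them, so the ruleset can be reviewed
# (or compared with `iptables-save`) before it is applied to a live router.
gen_rules() {
    # nat/PREROUTING, rule 2 in Ray's description. The proxy's own outbound
    # fetches are exempted first (ACCEPT in the nat table means "no NAT, stop
    # here"); without this the proxy's requests would be looped back into it.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $PROXY_IP -j ACCEPT"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET ! -d $LAN_NET -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"

    # Ray's caveat about LAN traffic being routed back to the LAN: client and
    # proxy share a subnet, so without this the proxy would answer the client
    # directly and the client would see a reply from 193.231.10.2 to a
    # connection it opened to yahoo.com and drop it. Masquerading the client
    # behind the router's LAN address keeps both directions on linux_1.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j MASQUERADE"

    # filter/FORWARD, rule 1 in Ray's description. Order matters: accept the
    # redirected flows and the proxy's own port-80 traffic, then drop every
    # other LAN-to-internet port-80 attempt so that a user who re-routes his
    # own workstation still cannot bypass the proxy.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -s $PROXY_IP -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET ! -d $LAN_NET -p tcp --dport 80 -j DROP"
}

# Sanity check used before applying: the number of rules that touch the nat table.
nat_rule_count() {
    gen_rules | grep -c -- '-t nat'
}

# Line number of the first rule matching a pattern, to verify ordering
# (the proxy exemption must precede the DNAT, the ACCEPTs must precede the DROP).
rule_index() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# To apply on linux_1 (as root, after reviewing the output):  gen_rules | sh
```

Two things the ruleset cannot do on its own. Squid on linux_2 has to be told that the connections arriving on 3128 were intercepted rather than sent by a proxy-aware browser (in Squid 2.5 that is the httpd_accel_host/httpd_accel_port/httpd_accel_with_proxy/httpd_accel_uses_host_header settings; later versions use the transparent or intercept flag on http_port), otherwise it receives requests with relative URLs it cannot resolve. And this only covers port 80: an intercepted TLS connection cannot be fed to a plain forward proxy, so for 443 the choice is the explicit browser-configured proxy from Ray's first list or an outright DENY at the router.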