> my linux server is connected via PPP0 and I'm using internal IPs of
> 192.168.0.0/24. my server also serves http requests (mydomain.com). now, how
> do I use iptables and squid for transparent proxy (force clients to use
> proxy)?

First, you have to configure squid to act as a transparent proxy.
iptables comes in only as a redirector which throws outbound port 80
connections to your transparent proxy.
Also, remember that your kernel must have support for transparent
proxying. If not, recompile your kernel with transparent proxying
support. :)
I'm assuming here that you have a server which has a LAN connected to it
via its eth0 interface and outbound-Internet traffic passes through the
ppp0 interface.
> i have tried these several rules: problem with these rules is that my own
> domain could not be accessed (internally and externally).

First, add:
# iptables -A INPUT -i lo -j ACCEPT    # quite useful for most cases
> 1. iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:8888
> 2. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8888
Same effect as #1. Use this rule instead.
> 3. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This one masquerades all outgoing connections from your eth0 interface
onto, I assume, the Internet or a larger network. But I don't get the
sense of this rule. Your outbound Internet traffic, I assume, was
headed out _through_ ppp0, and not eth0 because eth0 connects to your
LAN.
Try changing it to
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
or, if you have a static IP (replace $STATIC_IP with actual value):
# iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to $STATIC_IP
> what/which would be the right rule/s for my setup ?
The first/second will work. See if packets are actually getting to your
squid proxy by checking the logs (e.g., /usr/local/squid/logs/access.log).
HTH
--------------------------------------
Gino LV. Ledesma
Ateneo Cervini-Eliazo Networks (ACENT)
email : [EMAIL PROTECTED]
web : http://cersa.admu.edu.ph/
phone : (63)(2) 426-6001 ext. 5925/5904
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
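
The two things the reply asks for (port 80 from eth0 redirected to the proxy port, and masquerading on ppp0 rather than eth0) can be checked against a saved ruleset. This is an added example, not part of the original message: `audit_nat`, the variable names and both sample dumps are constructed here, with interface names and port 8888 taken from the thread.

```shell
#!/bin/sh
# Added example: audit the nat table of an iptables-save dump against the
# advice in the reply. LAN_IF, WAN_IF and PROXY_PORT follow the thread
# (eth0, ppp0, 8888); audit_nat and the sample dumps are constructed here.
LAN_IF=eth0 WAN_IF=ppp0 PROXY_PORT=8888

# Reads iptables-save output on stdin and prints one finding per line.
# Returns 0 only when the redirect exists and all NAT is on the WAN side.
audit_nat() {
    awk -v lan="$LAN_IF" -v wan="$WAN_IF" -v port="$PROXY_PORT" '
    /^\*/ { table = substr($1, 2) }           # table header: "*nat", "*filter"
    table != "nat" || $1 != "-A" { next }     # only rule lines of the nat table
    {
        chain = $2; in_if = out_if = dport = target = toport = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--to-ports" || $i == "--to-port") toport = $(i + 1)
            if ($i == "--to-destination") { n = split($(i + 1), a, ":"); toport = a[n] }
        }
        if (chain == "PREROUTING" && in_if == lan && dport == "80" &&
            (target == "REDIRECT" || target == "DNAT") && toport == port)
            redirect = 1
        if (chain == "POSTROUTING" && (target == "MASQUERADE" || target == "SNAT")) {
            if (out_if == wan) nat_wan = 1
            else { print "WARN: " target " on " (out_if ? out_if : "any interface") ", expected " wan; bad = 1 }
        }
    }
    END {
        if (!redirect) { print "FAIL: no port 80 redirect from " lan " to port " port; bad = 1 }
        if (!nat_wan)  { print "FAIL: no MASQUERADE/SNAT on " wan; bad = 1 }
        if (!bad) print "OK: redirect and outbound NAT match the advice"
        exit bad + 0
    }'
}

# Constructed dumps: the rules as posted (NAT on eth0) and as advised (ppp0).
sample_posted() { printf '%s\n' '*nat' \
    '-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888' \
    '-A POSTROUTING -o eth0 -j MASQUERADE' 'COMMIT'; }
sample_advised() { printf '%s\n' '*nat' \
    '-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888' \
    '-A POSTROUTING -o ppp0 -j MASQUERADE' 'COMMIT'; }

# Demo run on the constructed dumps; on a live box use: iptables-save | audit_nat
sample_posted | audit_nat || true
sample_advised | audit_nat
```
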