Would something like this be the solution?

for s in ${GRUP2}
     do
          iptables -t nat -A PREROUTING -i eth1 -p tcp --match multiport --dports 80,21 \
               -s ${s} -d ! ${RETEALOCALA} -j DNAT --to 192.168.0.254:8080
          # multiport needs a protocol (-p tcp or -p udp); without it iptables rejects the rule
          iptables -t nat -A POSTROUTING -o ${INTERNET} -p tcp -s ${s} --match multiport \
               --dports 25,53,110,443 -j SNAT --to-source ${NAT}
     done
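A complete dry-run version of this setup for both groups, added here as an example and not code from the thread: it follows Manuel's multiport hint, uses the current "! -d" negation syntax, and all interfaces, ranges and host addresses are placeholders I made up. By default it only prints the rules; setting IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the nat rules for the two
# groups with -m multiport. Interface names, address ranges and the public
# address are placeholders; the proxy address is the one used in the thread.
IPT="${IPT:-echo iptables}"          # set IPT=iptables to apply the rules for real
LAN_IF="eth1"
INTERNET="eth0"
RETEALOCALA="192.168.0.0/24"          # assumed local network
NAT="203.0.113.10"                    # assumed public address (documentation range)
PROXY="192.168.0.254:8080"            # proxy address from the thread
GRUP1="192.168.0.10 192.168.0.11"     # constructed: hosts that go out directly
GRUP2="192.168.0.20 192.168.0.21"     # constructed: hosts forced through the proxy
PROXY_PORTS="80,21"                   # tcp ports sent to the proxy
FREE_PORTS="25,53,110,443"            # tcp ports group 2 may reach directly

# Group 1: plain source NAT, nothing goes through the proxy.
group1_rules() {
    for s in $GRUP1; do
        $IPT -t nat -A POSTROUTING -o "$INTERNET" -s "$s" -j SNAT --to-source "$NAT"
    done
}

# Group 2: web/ftp to non-local destinations is DNATed to the proxy; the
# remaining allowed services are source-NATed so they keep working. Anything
# else from these hosts is simply not NATed; actually blocking it belongs in
# the filter table's FORWARD chain, which is outside the nat rules shown here.
group2_rules() {
    for s in $GRUP2; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -m multiport --dports "$PROXY_PORTS" \
            -s "$s" ! -d "$RETEALOCALA" -j DNAT --to-destination "$PROXY"
        # multiport only works with a protocol, so tcp and udp 53 need separate rules
        $IPT -t nat -A POSTROUTING -o "$INTERNET" -p tcp -m multiport --dports "$FREE_PORTS" \
            -s "$s" -j SNAT --to-source "$NAT"
        $IPT -t nat -A POSTROUTING -o "$INTERNET" -p udp --dport 53 \
            -s "$s" -j SNAT --to-source "$NAT"
    done
}

# Number of DNAT (proxy) rules generated; one per host in group 2 is expected.
proxy_rule_count() {
    group2_rules | grep -c -- '-j DNAT'
}

group1_rules
group2_rules
```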


2013/10/22 manuel "lonely wolf" wolfshant <wo...@prolinux.ro>

> On 10/21/2013 11:43 PM, Laurentiu STEFAN wrote:
> > I have 2 groups of IPs, one of which should theoretically go out freely and the
> > second should go through the proxy.
> >
> > I have:
> >
> >      for s in ${GRUP2}
> >      do
> >           iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -s ${s} \
> >                -d ! ${RETEALOCALA} -j DNAT --to 192.168.0.254:8080
> >           iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -s ${s} \
> >                -d ! ${RETEALOCALA} -j DNAT --to 192.168.0.254:8080
> >      done
> >
> >      for s in ${GRUP1}
> >      do
> >          iptables -t nat -A POSTROUTING -o ${INTERNET} -s ${s} -j SNAT \
> >               --to-source ${NAT}
> >      done
> >
> > The problem is that those in group 2 should also have access to the rest of the
> > external services (dns, pop, etc)
> > I tried putting iptables -t nat -A POSTROUTING -o ${INTERNET} -s ${s} -j
> > SNAT --to-source ${NAT} in group 2 as well, but then it no longer goes through the proxy.
> add any other ports you want to leave open. or first put a rule
>   with "! --dport  NNN" -j ACCEPT and only after that one for the redirect
> additional hint: you don't need separate rules per port, -m multiport is
> meant exactly for these cases
>
> >
> > On another note,
> > If in group 2 I add:
> > iptables -A FORWARD -p tcp -s ${s} --match multiport --dports 80,443,21 \
> >      -m string --string '.exe' --algo bm -j DROP
> > will it prevent them from downloading .exe files?
> force them through a proxy (squid..) and block from there with
> ACLs. It's much more reliable than string matching in iptables.
>
>
> >
> > Thanks in advance
> >
>
>
> --
>       Manuel Wolfshant       linux registered user #131416
>          IT manager    NoBug Consulting SRL
>    A: Yes.
>    >Q: Are you sure?
>    >>A: Because it reverses the logical flow of conversation.
>    >>>Q: Why is top posting frowned upon?
>
> _______________________________________________
> RLUG mailing list
> RLUG@lists.lug.ro
> http://lists.lug.ro/mailman/listinfo/rlug
>
