The simplest way is:

Post the output of these commands here:
iptables -t filter -L
iptables -t nat -L
iptables -t mangle -L

And this will be the starting point!
If you also write about your goals (I remember something about squid), that would be great.


On 06.04.2011 05:40, Diego Xirinachs wrote:
Thanks a lot for your input, to answer your questions and clarify further,

- I had the ACCEPT rule before the REDIRECT one before asking for help, and it didn't work either; I will change it back and leave it like that, so the rule order would be:



ACCEPT        $FW        net        tcp        www
REDIRECT    loc        3128        tcp        www        -
ACCEPT        $FW        loc        icmp
ACCEPT        $FW        net        icmp
##############################
###################

- Explain when you can/want, I am curious :D

- Regarding the iptables commands, no, I'm not sure. I just took those 2 commands from a tutorial and ran them to see if they would work.

- Those 2 iptables commands you gave me, can I run them with shorewall installed, or would the server act weird?

Today I noticed I don't have a masq file, and that IF the EXTERNAL network isn't connected on eth0 (mine is on eth1) you have to edit this masq file to reverse the order, at least that's what the Shorewall documentation says (I don't have the URL handy). If that works I will post the results here.

thanks a lot again :D

2011/4/5 Николай Федосов <[email protected]>

    On 06.04.2011 01:43, Diego Xirinachs wrote:
    DNS is already accepted in my shorewall rules file, here is the
    complete file, I don't know why I didn't post it complete earlier.



    REDIRECT    loc        3128        tcp        www        -
    ACCEPT        $FW        net        tcp        www
    ACCEPT        $FW        loc        icmp
    ACCEPT        $FW        net        icmp
    #################################################
    Here is your mistake! The first rule is evaluated first.
    You try to REDIRECT www packets from the firewall to port 3128, but
    you have no www packets in your firewall if (as I understand)
    your policy is DROP.

    Try in this order:

    first rule:  ACCEPT      $FW   net    tcp   www
    second rule: REDIRECT    loc   3128   tcp   www   -

    This example is from the documentation at http://www.shorewall.net





    As you can see, DNS is already there also. Any other tips?

    @nikolay: Really? More complicated than iptables? I find it easy
    to configure access rules here; the only problem I have had is this
    one. With iptables I tried to get the transparent proxy working
    but couldn't (I got the full command and ran it, it didn't do
    anything). I tried with the following commands:
    I can explain it but not now


    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    Are you sure that SQUID requires nat ?????????????

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j DROP


    And you should remember that THE ORDER of the rules is
    SIGNIFICANT!
    Sorry for my English... now it's time to sleep....


    eth0 is my LAN and eth1 is connected to the internet. IP address
    is just for the example, my internal network uses a different
    range than that one.

    I would really like to get this working but I have no idea what's
    wrong; this kind of issue, I'm sure, is one of those wtf problems
    that can be solved with a simple solution.

    Hope it helps and thanks again.



    2011/4/5 Николай Федосов <[email protected]>

        My proposal is to change the order of your rules...

        But the true way is to: apt-get purge shorewall (it is very
        complicated, more complicated than iptables)

        On 05.04.2011 13:29, Diego Xirinachs wrote:

        >> My /etc/shorewall/rules are setup with this ACCEPT and
        REDIRECT rules:
        >>
        >> #ACTION    SOURCE    DEST    PROTO    DEST        SOURCE     ORIGINAL
        >> #                                     PORT(S)     PORT(S)    DEST
        >> REDIRECT  loc        3128     tcp      www              -
        >>
        >> ACCEPT    $FW        net      tcp      www


        --
        ubuntu-server mailing list
        [email protected]
        <mailto:[email protected]>
        https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
        More info: https://wiki.ubuntu.com/ServerTeam




-- X1R1





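As an added example, not from the thread or from Shorewall itself: a small first-match evaluator over rules written in the column layout quoted above (ACTION SOURCE DEST PROTO DEST-PORT), with a DROP policy as Nikolay assumed, so one can see which rule fires for a given packet and how placing a rule earlier changes the outcome. The zone names, the www-to-80 service mapping and the packet tuples are constructed for the demo, and REDIRECT is treated as matching any original destination because its DEST column carries the redirect port rather than a zone (an assumption).

```python
from typing import NamedTuple, List, Optional

# Constructed service-name table; the thread's rules use "www" for TCP port 80.
SERVICES = {"www": 80}


class Rule(NamedTuple):
    action: str
    source: str
    dest: str              # destination zone, or the redirect port for REDIRECT
    proto: str
    dport: Optional[int] = None


class Packet(NamedTuple):
    src: str               # source zone, e.g. "loc" or "$FW"
    dst: str               # destination zone, e.g. "net"
    proto: str
    dport: Optional[int] = None


def parse_rules(text: str) -> List[Rule]:
    """Parse lines in the thread's layout: ACTION SOURCE DEST PROTO [DEST PORT] [-]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and the #### separators
        if not line:
            continue
        cols = line.split()
        port = None
        if len(cols) > 4:
            port = SERVICES.get(cols[4])
            if port is None and cols[4].isdigit():
                port = int(cols[4])
        rules.append(Rule(cols[0], cols[1], cols[2], cols[3], port))
    return rules


def first_match(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """Like iptables, the first matching rule decides; the zone policy applies otherwise."""
    for r in rules:
        # Assumption: REDIRECT's DEST column is the firewall port, so the original
        # destination zone is not part of the match for that action.
        dest_ok = r.action == "REDIRECT" or r.dest == pkt.dst
        if (r.source == pkt.src and dest_ok and r.proto == pkt.proto
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return policy


# Constructed sample in the order Diego posted it.
RULES_TEXT = """
ACCEPT      $FW   net    tcp   www
REDIRECT    loc   3128   tcp   www   -
ACCEPT      $FW   loc    icmp
ACCEPT      $FW   net    icmp
"""
```

Prepending a `DROP loc net tcp www` line to `RULES_TEXT` makes web traffic from `loc` hit the DROP before the REDIRECT, which is the ordering effect the thread is about.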
