On Saturday 11 January 2003 12:46 am, Mohammad Shakir wrote:
> Dear Friends,
>
> I have installed Red Hat Linux 7.3 with hostname SERVER1, IP address
> 192.168.0.1, and also configured squid, DHCP and DNS services; all are
> running well. I also have 30 PCs running Windows 98 as clients with
> automatic IP, and they get their gateway, DNS, DHCP server and so on
> from DHCP on 192.168.0.1.
> Now I want any browsing request coming from a client to be forwarded
> automatically to my squid, which is running on port 3128, and all other
> requests to go out directly on ppp0. For this I configured one script,
> which is given below.
>
> Is this script correct or not?
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /sbin/iptables --flush
> /sbin/iptables --table nat --flush
> /sbin/iptables --delete-chain
> /sbin/iptables --table nat --delete-chain
>
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> /sbin/iptables --table nat --append POSTROUTING -s 192.168.0.1/24 --out-interface ppp0 -j MASQUERADE
> /sbin/iptables --append FORWARD --in-interface eth0 -j ACCEPT

You also need a rule (or rules) to allow reply traffic back through the
FORWARD chain. The following would probably suffice:

/sbin/iptables -A FORWARD -o eth0 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

In addition, to use the MASQUERADE target you also need to enable tracking
of the interface's dynamic IP with:

echo 1 > /proc/sys/net/ipv4/ip_dynaddr

If the IP is static, just use "-j SNAT --to " and the static IP.

I would _STRONGLY_ suggest that you set a default DROP policy for all three
filter chains (INPUT, OUTPUT and FORWARD, with either "-t filter" or no
table specified) and explicit ACCEPT rules for the INPUT and OUTPUT traffic
that the server requires. (Don't forget that this includes dport 3128 in
and dport 80 out for squid to work, as well as DHCP and DNS traffic.) This
will also require ACCEPT rules for FORWARD traffic, but the one you have
listed plus the one I noted should handle any traffic FROM the LAN and any
replies TO the LAN.

Finally, to be safe, you should only enable forwarding (your first line
above) AFTER you have set the DROP policy, preferably after all rules are
in place.

If you really trust your LAN, you can fly with the FORWARD rule you have,
but you can also tighten things up quite a bit in the FORWARD chain by
ACCEPTing only specific traffic. If you do this, you can add another
EST/REL rule for traffic from the LAN, or just remove the interface match
from the one suggested above.

It's not vital to have a DROP policy for OUTPUT, but it IS pretty much
vital to DROP anything you don't explicitly need in INPUT, and probably
FORWARD. As this ruleset stands, anyone on the internet can connect to any
port on this server, which is a really bad idea.

> This is the other setup.
>
> I have set up two servers, hostname server1 with IP address 192.168.0.1
> and hostname server2 with IP address 192.168.0.2. Both servers are
> connected by dial-up separately, and squid, DHCP and DNS services are
> also configured. I also have 100 PCs running Windows 98 as clients with
> automatic IP, and they get their gateway, DNS, DHCP server and so on
> from DHCP on 192.168.0.1.
>
> Now I want any browsing request coming from a client to be forwarded
> automatically to my squid, which is running on port 3128 on server
> 192.168.0.2, and all other requests to go out directly on ppp0 of
> 192.168.0.1.
> Please help me with what script I should write for this.

Essentially the same setup on server1 as your previous scenario; all my
comments apply here as well. Clients should be configured with server1 as
their gateway, and instead of "-j REDIRECT --to-port 3128" you use
"-j DNAT --to 192.168.0.2:3128". Make sure that these packets are allowed
through the FORWARD chain now.

Server2 will need to accept connections in INPUT from server1, but should
probably REJECT others from the LAN. It should have no need to forward at
all, and anything but replies from the internet should just be DROPped. It
will also need a MASQUERADE rule for outbound traffic to the internet.

For redundancy, you could set up server2 with the DNS and DHCP
configuration from server1, but not enable these services. (Actually you
could even let them run, if the firewall doesn't allow INPUT or OUTPUT for
them.) Also keep a copy of server1's firewall script (from the first
scenario above, or the second scenario modified to use REDIRECT instead of
DNAT) on server2. This way if server1 goes down, or its connection fails,
server2 can take over with just an IP change, start DNS & DHCP, and run the
alternate firewall script. The same ability would work in reverse, but
more easily: if server2 goes down you could delete the DNAT rule and
insert a FORWARD rule to allow traffic through unhindered (and unproxied),
or set up squid on server1 and replace the DNAT with REDIRECT.

> I hope you will help me in this regard.
>
> Thanks
>
> MOHAMMAD SHAKIR
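As an added example (my own script, written for this page; it is not part of the thread and not either server's real configuration), the following puts the reply's advice together into one firewall script for server1 that covers both scenarios: default DROP on INPUT, OUTPUT and FORWARD, explicit ACCEPTs only for DHCP, DNS and squid, an ESTABLISHED,RELATED rule for replies, REDIRECT when squid is local or DNAT to server2 when it is not, MASQUERADE on the dial-up interface, ip_dynaddr enabled, and forwarding switched on only after every rule is in place. The interface names, the 192.168.0.0/24 range, port 3128 and server2's address 192.168.0.2 are assumptions taken from the question. One rule is not in the reply and is my addition: in the DNAT branch the proxied flow is also masqueraded towards server2, because otherwise server2 would answer the client directly and the client, expecting a reply from the original web server, would reset the connection.

```shell
#!/bin/sh
# Hypothetical firewall script for server1 (added example, not from the thread).
# Usage:  sh fw.sh apply      (as root)
#         sh fw.sh dry-run    (print the commands without touching the kernel)
# Scenario 1: leave SQUID_HOST empty (squid on this box, REDIRECT).
# Scenario 2: SQUID_HOST=192.168.0.2 sh fw.sh apply (squid on server2, DNAT).

LAN_IF="${LAN_IF:-eth0}"               # assumed LAN interface
WAN_IF="${WAN_IF:-ppp0}"               # assumed dial-up interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # assumed LAN range
SQUID_PORT="${SQUID_PORT:-3128}"
SQUID_HOST="${SQUID_HOST:-}"

# Wrappers so the same script can be dry-run without root or netfilter.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else /sbin/iptables "$@"; fi
}
sysctl_set() {   # sysctl_set net/ipv4/ip_forward 1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "sysctl $1=$2"; else echo "$2" > "/proc/sys/$1"; fi
}

apply_firewall() {
    # Stop routing while the rules are rebuilt, then start from a clean slate.
    sysctl_set net/ipv4/ip_forward 0
    ipt -F; ipt -t nat -F; ipt -X; ipt -t nat -X

    # Default deny on all three filter chains, set before any ACCEPT rule.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback, plus anything belonging to a connection we already allowed.
    ipt -A INPUT   -i lo -j ACCEPT
    ipt -A OUTPUT  -o lo -j ACCEPT
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services the LAN may reach on this box: DHCP (clients send from 0.0.0.0,
    # so no source match), DNS, and squid only when it runs here.
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    if [ -z "$SQUID_HOST" ]; then
        ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    fi

    # What this box itself may start: DHCP replies, DNS lookups, squid's HTTP.
    ipt -A OUTPUT -o "$LAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j ACCEPT

    # Transparent proxying of LAN port 80; everything else is routed directly.
    if [ -z "$SQUID_HOST" ]; then
        ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    else
        ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j DNAT --to "$SQUID_HOST:$SQUID_PORT"
        # The rewritten packets go back out on the LAN interface, so FORWARD must pass them.
        ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$SQUID_HOST" -p tcp --dport "$SQUID_PORT" -j ACCEPT
        # My addition (not in the reply): make server2 answer server1, not the client,
        # or the client gets a reply from 192.168.0.2:3128 instead of the site it asked
        # for and resets the connection. Cost: squid on server2 logs server1 as the client.
        ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$SQUID_HOST" -p tcp --dport "$SQUID_PORT" -j MASQUERADE
    fi

    # LAN hosts may go out to the internet; replies match the ESTABLISHED rule above.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Track the dial-up's dynamic address for MASQUERADE, then (last) turn routing on.
    sysctl_set net/ipv4/ip_dynaddr 1
    sysctl_set net/ipv4/ip_forward 1
}

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) DRY_RUN=1; apply_firewall ;;
esac
```

The dry-run mode is worth using before every change: it prints the exact rule sequence, which makes it easy to confirm that the DROP policies appear before any ACCEPT and that ip_forward is the last thing written, which is the ordering the reply insists on. Swapping between the two scenarios is then only a matter of setting or clearing SQUID_HOST, which is also how server2 could take over with the same script if server1 fails.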