> -----Original Message-----
> From: Camilo Echeverry [mailto:phantom@xxxxxxxxxxxxxxx]
> Sent: Saturday, March 15, 2003 6:46 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Restrictions + Transparent Proxy
>
> Hi.
> I have an Invalid network which accesses the internet through a linux server with
> iptables, I've tried many times to do this but it isn't working:
<SNIP>
> But when I activate the transparent Proxy, all the people inside the internal
> network can access the internet (via web)
>
> What order of ideas must I use?
> Am I using the correct iptables rules?
>
> something like:
>
> #Grant complete access to this IP
> /sbin/iptables -A FORWARD --in-interface eth0 -s \
> 192.168.3.252/255.255.255.255 -d 0.0.0.0/0.0.0.0 --out-interface eth0 -j \
> ACCEPT
>
> #permit access to all the internal network to only one subnet
> /sbin/iptables -A FORWARD --in-interface eth0 -s 192.168.3.0/255.255.255.0 \
> -d XX.YY.ZZ.0/255.255.255.0 --out-interface eth0 -j ACCEPT
>
> #Block the rest
> /sbin/iptables -A FORWARD --in-interface eth0 -s 192.168.3.0/255.255.255.0 \
> -d 0.0.0.0/0.0.0.0 -j REJECT
>
> #Then Activate Transparent Proxy
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT \
> --to-port 8080
>
> #Now masquerade packets
> /sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j \
> MASQUERADE

try this (my shell is rusty, correct for syntax):

# the whole LAN
LAN='192.168.3.0/24'
# system(s) that get full internet access
FULL='192.168.3.252'
# system(s) that get limited access
PART='192.168.3.0/24'
# the networks that limited access systems can access
PARTOK='XX.YY.ZZ.0/24'
# where is the iptables program?
IPT='/sbin/iptables'

# set the default policy on the forward table to drop;
# now we need to explicitly allow packets to be forwarded.
$IPT -P FORWARD DROP

# add a NAT rule to give full access to one system
# (the target is MASQUERADE, and it is only valid in the nat POSTROUTING chain)
$IPT -t nat -A POSTROUTING -o eth0 -s $FULL -j MASQUERADE

# I'm a little confused, do you want to give one
# remote network access to your whole LAN?
# this is *much* harder, and should be avoided anyway.
# what do you *REALLY* want to accomplish?
# do you have a static external (Internet) IP, or do you really use MASQUERADE?
# If you have a static IP, use SNAT not MASQUERADE, then you can use DNAT
# to redirect incoming internet traffic on some ports to LAN systems
# that listen on those ports.

# give whole LAN access to a single network
$IPT -t nat -A POSTROUTING -o eth0 -s $PART -d $PARTOK -j MASQUERADE

# Redirect all other web traffic from LAN to a Transparent Proxy
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

# add a rule to the forward table to let LAN traffic out.
$IPT -A FORWARD -s $LAN -j ACCEPT

--Erik

Rev. Dr. Erik C Elmshauser D.D.
Head of I.T.
Pacific Benefits Group NW LLC
erike@xxxxxxxxx
Phone - 800.259.0455
Fax - 800.662.0082

There are 10 kinds of people in the world, Those that can do binary arithmetic, and those that can't.
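The reason the original poster's FORWARD restrictions stop working the moment the proxy is switched on is the path a REDIRECTed packet takes: the nat PREROUTING REDIRECT rewrites the destination to the firewall itself, so the packet is delivered locally through INPUT, and the proxy then opens its own connection to the web server through OUTPUT. Neither path traverses FORWARD, so a LAN-wide REDIRECT silently exempts every host from the forwarding policy. The script below is an added example written for this thread, not the original poster's rules and not Erik's; it keeps the restricted hosts on the FORWARD path (where a destination check is possible), redirects only the full-access host to the proxy, and fences the proxy port in INPUT. It assumes the LAN is on eth0 and the Internet link on eth1 (the original post uses eth0 for both; the LAN_IF/WAN_IF variables are mine), that the proxy listens on port 8080, and it reuses XX.YY.ZZ.0/24 as the placeholder network from the original post.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: LAN on eth0,
# Internet on eth1, proxy listening locally on PROXY_PORT. XX.YY.ZZ.0/24 is the
# placeholder from the original post; replace it with the real network.
IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN='192.168.3.0/24'      # the whole internal network
FULL='192.168.3.252'      # host allowed to reach anything
PARTOK='XX.YY.ZZ.0/24'    # the only network the rest of the LAN may reach
PROXY_PORT=8080

apply_policy() {
    # 1. Routed traffic: default deny, then the two allow cases. Replies come
    #    back through FORWARD as well, so let connection tracking admit them.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$FULL" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -d "$PARTOK" -j ACCEPT

    # 2. Transparent proxy. REDIRECT changes the destination to this box, so the
    #    packet goes to INPUT and the proxy's outbound connection goes through
    #    OUTPUT; FORWARD never sees either. Redirecting the whole LAN would
    #    therefore bypass step 1, which is the symptom in the original post.
    #    Only the full-access host is redirected; restricted hosts stay on the
    #    FORWARD path, where the destination check in step 1 applies.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$FULL" -p tcp --dport 80 \
         -j REDIRECT --to-ports "$PROXY_PORT"

    # 3. Fence the proxy port itself: a restricted host could otherwise point
    #    its browser at the proxy explicitly and get the same bypass.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -s "$FULL" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -j REJECT

    # 4. Masquerade whatever leaves through the Internet interface.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Apply for real:           sh this_script.sh apply
# Preview without applying: IPT="echo iptables" sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_policy
fi
```

If the restricted hosts are also meant to go through the proxy, the destination restriction has to move into the proxy's own ACLs (Squid can recover the original destination of a redirected connection; netfilter at INPUT only sees the proxy port), because after REDIRECT the original destination is no longer visible to the filter table.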