On Wed, 2004-03-17 at 08:49, al clethero wrote:
> Folks
>
> I'm having some issues with the nat table and redirection. I'm trying to
> redirect traffic destined for port 80 to port 8080, so that there is no
> need to specify a proxy server in the browser settings. I'm fairly new to
> netfilter, so it may be I'm missing something obvious. If so, I apologise
> beforehand!
>
> I set up a contrived scenario on my isolated test system as follows (so
> the browser, squid etc are all running on the same box):
>
> 1/ I have nothing listening on port 80
> 2/ Squid is running, listening on port 8080
> 3/ Proxy options are turned off in the browser
> 4/ iptables has the following statement in the nat table (and this is
> the only statement in my iptables while I test this out):
>
>     iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
>
> My understanding of this rule is that any tcp packets destined for port
> 80 on any interface will be redirected to port 8080.
>
> 5/ I try to connect to www.google.com from the browser and the following
> should happen:
>
> the request goes out to port 80
> the rule in the nat table picks up the packet and forwards it to port
> 8080, where squid connects to google, retrieves the page and supplies it
> to the browser.
>
> However, this doesn't seem to happen: connections go straight through to
> google from port 80 without being redirected. I have tested this by
> shutting down squid and having no proxy servers configured in the
> browser, yet I can still connect, whereas I would expect an error.
>
> If I check the iptables status before and after doing this I get
>
> Before
>
>     iptables -t nat -v -L
>     Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>      pkts bytes target     prot opt in     out     source     destination
>         0     0 REDIRECT   tcp  --  any    any     anywhere   anywhere     tcp dpt:http redir ports 8080
>
>     Chain POSTROUTING (policy ACCEPT 10 packets, 600 bytes)
>      pkts bytes target     prot opt in     out     source     destination
>
>     Chain OUTPUT (policy ACCEPT 10 packets, 600 bytes)
>      pkts bytes target     prot opt in     out     source     destination
>
> After
>
>     Chain PREROUTING (policy ACCEPT 43 packets, 3496 bytes)
>      pkts bytes target     prot opt in     out     source     destination
>         0     0 REDIRECT   tcp  --  any    any     anywhere   anywhere     tcp dpt:http redir ports 8080
>
>     Chain POSTROUTING (policy ACCEPT 209 packets, 13148 bytes)
>      pkts bytes target     prot opt in     out     source     destination
>
>     Chain OUTPUT (policy ACCEPT 209 packets, 13148 bytes)
>      pkts bytes target     prot opt in     out     source     destination
>
> Since the above seems to indicate packets going through the nat
> prerouting chain but not being acted upon, I suspect I am missing
> something fairly obvious!

<snip>

I must confess to not fully digesting your message as I am up against a
deadline. However, three things come to mind.

1) Are you really sure that Squid has stopped? It frequently runs from a
daemon which continually restarts it even after doing a squid -k shutdown.

2) Do you really want to redirect all traffic destined for port 80, or just
the traffic coming from the Internal network?

3) I believe you must ensure that traffic can flow to interface lo on the
INPUT chain as well as doing the redirect . . . but it has been a long time
since I configured Squid, so I may be wrong.

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
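The quoted setup, with the browser and Squid on the same box, as an added shell example that is not from either poster: packets generated by local processes never traverse nat PREROUTING (that chain only sees packets arriving on an interface), which matches the REDIRECT rule's counter staying at 0 while the chain policy counter climbs, and such connections traverse nat OUTPUT instead. The script adds the PREROUTING rule restricted to the internal network (point 2), an OUTPUT rule for the local browser that excludes Squid's own upstream connections so fetches are not looped back into the proxy, and the lo acceptance on INPUT (point 3). The interface eth1, the subnet 192.168.1.0/24 and the squid user are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Transparent Squid redirect
# for HTTP that covers both forwarded and locally generated connections.
# Placeholders (assumptions): LAN_IF, LAN_NET, SQUID_USER; Squid on 8080.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-8080}"
SQUID_USER="${SQUID_USER:-squid}"
# IPT=echo prints the rules instead of loading them (no root needed).
IPT="${IPT:-iptables}"

redirect_rules() {
  # Forwarded traffic from the internal network enters through eth1 and
  # traverses nat PREROUTING; the -i/-s restriction keeps the redirect
  # from applying to every interface (point 2 above).
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
       -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
  # Connections originated on this host (the browser on the Squid box)
  # never see PREROUTING; they traverse nat OUTPUT. Exclude Squid's own
  # upstream fetches or they would be redirected back into the proxy.
  $IPT -t nat -A OUTPUT -p tcp --dport 80 \
       -m owner ! --uid-owner "$SQUID_USER" \
       -j REDIRECT --to-ports "$PROXY_PORT"
  # Redirected packets are delivered locally: locally generated ones via
  # lo, LAN ones to the proxy port on eth1. filter INPUT must accept both
  # (point 3 above).
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp \
       --dport "$PROXY_PORT" -j ACCEPT
}

# The per-rule pkts counter, not the chain policy counter, tells whether a
# REDIRECT rule ever matched; the policy counter only counts what fell
# through to the end of the chain.
show_counters() {
  $IPT -t nat -L PREROUTING -v -n --line-numbers
  $IPT -t nat -L OUTPUT -v -n --line-numbers
}

# Usage: sh redirect.sh apply            (as root, loads the rules)
#        IPT=echo sh redirect.sh apply   (preview only)
if [ "${1:-}" = "apply" ]; then
  redirect_rules
fi
```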