On Sat, 2004-06-26 at 17:51, Dimitar Katerinski wrote:
>
> Hello ken,
>
> Yes, on a single machine it will work with no problems. You should specify
> an incoming interface for the above iptables rule though. Do it like this:
>
> iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-ports 8181
>
> where $LAN_IFACE is the interface connected to your internal network.

I only have a single network card/interface on this box (eth0, I guess). Does that matter in this proxy context?

> And the scheme is as follows:
> 1. A client sends a request for a specific page.
> 2. The linux box sees it's a request for destination port 80 and
> redirects it to port 8181 where DG is listening.
> 3. DG takes the request, does what it does (content filtering, etc.), and
> sends it to Squid.
> 4. Squid requests the specific page, and gives it back to DG, which again
> does what it does.
> 5. DG then, if everything is ok, serves the requested page to the client.
>
>
> About your question:
> > ..when squid finally wants to send out the actual
> > request to the internet, isn't that a port 80 request that the above
> > iptables rule will redirect back to Dansguardian??
>
> No, basically it won't. Unless you have the same rule in the OUTPUT chain
> of the nat table. The PREROUTING chain applies to packets which hit the
> box coming from somewhere outside, and not packets which originate from the
> machine itself.

Dimitar,

Your explanation here is great but it throws me a bit since the packet requests coming from the browsers will all be internal requests (i.e. on the same machine), so is a PREROUTING rule the right choice? In other words I want to apply a routing rule to internal requests (except those from squid).

I appreciate your detailed response and I have looked for a "life of a packet" explanation such as you provided but have not found it as yet. In your 5-step explanation, when are the iptables rules applied?

Thanks
Ken
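To make the PREROUTING versus OUTPUT distinction in the reply concrete, here is an added example (not code from either poster) that emits the nat rules for this DG-in-front-of-Squid layout in dry-run form: the thread's PREROUTING rule for browsers on other hosts, plus an OUTPUT-chain rule for browsers on the proxy box itself that exempts Squid's own fetches so they cannot loop back into DG. It assumes Squid runs as the Unix user "squid" and that DG talks to Squid on a port other than 80, neither of which the thread states.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Dry run by default: IPTABLES=echo prints the rules instead of loading them;
# set IPTABLES=iptables to apply them for real.
# Assumptions (not in the original mail): Squid runs as user "squid" and
# DG forwards to Squid on a port other than 80, so only Squid's outbound
# fetches need an exemption.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IFACE="${LAN_IFACE:-eth0}"
DG_PORT=8181
SQUID_USER="${SQUID_USER:-squid}"

# Browsers on other hosts: their packets enter on $LAN_IFACE and traverse
# the nat PREROUTING chain, so this is the rule from the thread.
lan_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$DG_PORT"
}

# Browsers on the proxy box itself: locally generated packets never see
# PREROUTING, only the nat OUTPUT chain. Squid's fetches to the internet
# are locally generated too, so they are matched by owner uid and returned
# before the REDIRECT; otherwise they would be sent back to DG in a loop.
local_rules() {
    $IPTABLES -t nat -A OUTPUT -o lo -j RETURN
    $IPTABLES -t nat -A OUTPUT -p tcp --dport 80 -m owner \
        --uid-owner "$SQUID_USER" -j RETURN
    $IPTABLES -t nat -A OUTPUT -p tcp --dport 80 \
        -j REDIRECT --to-ports "$DG_PORT"
}

# Emit (or load) the full rule set; rule order matters because the
# owner-based RETURN must precede the REDIRECT.
all_rules() {
    lan_rules
    local_rules
}

all_rules
```

Run it as-is to review the four rules it would load, then re-run with IPTABLES=iptables as root to apply them.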