> Hello all,
>
> I'm running Squid on port 3128 as a transparent proxy.
>
> There are requests coming directly to port 3128 and
> those coming to port 80 and then redirected to 3128 by
> the following rule:
>
> -t nat -A PREROUTING -i eth0 -p tcp -m tcp \
> --dport 80 -j REDIRECT --to-ports 3128
>
> What I want is to block direct requests to 3128, allowing
> redirected access (transparent proxy) only. How do I do it?
>
> If I just set up a rule in the filter chain like:
>
> -t filter -A INPUT -i eth0 -p tcp -m tcp \
> --dport 3128 -j DROP
>
> those requests redirected from port 80 to 3128 are also
> blocked by this rule. It seems that the redirected packets
> come into this chain once again with the new port number.
>
> How can I differentiate these two different kinds of
> request? Any clue will be greatly appreciated.
>
> Jinsuk Kim

Mark the packets that will get redirected, and only accept them if they
have the mark:

# mark packets with dst port 80
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 \
    -j MARK --set-mark 1

# redirect port 80 to 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
    -j REDIRECT --to-ports 3128

# accept packets to 3128 that have the mark
iptables -A INPUT -i eth0 -p tcp --dport 3128 -m mark --mark 1 \
    -j ACCEPT
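The following script is an added example, not part of the thread. It installs the mark-based rule set from the reply as one unit and adds the piece that "only accept them if they have the mark" requires in practice: a final DROP for packets that reach port 3128 on eth0 without the mark, i.e. the direct connections the question wants blocked. The interface, ports and mark value (eth0, 80 to 3128, mark 1) are taken from the thread and can be overridden through the environment; the `DRY_RUN` switch, `install_rules` and the helper functions are this example's own, not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the original post): mark-based transparent Squid
# proxy rules, completed with a DROP for unmarked packets to the proxy port.
# Defaults below are assumptions taken from the thread; override via env.
IFACE="${IFACE:-eth0}"
HTTP_PORT="${HTTP_PORT:-80}"
PROXY_PORT="${PROXY_PORT:-3128}"
MARK="${MARK:-1}"

# Run iptables, or only print the command when DRY_RUN is set, so the rule
# set can be reviewed before it touches a live firewall.
rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

install_rules() {
    # mangle PREROUTING is traversed before nat PREROUTING and before
    # conntrack rewrites the later packets of an already-redirected
    # connection, so every packet of a client's port-80 connection still
    # shows --dport 80 at this point and receives the mark.
    rule -t mangle -A PREROUTING -i "$IFACE" -p tcp --dport "$HTTP_PORT" \
        -j MARK --set-mark "$MARK"

    # REDIRECT rewrites the destination port but leaves the packet mark
    # intact, which is what lets INPUT tell the two kinds of packet apart.
    rule -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$HTTP_PORT" \
        -j REDIRECT --to-ports "$PROXY_PORT"

    # Redirected packets carry the mark: let them reach Squid.
    rule -t filter -A INPUT -i "$IFACE" -p tcp --dport "$PROXY_PORT" \
        -m mark --mark "$MARK" -j ACCEPT

    # Anything else arriving on the interface for the proxy port was sent
    # to 3128 directly and never passed the mark rule: drop it. Order
    # matters; this must come after the ACCEPT above.
    rule -t filter -A INPUT -i "$IFACE" -p tcp --dport "$PROXY_PORT" -j DROP
}

# Number of rules a dry run would install (sanity check before applying).
rule_count() {
    DRY_RUN=1 install_rules | grep -c '^iptables '
}

# 1-based position of the first dry-run rule whose text matches pattern $1,
# used to verify that ACCEPT is installed ahead of the catch-all DROP.
rule_position() {
    DRY_RUN=1 install_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    preview) DRY_RUN=1 install_rules ;;   # sh transparent-squid.sh preview
    apply)   install_rules ;;             # sh transparent-squid.sh apply (as root)
esac
```

Preview the rules with `sh transparent-squid.sh preview` and apply them as root with `apply`. Because every rule carries `-i eth0`, connections to Squid from the box itself (loopback) are untouched; only hosts on eth0 that address port 3128 directly are dropped. After applying, `iptables -t filter -L INPUT -n -v` shows the packet counters on the ACCEPT and DROP rules, which is the quickest way to confirm that redirected traffic is hitting the marked ACCEPT and direct attempts are landing on the DROP.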