Hello all,
I'm running a squid at port 3128 as a transparent proxy.
There are requests coming directly to 3128 port and those coming to 80 port and then redirected to 3128 by following rule:
-t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
What I want is block direct requests to 3128, allowing redirected access (transparent proxy) only. How do I do it?
If I just set up a rule in filter chain like:
-t filter -A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j DROP
Those requests redirected from port 80 to 3128 are also blocked by this rule. It seems that the redirected packets come in to this chain once again with the new port number.
This is because the PREROUTING chain is traversed before the INPUT chain, so the dst port of the packets was already modified to 3128. You need to drop the packets in the PREROUTING chain, before the REDIRECT rule:
-t nat -A PREROUTING ..... --dport 3128 -j DROP
-t nat -A PREROUTING ..... --dport 80 -j REDIRECT ....
BTW, a question for those smarter than me: if there are rules in both the nat and mangle PREROUTING chains, which are traversed first? If mangle is done before nat, then one solution could also be:
-t mangle -A PREROUTING ..... --dport 3128 -j MARK --set-mark 1
-t nat -A PREROUTING ..... --dport 80 -j REDIRECT .....
-t filter -A INPUT .... -m mark --mark 1 -j DROP
Suboptimal (more work), but should work if for whatever reason somebody wants to keep all filtering to filter table (if mangle table is done before nat table, of course).
It would be ideal (and most optimal) if the match were possible in the filter table based on the original value of the dst port. I kind of vaguely remember reading about such an extension, but I might be wrong (it might not exist).
--
Aleksandar Milivojevic <amilivojevic@xxxxxx>
Pollard Banknote Limited, Systems Administrator
1499 Buffalo Place, Winnipeg, MB R3T 1L7
Tel: (204) 474-2323 ext 276
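The ordering question in the reply above has a definite answer: for a packet delivered to the local host, netfilter walks mangle PREROUTING, then nat PREROUTING, then mangle INPUT, then filter INPUT, so the MARK-then-DROP variant does work. The "match on the original dst port in the filter table" extension the reply half-remembers also exists in iptables as the conntrack match (`-m conntrack --ctorigdstport`). The following is an added example, not code from the thread: a small Python model of that traversal order that replays the four rulesets (the original poster's filter-INPUT DROP, the nat-PREROUTING DROP, the mark-and-drop variant, and a conntrack-style match) against a client arriving on port 80 and a client hitting 3128 directly. Packet, Rule, deliver and outcomes are names chosen for this example; the model covers only what the thread discusses (dport, mark, REDIRECT, MARK, DROP, and the pre-NAT port remembered by conntrack).

```python
"""Toy model of netfilter chain traversal for locally delivered packets.

Chain order for a packet destined to the local host (fact about iptables):
    mangle PREROUTING -> nat PREROUTING -> mangle INPUT -> filter INPUT
REDIRECT in nat PREROUTING rewrites the destination port, so filter INPUT
only ever sees the post-NAT port unless a match looks at conntrack's
remembered original port (iptables: -m conntrack --ctorigdstport).
All class and function names here are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    dport: int            # destination port as currently seen by the chain
    orig_dport: int = 0   # pre-NAT port, what conntrack records as ctorigdstport
    mark: int = 0         # packet mark set by the MARK target

    def __post_init__(self):
        self.orig_dport = self.dport


@dataclass
class Rule:
    table: str    # mangle / nat / filter
    chain: str    # PREROUTING / INPUT
    match: dict   # any of: dport, mark, ctorigdstport
    target: str   # DROP | ACCEPT | REDIRECT:<port> | MARK:<value>

    def matches(self, pkt: Packet) -> bool:
        checks = {"dport": pkt.dport, "mark": pkt.mark,
                  "ctorigdstport": pkt.orig_dport}
        return all(checks[key] == want for key, want in self.match.items())


# Traversal order for locally delivered packets (constructed to mirror netfilter).
TRAVERSAL = [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
             ("mangle", "INPUT"), ("filter", "INPUT")]


def deliver(rules, pkt: Packet):
    """Walk the chains in order; return (verdict, final dport)."""
    for table, chain in TRAVERSAL:
        for rule in rules:
            if (rule.table, rule.chain) != (table, chain) or not rule.matches(pkt):
                continue
            name, _, arg = rule.target.partition(":")
            if name == "DROP":
                return "DROP", pkt.dport
            if name == "REDIRECT":          # terminating: rewrite port, leave chain
                pkt.dport = int(arg)
                break
            if name == "MARK":              # non-terminating: keep walking the chain
                pkt.mark = int(arg)
            if name == "ACCEPT":
                break
    return "ACCEPT", pkt.dport


REDIRECT_80 = Rule("nat", "PREROUTING", {"dport": 80}, "REDIRECT:3128")

# 1. The original poster's attempt: DROP 3128 in filter INPUT.
NAIVE = [REDIRECT_80, Rule("filter", "INPUT", {"dport": 3128}, "DROP")]
# 2. The reply's fix: DROP in nat PREROUTING, placed before the REDIRECT rule.
NAT_DROP = [Rule("nat", "PREROUTING", {"dport": 3128}, "DROP"), REDIRECT_80]
# 3. The reply's alternative: mark in mangle PREROUTING, drop by mark in filter INPUT.
MARK_DROP = [Rule("mangle", "PREROUTING", {"dport": 3128}, "MARK:1"), REDIRECT_80,
             Rule("filter", "INPUT", {"mark": 1}, "DROP")]
# 4. Match the pre-NAT port in filter INPUT (conntrack --ctorigdstport style).
CTORIG = [REDIRECT_80,
          Rule("filter", "INPUT", {"dport": 3128, "ctorigdstport": 3128}, "DROP")]


def outcomes(rules) -> dict:
    """Verdicts for a transparently redirected client and a direct-to-3128 client."""
    return {"via_80": deliver(rules, Packet(80))[0],
            "direct_3128": deliver(rules, Packet(3128))[0]}


if __name__ == "__main__":
    for label, rules in [("naive filter DROP", NAIVE), ("nat PREROUTING DROP", NAT_DROP),
                         ("mangle MARK + filter DROP", MARK_DROP), ("ctorigdstport", CTORIG)]:
        print(f"{label:28s} {outcomes(rules)}")
```

Running the script shows the first ruleset dropping both clients, which is exactly the symptom in the question, and the other three dropping only the direct connection. Of the three fixes, the conntrack-based match keeps all filtering in the filter table, which is what the reply wished for; the nat-table DROP works but relies on a filtering decision in a table that is consulted only for the first packet of a connection.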