Thanks Edvin,

We have two Internet service providers. The scenario is: 192.168.0.1 is on my ISP 1, and now I have installed a second proxy server on another computer, which is 192.168.0.3 on the ISP 2 connection. We have assigned IPs to our internal machines from the range 192.168.0.4 to 192.168.0.250. We have some upload/download bandwidth limitations on ISP 1. I want to use the 192.168.0.3 proxy server for some IPs; I have taken 192.168.0.10 as an example IP.

The browser settings of the 192.168.0.10 computer point to 192.168.0.1:3128. I want to set up the firewall on 192.168.0.1 so that the request coming from 192.168.0.10 for 192.168.0.1:3128 will be forwarded to 192.168.0.3:3128, so he/she will invisibly use the proxy 192.168.0.3:3128. Could you please help me to solve the problem?

Nilesh.

--- Seferovic Edvin <edvin.seferovic@xxxxxxx> wrote:

> Hi,
>
> first of all, an IP address should have a /32 mask - or simply NO mask!
>
> INTIP="192.168.0.1/24" <<< but I haven't seen the use of this variable in your script
>
> You are prerouting http traffic to your proxy (squid I suppose) which is running on the same machine (192.168.0.1)! So you need
>
> --to-port 3128 without the IP address
>
> $IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 192.168.0.1:3128 <<<
>
> I do NOT see the aim of this rule.. every packet from 192.168.0.10 to 192.168.0.1 (the machine with this firewall script) which comes in on the same ethernet card? There is a forward chain for the packets that are being routed. Every packet which has the destination of a local eth card hits the input chain. So your following rule should be changed
>
> $IPTABLES -A FORWARD -s 192.168.0.10 -i eth1 -d 192.168.0.1 -o eth1 -p tcp --sport 1024:65535 --dport 3128 -j ACCEPT
>
> .. to something that suits your needs!
>
> Regards,
>
> Edvin
>
> -----Original Message-----
> From: Nilesh [mailto:niluforalways@xxxxxxxxx]
> Sent: Monday, 13 March 2006 12:39
> To: Nilesh; edvin.seferovic@xxxxxxx; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: port forwarding from IP range
>
> Sorry, the earlier mail was without the attachment.
>
> --- Nilesh <niluforalways@xxxxxxxxx> wrote:
>
> > no, there is only the Forward default chain.
> > I am confused. I have attached herewith my rc.firewall; could you please look into it, in case I am going the wrong way.
> >
> > Thanks
> > Nilesh,
> >
> > --- Seferovic Edvin <edvin.seferovic@xxxxxxx> wrote:
> >
> > > -i eth1 -o eth1 ??? How is this supposed to work? Is there any forward chain on one interface?
> > >
> > > iptables -A FORWARD -s 192.168.0.10 -i eth1 -d 192.168.0.1 -o eth1 -p tcp --sport 1024:65535 --dport 3128 -j ACCEPT
> > >
> > > Regards,
> > >
> > > Edvin
> > >
> > > --- Rob Sterenborg <rob@xxxxxxxxxxxxxxx> wrote:
> > >
> > > > On Mon, March 13, 2006 09:53, Nilesh wrote:
> > > > > Thanks Leandro,
> > > > >
> > > > > I have tried with these rules but unfortunately they are not working.
> > > > > The Squid server is running on 192.168.0.3 and it's working fine. I have not installed any firewall on 192.168.0.3.
> > > > > In my Internet browser settings, if I change the settings from 192.168.0.1:3128 to 192.168.0.3:3128 I can surf the web,
> > > > > but if I don't change the proxy settings to 192.168.0.3:3128 I get a connection timeout error.
> > > > >
> > > > > I think DNAT is not working
> > > >
> > > > Probably you tell Netfilter to do DNAT, but are not allowing it.
> > > > Do you have a FORWARD rule that allows this traffic, or is your policy ACCEPT?
> > > >
> > > > Please don't top-post.
> > > >
> > > >
> > > > Gr,
> > > > Rob
> > > >
> > > >
> > > > > --- Leandro Silva <lansoweb@xxxxxxxxx> wrote:
> > > > >
> > > > >> Hello !
> > > > >>
> > > > >> You can use something like that:
> > > > >>
> > > > >> iptables -I PREROUTING -t nat -s 192.168.0.10 -p tcp --dport 80 -j DNAT --to 192.168.0.3:3128
> > > > >> iptables -I PREROUTING -t nat -s 192.168.0.10 -p tcp --dport 3128 -j DNAT --to 192.168.0.3:3128
> > > > >>
> > > > >> If you have iprange compiled for iptables you can use:
> > > > >>
> > > > >> iptables -I PREROUTING -t nat -m iprange --src-range 192.168.0.10-192.168.0.20 -p tcp --dport 80 -j DNAT --to 192.168.0.3:3128
> > > > >> iptables -I PREROUTING -t nat -m iprange --src-range 192.168.0.10-192.168.0.20 -p tcp --dport 3128 -j DNAT --to 192.168.0.3:3128
> > > > >>
> > > > >> I hope this can help,
> > > > >> Leandro
> > > > >>
> > > > >> 2006/3/11, Nilesh <niluforalways@xxxxxxxxx>:
> > > > >> > Dear all,
> > > > >> >
> > > > >> > I have two squid proxy servers and two ISPs
> > > > >> >
> > > > >> > 1) 192.168.0.1 port 3128
> > > > >> > 2) 192.168.0.3 port 3128
> > > > >> >
> > > > >> > We have around 70 computers assigned IPs between 192.168.0.4 and 192.168.0.250.
> > > > >> > The default proxy we are using is 192.168.0.1, which is on ISP 1.
> > > > >> > Now I have configured the 192.168.0.3 squid proxy server on the ISP 2 line.
> > > > >> > Both ISP 1 and ISP 2 are landing (connected) on the same switch.
> > > > >> >
> > > > >> > Now I want to set up the requests coming from the IP range (192.168.0.10 to 192.168.0.20) for 192.168.0.1:3128
> > > > >> > to be forwarded to 192.168.0.3:3128,
> > > > >> > so the users from this IP range will access only the 192.168.0.3 proxy server.
> > > > >> >

=== message truncated ===
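The rule set this thread is circling around, written out as an added example; it is not code from any of the posters and not from the attached rc.firewall. It runs on the 192.168.0.1 box, uses the interface name eth1, the addresses and port 3128 that appear in the thread, and the iprange match Leandro suggested. Two things it adds are assumptions about what the setup needs rather than something the thread confirms: the FORWARD rules match the post-DNAT destination (192.168.0.3, not 192.168.0.1, since FORWARD sees the packet after nat PREROUTING has rewritten it), and the diverted connections are also SNATed to 192.168.0.1 in POSTROUTING, because a proxy on the same segment as the client would otherwise answer the client directly with source 192.168.0.3, and the client, which opened its connection to 192.168.0.1, would drop those replies. The script prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example for the netfilter thread above; not code from any poster.
# Runs on the default proxy box (192.168.0.1). eth1, the addresses and
# port 3128 come from the thread; the SNAT step, the state matches and the
# FORWARD rules matching the post-DNAT destination are assumptions.

LAN_IF="eth1"
FW_IP="192.168.0.1"                        # default proxy, runs this script
ALT_PROXY="192.168.0.3"                    # second Squid, on the ISP 2 line
PROXY_PORT="3128"
DIVERT_RANGE="192.168.0.10-192.168.0.20"   # clients to move to ALT_PROXY

# Print the four rules instead of running them:
#  1. nat PREROUTING: rewrite the destination, so the client still believes
#     it is talking to $FW_IP:$PROXY_PORT.
#  2./3. FORWARD: by the time the packet reaches FORWARD the destination is
#     already $ALT_PROXY, so that is what the rule must match. Both -i and -o
#     are $LAN_IF because client and second proxy sit on the same segment.
#  4. nat POSTROUTING: SNAT the diverted connection to $FW_IP so the second
#     proxy's replies come back through this box, where conntrack can undo
#     both translations, instead of going straight to the client.
divert_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -m iprange --src-range $DIVERT_RANGE -p tcp -d $FW_IP --dport $PROXY_PORT -j DNAT --to-destination $ALT_PROXY:$PROXY_PORT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -m iprange --src-range $DIVERT_RANGE -p tcp -d $ALT_PROXY --dport $PROXY_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $ALT_PROXY -p tcp --sport $PROXY_PORT -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $LAN_IF -m iprange --src-range $DIVERT_RANGE -p tcp -d $ALT_PROXY --dport $PROXY_PORT -j SNAT --to-source $FW_IP
EOF
}

# Apply the rules; forwarding between (here: within) interfaces must be on
# or nothing diverted ever leaves the box.
apply_divert_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    divert_rules | sh -e
}

# Review with:  sh rc.divert.sh   (prints the rules)
# Apply with:   . ./rc.divert.sh && apply_divert_rules
divert_rules
```

The price of the SNAT in rule 4 is that Squid on 192.168.0.3 logs every diverted client as 192.168.0.1; if per-client logs matter, the alternative is to make 192.168.0.1 the default gateway of the diverted clients' replies, which this segment layout does not offer. Rule 1 only touches port 3128 because the browsers are already configured to use a proxy; the port-80 DNAT from earlier in the thread is only needed for clients with no proxy setting at all.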