Thu 2006-12-14 at 18:52 -0200, Bernardo Vieira wrote:
> direct access to the domain .caixa.gov.br (200.201.160/20). All requests
> will go on port 80, tcp on the remote end but the protocol isn't http.
> To achieve this I tried adding the following rules to iptables:
>
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 200.201.160.0/255.255.240.0\
> -p tcp --sport 1024:65535 --dport 80 -j ACCEPT

Almost correct. The only thing is that it needs to be in the nat table,
before the PREROUTING REDIRECT rule, not filter FORWARD.

The packet flow in netfilter looks something like the following graph
(best viewed with a monospace fontface such as courier):

[network] -> PREROUTING -> [routing] -> FORWARD -> POSTROUTING -> [network]
                              |                        ^
                              v                        |
                            INPUT --> [tcp/ip] --> OUTPUT
                                        ^     |
                                        |     v
                                        [squid]

Regards
Henrik
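As an added example (not code from the thread, nor Squid's own), the script below emits the nat-table rules in the order Henrik describes, the bypass ACCEPT ahead of the REDIRECT in PREROUTING, and includes a check that reads a ruleset in iptables-save format and confirms that the bypass sits in nat PREROUTING before the REDIRECT. It assumes Squid listens on its default port 3128 on the gateway; the LAN (192.168.1.0/24) and bypass destination (200.201.160.0/20) are taken from Bernardo's post. The `wrong_rules` function reconstructs Bernardo's placement (bypass in filter FORWARD) so the check can be seen to reject it.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: Squid's http_port is the default 3128 on this gateway.
LAN_NET=192.168.1.0/24
BYPASS_NET=200.201.160.0/20
SQUID_PORT=3128

# Emit the nat table in iptables-restore format. The ACCEPT for the bypassed
# destination comes first: it ends PREROUTING traversal for those packets
# before the REDIRECT is reached, so they are routed (and hit FORWARD)
# instead of being delivered to Squid via INPUT.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s $LAN_NET -d $BYPASS_NET -p tcp --dport 80 -j ACCEPT
-A PREROUTING -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
COMMIT
EOF
}

# Constructed reproduction of the original (non-working) placement: the
# bypass lives in filter FORWARD, which a REDIRECTed packet never reaches.
wrong_rules() {
    cat <<EOF
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s $LAN_NET -d $BYPASS_NET -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
COMMIT
EOF
}

# Check a ruleset (iptables-save format on stdin): the bypass ACCEPT for
# BYPASS_NET must be in the nat PREROUTING chain and precede the first
# REDIRECT there. Prints "ok" and returns 0, otherwise returns 1 with the
# reason on stderr. Run against live rules with: iptables-save | check_bypass_order
check_bypass_order() {
    awk -v dst="$BYPASS_NET" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING / && / -j ACCEPT/ && index($0, "-d " dst) {
            if (!accept_seen) accept_seen = NR
        }
        table == "nat" && /^-A PREROUTING / && / -j REDIRECT/ {
            if (!redirect_seen) redirect_seen = NR
        }
        END {
            if (!accept_seen) {
                print "bypass ACCEPT not found in nat PREROUTING" > "/dev/stderr"; exit 1
            }
            if (redirect_seen && accept_seen > redirect_seen) {
                print "bypass ACCEPT comes after REDIRECT" > "/dev/stderr"; exit 1
            }
            print "ok"
        }'
}

# Load the nat table. Note: iptables-restore flushes each table it is given
# (here only nat) before loading, so existing nat rules are replaced.
apply_rules() {
    nat_rules | iptables-restore
}
```

Source the script and call `apply_rules` as root to load the rules; `iptables-save | check_bypass_order` afterwards confirms the ordering survived any later edits.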