Search squid archive

Re: client ip's

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jorge Bastos wrote:
The rule I use to redirect traffic from 80 to 8080 is:
I must remember, this was working before 3.0 stable1 or stable2 (not using
stable2), I just saw this was happening now.

What version did you upgrade from?


iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j DNAT
--to-destination 192.168.1.1:8080


If squid is running on this same box I would recommend the REDIRECT target instead of DNAT. It's less work for the kernel.

The other possible issue is that you have your redirection rule at the start of the NAT tables. The matching rule to allow squid traffic out is near the end.

Even if you keep DNAT, they should be in this order:

# allow squid traffic out okay.
iptables -t nat _A PREROUTING -s 192.168.1.1 -p tcp --dport 80 -j ACCEPT
# redirect all other web traffic into squid.
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080


cisne:~# iptables-save -t nat
# Generated by iptables-save v1.4.0 on Wed Apr  2 17:12:25 2008
*nat
:PREROUTING ACCEPT [35:1650]
:POSTROUTING ACCEPT [10307:1367320]
:OUTPUT ACCEPT [66427:4357431]
-A PREROUTING -d 193.164.158.105/32 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5111 -j DNAT --to-destination
192.168.1.11:5900
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5901 -j DNAT --to-destination
192.168.1.2:5900
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5969 -j DNAT --to-destination
192.168.1.3:5900
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination
192.168.1.204:3389
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 192.168.1.1:8080
-A PREROUTING -p gre -j ACCEPT
-A PREROUTING -p icmp -j ACCEPT
-A PREROUTING -p ah -j ACCEPT
-A PREROUTING -p udp -m udp --dport 53 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 500 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 1723 -j ACCEPT
-A PREROUTING -p udp -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 20 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 21 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 23 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 25 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 43 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 79 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 123 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 143 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 444 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 1723 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 1863 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 3306 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 3389 -j ACCEPT
-A PREROUTING -d 80.172.172.34/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 5190 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 5900 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 5901 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 6667 -j ACCEPT
-A PREROUTING -s 192.168.1.0/24 -d 192.168.1.206/32 -p tcp -m tcp --dport
8888 -j ACCEPT
-A PREROUTING -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 30106 -j DNAT --to-destination
192.168.1.224:30106
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 62500:63500
--tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A PREROUTING -j DROP
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Apr  2 17:12:26 2008

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx] Sent: quarta-feira, 2 de Abril de 2008 11:42
To: Jorge Bastos
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: RE:  client ip's

WHat do your iptables NAT rules look like?

iptables-save -t nat

ons 2008-04-02 klockan 09:18 +0100 skrev Jorge Bastos:
Transparent proxy

Squid running on: 8080
And I forward 80 => 8080 (squid) => web

My iptables rules are intact, I believe it was from 3.0 stable 1 or 2 that
this started to happen.




-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
Sent: quarta-feira, 2 de Abril de 2008 0:12
To: Jorge Bastos
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: RE:  client ip's

tis 2008-04-01 klockan 12:29 +0100 skrev Jorge Bastos:
No, just squid himself.
As a plain proxy, or playing with NAT?

Regards
Henrik



--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux