* [Q] Some newbie questions.....
@ 2004-04-09 4:31 Donovan J. Edye
2004-04-09 7:26 ` Rob Sterenborg
0 siblings, 1 reply; 2+ messages in thread
From: Donovan J. Edye @ 2004-04-09 4:31 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 1114 bytes --]
G'Day,
I have the following setup: CAPS = Device / Machine
- ROUTER: WAN Address: xxxxxxxxx LAN Address: 192.168.40.1
- IPTABLES: 1 LAN Interface 192.168.40.5 (Gateway: 192.168.40.1)
- PROXY: 1 LAN Interface 192.168.40.10 (Gateway: 192.168.40.5)
I have a number of other machines also on the 192.168.40/24 network who all
have their GW set to 192.168.40.5. What I want NETFILTER to do is the
following:
- Have a transparent proxy such that any port 80 connections from
these machines get processed by PROXY on port 3128
- Allow all established connections from these machines to be allowed
out via 192.168.40.1 otherwise disallowed
- IPTABLES to do no NAT as that is already being done by ROUTER
Can anyone help me with some sample rules to get going?
TIA
--Donovan
Web: http://www.edye.wattle.id.au <http://www.edye.wattle.id.au/>
----------------------------------------------------------------------
SetiStats - Get your SETI statistics delivered to your mailbox daily.
http://www.edye.wattle.id.au/p.php?page=/delphi/setistats
----------------------------------------------------------------------
[-- Attachment #2: winmail.dat --]
[-- Type: application/ms-tnef, Size: 5892 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [Q] Some newbie questions.....
2004-04-09 4:31 [Q] Some newbie questions Donovan J. Edye
@ 2004-04-09 7:26 ` Rob Sterenborg
0 siblings, 0 replies; 2+ messages in thread
From: Rob Sterenborg @ 2004-04-09 7:26 UTC (permalink / raw)
To: netfilter
> I have the following setup: CAPS = Device / Machine
>
> - ROUTER: WAN Address: xxxxxxxxx LAN Address: 192.168.40.1
> - IPTABLES: 1 LAN Interface 192.168.40.5 (Gateway: 192.168.40.1)
> - PROXY: 1 LAN Interface 192.168.40.10 (Gateway: 192.168.40.5)
These only have 1 interface each ?
Are you connecting all the machines (clients too) to a hub or switch ?
> I have a number of other machines also on the 192.168.40/24 network who
all
> have their GW set to 192.168.40.5. What I want NETFILTER to do is the
> following:
>
> - Have a transparent proxy such that any port 80 connections from
> these machines get processed by PROXY on port 3128
If iptables is not doing NAT, then what is it for with 1 NIC ?
You could as well set the default gateway of the workstations to
192.168.40.1 and configure the webbrowsers to use the proxy at
192.168.40.10. So you can skip the iptables box.
Anyway, not sure if it will work but you can try this :
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED \
-j ACCEPT
iptables -A FORWARD -s 192.168.40.0/24 -d 192.168.40.10 -p tcp \
--dport 3128 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.40.0/24 -p tcp \
--dport 80 -j DNAT --to-destination 192.168.40.10:3128
echo 1 > /proc/sys/net/ipv4/ip_forward
> - Allow all established connections from these machines to be allowed
> out via 192.168.40.1 otherwise disallowed
> - IPTABLES to do no NAT as that is already being done by ROUTER
Don't use any SNAT/MASQUERADE rules. Then it won't NAT.
Gr,
Rob
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2004-04-09 7:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-04-09 4:31 [Q] Some newbie questions Donovan J. Edye
2004-04-09 7:26 ` Rob Sterenborg
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.