* configure firewall & NAT & cache with each other
@ 2005-01-30 4:15 Alireza Yazdani
2005-01-30 18:03 ` configure firewall & NAT & cache with each other (nfcan: addressed to exclusive sender for this address) Jim Laurino
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Alireza Yazdani @ 2005-01-30 4:15 UTC (permalink / raw)
To: netfilter
Hello all,
I have 2 boxes for cache, bandwidth manager, firewall and NAT.
One box is a cache server (squid) only, and the other box is the bandwidth manager, firewall and NAT server.
I don't have any rules on my squid box. The default gateway of my users is my firewall box. My firewall box has 2 Ethernet interfaces (user side and Internet side).
IP of firewall box is:
iptables_box_ILAN=172.16.5.5 (user side)(eth0)
iptables_box_WLAN=212.213.38.100 (internet side)(eth1)
IP of cache box is:
squid_box=172.16.5.6
The default gateway of the cache box is the firewall box.
I use this rule for NAT:
iptables -t nat -A POSTROUTING -s 172.16.5.0/24 -o eth1 -j SNAT --to 212.213.38.100
Now I want to redirect requests on port 80 to the cache box:
local_network=172.16.5.0/24
iptables_box_ILAN=172.16.5.5
iptables_box_WLAN=212.213.38.100
iptables -t nat -A PREROUTING -i eth0 -s ! $squid_box -p tcp --dport 80 -j DNAT --to $squid_box:3128
iptables -t nat -A POSTROUTING -s $local_network -d $squid_box -o eth0 -j SNAT --to $iptables_box_ILAN
iptables -A FORWARD -s $local_network -d $squid_box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
When I don't use NAT it works correctly, and when I put everything on one Ethernet interface it works correctly.
But when I have two Ethernet interfaces and I NAT on the firewall box, it does not work correctly.
Please help me.
Thanks.
* Re: configure firewall & NAT & cache with each other (nfcan: addressed to exclusive sender for this address)
From: Jim Laurino @ 2005-01-30 18:03 UTC (permalink / raw)
To: netfilter
On 2005.01.29 23:15, Alireza Yazdani - yazdani1193@yahoo.com wrote:
>
> Hello all,
>
> I have 2 boxes for cache, bandwidth manager, firewall and NAT.
>
> One box is a cache server (squid) only, and the other box is the bandwidth manager,
> firewall and NAT server.
>
> I don't have any rules on my squid box. The default gateway of my users is my
> firewall box. My firewall box has 2 Ethernet interfaces (user side and Internet side).
>
> IP of firewall box is:
>
> iptables_box_ILAN=172.16.5.5 (user side)(eth0)
>
> iptables_box_WLAN=212.213.38.100 (internet side)(eth1)
>
> IP of cache box is:
>
> squid_box=172.16.5.6
>
> The default gateway of the cache box is the firewall box.
>
> I use this rule for NAT:
>
> iptables -t nat -A POSTROUTING -s 172.16.5.0/24 -o eth1 -j SNAT --to
> 212.213.38.100
>
> Now I want to redirect requests on port 80 to the cache box:
>
> local_network=172.16.5.0/24
>
> iptables_box_ILAN=172.16.5.5
>
> iptables_box_WLAN=212.213.38.100
>
> iptables -t nat -A PREROUTING -i eth0 -s ! $squid_box -p tcp --dport 80 -j
> DNAT --to $squid_box:3128
>
> iptables -t nat -A POSTROUTING -s $local_network -d $squid_box -o eth0 -j
> SNAT --to $iptables_box_ILAN
I think you do not need to do SNAT here for the local hosts.
The DNAT rule, above, should be enough.
This is not a rule to SNAT the squid box to the internet,
which you probably do want to do.
Recall that you do not say exactly what is not working,
so I can not be sure how to diagnose the problem.
One piece of advice I can give is that the most powerful tool
for firewall trouble-shooting is
the built-in rule-match counters.
To review the counts, use something like:
iptables -L -nvx >> file-for-review
or
iptables -t nat -L -nvx >> file-for-review
The counts show you which rules are matching,
and allow you to trace the source of the problem.
>
> iptables -A FORWARD -s $local_network -d $squid_box -i eth0 -o eth0 -p tcp
> --dport 3128 -j ACCEPT
>
> When I don't use NAT it works correctly, and when I put everything on one Ethernet interface it
> works correctly.
>
> But when I have two Ethernet interfaces and I NAT on the firewall box, it does not work
> correctly.
>
> Please help me.
>
> Thanks.
--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
* Re: configure firewall & NAT & cache with each other (nfcan: addressed to exclusive sender for this address)
From: Jim Laurino @ 2005-01-31 1:24 UTC (permalink / raw)
To: netfilter
On 2005.01.29 23:15, Alireza Yazdani - yazdani1193@yahoo.com wrote:
>
> Hello all,
>
> I have 2 boxes for cache, bandwidth manager, firewall and NAT.
>
> One box is a cache server (squid) only, and the other box is the bandwidth manager,
> firewall and NAT server.
>
> I don't have any rules on my squid box. The default gateway of my users is my
> firewall box. My firewall box has 2 Ethernet interfaces (user side and Internet side).
>
> IP of firewall box is:
>
> iptables_box_ILAN=172.16.5.5 (user side)(eth0)
>
> iptables_box_WLAN=212.213.38.100 (internet side)(eth1)
>
> IP of cache box is:
>
> squid_box=172.16.5.6
>
> The default gateway of the cache box is the firewall box.
>
> I use this rule for NAT:
>
> iptables -t nat -A POSTROUTING -s 172.16.5.0/24 -o eth1 -j SNAT --to
> 212.213.38.100
>
> Now I want to redirect requests on port 80 to the cache box:
>
> local_network=172.16.5.0/24
>
> iptables_box_ILAN=172.16.5.5
>
> iptables_box_WLAN=212.213.38.100
>
> iptables -t nat -A PREROUTING -i eth0 -s ! $squid_box -p tcp --dport 80 -j
> DNAT --to $squid_box:3128
>
On reflection, the NAT source and destination syntax
is not quite right (you do not use --to); instead:
iptables -t nat -A PREROUTING -i eth0 -s ! $squid_box -p tcp --dport 80 -j DNAT --to-destination $squid_box:3128
> iptables -t nat -A POSTROUTING -s $local_network -d $squid_box -o eth0 -j
> SNAT --to $iptables_box_ILAN
>
iptables -t nat -A POSTROUTING -s $local_network -d $squid_box -o eth0 -j SNAT --to-source $iptables_box_ILAN
A SNAT rule like this allows clients on the local net to address a server
on the local net by the external ip address. The packets appear to come
from the firewall, therefore the server replies there. I do not see why
this is needed for a proxy. I think the proxy does need SNAT for itself
to reach the internet. Something like this, which you may already have:
iptables -t nat -A POSTROUTING -s $squid_box -o eth1 -j SNAT --to-source $iptables_box_WLAN
> iptables -A FORWARD -s $local_network -d $squid_box -i eth0 -o eth0 -p tcp
> --dport 3128 -j ACCEPT
>
> When I don't use NAT it works correctly, and when I put everything on one Ethernet interface it
> works correctly.
>
> But when I have two Ethernet interfaces and I NAT on the firewall box, it does not work
> correctly.
>
--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
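An added example, not the poster's script and not Jim Laurino's rules: a POSIX sh script that loads the transparent-proxy rule set for the layout in this thread (two-interface firewall, squid on the user-side subnet). The long option names (--to-destination, --to-source), the "! -s" negation form and the "-m state" match are assumptions about a current iptables rather than the 2005 one discussed here; the variable names are constructed. The `hairpin_snat_needed` check spells out what the poster's POSTROUTING SNAT rule is for: when the DNAT target shares the client subnet, squid's replies would go straight to the client on the same link and never pass the firewall's conntrack entry that undoes the DNAT, so the client sees a reply from the wrong address and resets the connection. SNAT to the firewall's LAN address keeps the reply flowing back through the firewall; the operational cost is that squid's access log then shows the firewall address for every client, which matters for auditing. The `in_subnet` helper is general for any NET/PREFIX, which goes beyond the single /24 in the thread. Set IPT="echo iptables" (or pass --dry-run) to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example for the two-interface firewall + separate squid box layout
# in this thread. Constructed here; not the poster's or Jim Laurino's script.
# Assumes an iptables that accepts the long option names and "! -s" negation.
# Set IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-iptables}"

LAN_IF=eth0                 # user side
WAN_IF=eth1                 # internet side
LOCAL_NET=172.16.5.0/24
FW_LAN_IP=172.16.5.5        # the poster's iptables_box_ILAN
FW_WAN_IP=212.213.38.100    # the poster's iptables_box_WLAN
SQUID_IP=172.16.5.6         # the poster's squid_box
SQUID_PORT=3128

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet NET/PREFIX IP: succeed (exit 0) when IP lies inside NET/PREFIX.
in_subnet() {
    case $1 in */*) ;; *) set -- "$1/32" "$2" ;; esac
    _net=${1%/*}; _prefix=${1#*/}
    _mask=$(( (4294967295 << (32 - _prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$_net") & _mask )) -eq $(( $(ip_to_int "$2") & _mask )) ]
}

# When the DNAT target (squid) sits on the same subnet as the clients, its
# replies go straight back to the client on that link and never pass the
# firewall's conntrack entry that has to undo the DNAT. SNAT to the
# firewall's LAN address forces the reply back through the firewall.
# Succeeds (exit 0) when that SNAT is required.
hairpin_snat_needed() {
    in_subnet "$1" "$2"
}

load_rules() {
    # Port-80 traffic from clients goes to squid; squid's own fetches are
    # exempt, otherwise they would be redirected back to squid itself.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"

    if hairpin_snat_needed "$LOCAL_NET" "$SQUID_IP"; then
        # Cost of this rule: squid's access log records FW_LAN_IP for every
        # client, so per-client auditing has to happen on the firewall.
        $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -d "$SQUID_IP" -o "$LAN_IF" \
            -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$FW_LAN_IP"
    fi

    # Replies that conntrack has already un-NATed, then the hairpin itself.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LOCAL_NET" -d "$SQUID_IP" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT

    # Source-NAT the whole LAN, squid included, towards the internet.
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$FW_WAN_IP"
}

# Rule-match counters, as suggested in the thread, to see which rules fire.
show_counters() {
    $IPT -L -nvx
    $IPT -t nat -L -nvx
}

if [ "${1:-}" = "--dry-run" ]; then
    IPT="echo iptables"
    load_rules
fi
```

Run it once with --dry-run and compare the printed rules with `show_counters` output after loading; a hairpin SNAT rule whose packet counter stays at zero while the DNAT rule counts up is the first thing to look at when the proxy path "does not work" on a two-interface box.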
* Re: configure firewall & NAT & cache with each other
From: Jason Opperisano @ 2005-01-31 15:54 UTC (permalink / raw)
To: netfilter
On Sat, Jan 29, 2005 at 08:15:39PM -0800, Alireza Yazdani wrote:
>
> Hello all,
>
> I have 2 boxes for cache, bandwidth manager, firewall and NAT.
>
> One box is a cache server (squid) only, and the other box is the bandwidth manager, firewall and NAT server.
>
> I don't have any rules on my squid box. The default gateway of my users is my firewall box. My firewall box has 2 Ethernet interfaces (user side and Internet side).
>
> IP of firewall box is:
>
> iptables_box_ILAN=172.16.5.5 (user side)(eth0)
>
> iptables_box_WLAN=212.213.38.100 (internet side)(eth1)
>
> IP of cache box is:
>
> squid_box=172.16.5.6
>
> The default gateway of the cache box is the firewall box.
>
> I use this rule for NAT:
>
> iptables -t nat -A POSTROUTING -s 172.16.5.0/24 -o eth1 -j SNAT --to 212.213.38.100
>
> Now I want to redirect requests on port 80 to the cache box:
>
> local_network=172.16.5.0/24
>
> iptables_box_ILAN=172.16.5.5
>
> iptables_box_WLAN=212.213.38.100
<-- snip -->
http://www.squid-cache.org/WCCP-support/Linux/
-j
--
"Well, I'm not calling you a liar, but... I can't think of a way to
finish that sentence."
--The Simpsons