From: "Ложечник Александр" <A.Logechnik@itak.ua>
To: netfilter@lists.netfilter.org
Subject: Re: Differentiating direct, and redirected access?
Date: Mon, 18 Oct 2004 17:34:40 +0000
Message-ID: <4173FEB0.9070605@itak.ua>
In-Reply-To: <D5C9032B2B09C64EA2409D6214E91AC9C05820@asimail2.alphanumeric.com>
>>Hello all,
>>
>>I'm running a squid at port 3128 as a transparent proxy.
>>
>>There are requests coming directly to 3128 port and
>>those coming to 80 port and then redirected to 3128 by
>>following rule:
>>
>>-t nat -A PREROUTING -i eth0 -p tcp -m tcp \
>> --dport 80 -j REDIRECT --to-ports 3128
>>
>>What I want is block direct requests to 3128, allowing
>>redirected access (transparent proxy) only. How do I do it?
>>
>>If I just set up a rule in filter chain like:
>>
>>-t filter -A INPUT -i eth0 -p tcp -m tcp \
>> --dport 3128 -j DROP
>>
>>Those requests redirected from port 80 to 3128 are also
>>blocked by this rule. It seems that the redirected packets
>>come in to this chain once again with the new port number.
>>
>>How can I differentiate these two different kinds of
>>request? Any clue will be greatly appreciated.
>>
>>Jinsuk Kim
>>
>>
-t nat -A PREROUTING -i eth0 -d ! $INT_ROUTER_IP -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A INPUT -i eth0 -d $INT_ROUTER_IP -p tcp --dport 3128 -j REJECT

The TCP SYN has an external IP as dst_ip.
--
wbr, Logechnik Alexandr
In God we trust, but something
else must have X.509 certificate
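
The hook ordering behind the question above, as an added example that is not part of the original thread: a small Python model of mangle PREROUTING, nat PREROUTING and filter INPUT, showing why a plain --dport 3128 DROP also catches redirected traffic and how a mark set before NAT tells the two kinds of request apart. The addresses, the mark value 1 and all function names are assumptions made for the illustration.

```python
# Added illustration: simplified model of the netfilter hooks a locally
# delivered packet crosses: mangle PREROUTING -> nat PREROUTING -> filter INPUT.
# Addresses, the mark value and all names here are constructed assumptions.
ROUTER_IP = "192.0.2.1"   # constructed: address of eth0 on the proxy box
PROXY_PORT = 3128
MARK_REDIRECTED = 1       # assumed mark value

def mangle_prerouting(pkt, use_mark):
    # iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 \
    #          -j MARK --set-mark 1
    if use_mark and pkt["dport"] == 80:
        pkt["mark"] = MARK_REDIRECTED

def nat_prerouting(pkt):
    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
    #          -j REDIRECT --to-ports 3128
    # REDIRECT rewrites the destination to the local address and new port.
    if pkt["dport"] == 80:
        pkt["dst"], pkt["dport"] = ROUTER_IP, PROXY_PORT

def filter_input(pkt, use_mark):
    if pkt["dport"] != PROXY_PORT:
        return "ACCEPT"
    if use_mark:
        # iptables -A INPUT -i eth0 -p tcp --dport 3128 \
        #          -m mark ! --mark 1 -j DROP
        return "ACCEPT" if pkt["mark"] == MARK_REDIRECTED else "DROP"
    # iptables -A INPUT -i eth0 -p tcp --dport 3128 -j DROP  (from the question)
    return "DROP"

def verdict(dst, dport, use_mark):
    pkt = {"dst": dst, "dport": dport, "mark": 0}
    mangle_prerouting(pkt, use_mark)
    nat_prerouting(pkt)       # filter INPUT only ever sees the rewritten packet
    return filter_input(pkt, use_mark)

if __name__ == "__main__":
    cases = [("web request to remote site", "198.51.100.7", 80),
             ("direct connection to proxy", ROUTER_IP, 3128)]
    for use_mark in (False, True):
        print("mark-based rules" if use_mark else "plain --dport 3128 DROP")
        for label, dst, dport in cases:
            print(f"  {label:28} -> {verdict(dst, dport, use_mark)}")
```

The mark survives the NAT rewrite because it is packet metadata set in the mangle table, which is traversed before the nat table on the PREROUTING hook.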