* Rule syntax
@ 2005-03-01 11:39 Chris Edwards
2005-03-01 13:33 ` Jörg Harmuth
0 siblings, 1 reply; 2+ messages in thread
From: Chris Edwards @ 2005-03-01 11:39 UTC (permalink / raw)
To: netfilter
Hi,
Need a bit of help with a rule. I've got a Red Hat box running a
squid/websense installation. It's dual-interfaced on different networks,
and due to an update websense has done, is only contactable on the
interface which can't see the default gateway. To cut a long story short
it ain't working unless I can convince the reply packets to leave out the
same interface. Putting a route in works for some but not all users; what
I really need is to be able to redirect all the requests as they try to go
out eth1 to the gateway on eth0.
I've been trying this command:-
/sbin/iptables -t nat -A PREROUTING -o eth1 -p tcp --sport 15871 -j REDIRECT -d xxx.xxx.xxx.193
or
/sbin/iptables -t nat -A OUTPUT -o eth1 -p tcp -s xxx.xxx.xxx.xxx -j REDIRECT -d xxx.xxx.xxx.193
I'm really new to iptables, only having done what the squid installation
required. Can anyone help with how to write a rule that does what I need?
Chris
===============================================
If the only tool you have is a hammer, every problem looks like a nail.
* Re: Rule syntax
From: Jörg Harmuth @ 2005-03-01 13:33 UTC (permalink / raw)
To: netfilter
Hi,
your problem is that the routing decision (here especially the
outgoing interface) is made before any chain is traversed. Even more,
the REDIRECT target redirects the packets to localhost, it does not
redirect to another host. So this will not work.
Using DNAT in OUTPUT will not work either, see above. I think you should
try the ROUTE target from Patch-O-Matic, it promises to do the trick.
Last month there was a thread on this list about the ROUTE target, maybe
you can find additional information there.
Sorry, I don't use this, so I can't help better.
Have a nice time,
Jörg
PS: PREROUTING is traversed only by incoming packets and never by
outgoing packets.
Chris Edwards schrieb:
| Hi,
|
| Need a bit of help with a rule. I've got a Red Hat box running a
| squid/websense installation. It's dual-interfaced on different
| networks, and due to an update websense has done, is only
| contactable on the interface which can't see the default gateway.
| To cut a long story short it ain't working unless I can convince the
| reply packets to leave out the same interface. Putting a route in
| works for some but not all users; what I really need is to be able
| to redirect all the requests as they try to go out eth1 to the
| gateway on eth0.
|
| I've been trying this command:-
|
| /sbin/iptables -t nat -A PREROUTING -o eth1 -p tcp --sport 15871 -j REDIRECT -d xxx.xxx.xxx.193
| or
| /sbin/iptables -t nat -A OUTPUT -o eth1 -p tcp -s xxx.xxx.xxx.xxx -j REDIRECT -d xxx.xxx.xxx.193
|
| I'm really new to iptables, only having done what the squid
| installation required. Can anyone help with how to write a rule
| that does what I need?
|
| Chris
| ===============================================
| If the only tool you have is a hammer, every problem looks like a nail.
--
-----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach
Tel.: (+49) 22 26 87 18 12
Fax: (+49) 22 26 87 18 19
mail: harmuth@mnemon.de
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
-----------------------------------------------------------------------
This mail was checked for viruses and other malicious software before
sending. No malicious software was detected.
-----------------------------------------------------------------------
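Added example, not part of the thread and not code from either poster: a small Python model of the netfilter nat-table packet path that the reply above describes (routing decision before any chain for locally generated packets, PREROUTING only for incoming packets, REDIRECT pointing at the box itself). It steps the two rules from the question through that model, and goes one step beyond the thread by showing a source-based routing policy (the `ip rule` mechanism, assumed here as a generalisation of what the ROUTE target was meant to do). Interface names, addresses and the websense port 15871 are constructed; conntrack and the filter table are left out.

```python
# Added example: simplified model of the Linux nat-table packet path.
# All addresses, interface names and the service port are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Chains in which iptables accepts -i / -o; the rule is rejected elsewhere.
IN_IFACE_CHAINS = {"PREROUTING", "INPUT", "FORWARD"}
OUT_IFACE_CHAINS = {"FORWARD", "OUTPUT", "POSTROUTING"}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    locally_generated: bool
    in_iface: Optional[str] = None   # None for packets the box itself sends
    out_iface: Optional[str] = None  # filled in by the routing decision
    path: List[str] = field(default_factory=list)


@dataclass
class Rule:
    chain: str
    target: str                      # "REDIRECT" or "DNAT"
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o
    sport: Optional[int] = None      # --sport
    to: Optional[str] = None         # DNAT --to-destination


@dataclass
class Router:
    connected: Dict[str, str]        # destination prefix -> interface
    default_via: Tuple[str, str]     # (gateway, interface)
    # Models `ip rule add from <prefix> table N` with a per-table default
    # route; an assumption added for the illustration, not from the thread.
    source_policy: Dict[str, str] = field(default_factory=dict)

    def decide(self, pkt: Packet) -> str:
        if pkt.dst.startswith("127."):
            return "lo"
        for prefix, dev in self.connected.items():
            if pkt.dst.startswith(prefix):
                return dev
        for prefix, dev in self.source_policy.items():
            if pkt.src.startswith(prefix):
                return dev
        return self.default_via[1]


def validate(rule: Rule) -> None:
    """Reproduce iptables' refusal of -i/-o in chains where they are meaningless."""
    if rule.in_iface and rule.chain not in IN_IFACE_CHAINS:
        raise ValueError(f"-i is not allowed in {rule.chain}")
    if rule.out_iface and rule.chain not in OUT_IFACE_CHAINS:
        raise ValueError(f"-o is not allowed in {rule.chain}")


def run_chain(chain: str, pkt: Packet, rules: List[Rule], iface_addr: Dict[str, str]) -> bool:
    """Apply the first matching nat rule of `chain`; True if one fired."""
    pkt.path.append(chain)
    for r in (r for r in rules if r.chain == chain):
        if r.in_iface and r.in_iface != pkt.in_iface:
            continue
        if r.out_iface and r.out_iface != pkt.out_iface:
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.target == "REDIRECT":
            # REDIRECT always targets the box itself: the primary address of
            # the incoming interface, or 127.0.0.1 for locally generated packets.
            pkt.dst = "127.0.0.1" if pkt.locally_generated else iface_addr[pkt.in_iface]
        elif r.target == "DNAT":
            pkt.dst = r.to
        return True
    return False


def traverse(pkt: Packet, rules: List[Rule], router: Router, iface_addr: Dict[str, str]) -> Packet:
    for r in rules:
        validate(r)
    if pkt.locally_generated:
        # Local packets: routing decision first, then nat OUTPUT, then POSTROUTING.
        pkt.out_iface = router.decide(pkt)
        pkt.path.append(f"route:{pkt.out_iface}")
        if run_chain("OUTPUT", pkt, rules, iface_addr):
            pkt.out_iface = router.decide(pkt)  # a NAT in OUTPUT forces a re-route
            pkt.path.append(f"reroute:{pkt.out_iface}")
    else:
        # Incoming packets: nat PREROUTING first, routing decision second.
        run_chain("PREROUTING", pkt, rules, iface_addr)
        pkt.out_iface = router.decide(pkt)
        pkt.path.append(f"route:{pkt.out_iface}")
        if pkt.dst in iface_addr.values() or pkt.out_iface == "lo":
            pkt.path.append("INPUT")
            return pkt
        pkt.path.append("FORWARD")
    run_chain("POSTROUTING", pkt, rules, iface_addr)
    return pkt


# Constructed topology: eth0 reaches the default gateway, eth1 does not.
IFACE_ADDR = {"eth0": "192.0.2.10", "eth1": "198.51.100.10"}
ROUTER = Router(connected={"192.0.2.": "eth0", "198.51.100.": "eth1"},
                default_via=("192.0.2.1", "eth0"))


def reply_packet() -> Packet:
    """A reply from the service port on eth1's address to a remote client (constructed)."""
    return Packet(src="198.51.100.10", dst="203.0.113.7", sport=15871, locally_generated=True)


def first_attempt() -> Packet:
    """PREROUTING with -o: rejected outright, and PREROUTING never sees local packets anyway."""
    rule = Rule("PREROUTING", "REDIRECT", out_iface="eth1", sport=15871)
    return traverse(reply_packet(), [rule], ROUTER, IFACE_ADDR)  # raises ValueError


def second_attempt() -> Packet:
    """OUTPUT -o eth1 REDIRECT: the reply was already routed to eth0, so it never matches."""
    rule = Rule("OUTPUT", "REDIRECT", out_iface="eth1")
    return traverse(reply_packet(), [rule], ROUTER, IFACE_ADDR)


def redirect_that_matches() -> Packet:
    """Even when REDIRECT fires in OUTPUT it sends the reply to localhost, not to a gateway."""
    return traverse(reply_packet(), [Rule("OUTPUT", "REDIRECT", sport=15871)], ROUTER, IFACE_ADDR)


def routing_layer_fix() -> Packet:
    """The outgoing interface is a routing decision: a source policy sends replies back via eth1."""
    router = Router(ROUTER.connected, ROUTER.default_via, source_policy={"198.51.100.": "eth1"})
    return traverse(reply_packet(), [], router, IFACE_ADDR)
```

The four scenario functions are the point: the first rule is refused before any packet is seen, the second is ordered after the routing decision it was meant to influence, a REDIRECT that does match only ever reaches the box's own loopback, and only a change in the routing layer itself makes the reply leave eth1.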