From: "Juliano Murlick"
Subject: REDIRECT
Date: Thu, 7 Aug 2003 14:37:41 -0300
To: netfilter@lists.netfilter.org

Hello All,

I want to redirect all connections from the 192.168.1.0/24 network to a 10.0.0.2 server on port 80 to a 172.65.15.11 server, also on port 80. For that, I did some things:

1 - All rules/iptables are on router 1;
2 - Router 2 doesn't filter any packets, it just routes. I can ping from a client machine (192.168.1.25) to both servers and connect to port 80 on both servers, so I don't have any routing problem. When I add the rules I can't connect any more to server 10.0.0.2, only directly to server 172.16.15.11;
3 - My rules on iptables are:

    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 10.0.0.2 --dport 80 -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 172.16.15.11 --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --sport 1024:65535 -d 10.0.0.2 --dport 80 -j DNAT --to 172.16.15.11:80

                                                        (Server 1)
                                                        +----------+
    (Client)           ( Linux - Router 1)         |----| 10.0.0.2 |
 +---------------+    +-----------------------+    |    +----------+
 | 192.168.1.25  |----|192.168.1.1 / 10.0.0.1 |----|
 +---------------+    +-----------------------+    |           (Route 2)               (Server 2)
                                                   |    +----------------------+    +--------------+
                                                   |----|10.0.0.3 / 172.16.15.1|----| 172.16.15.11 |
                                                        +----------------------+    +--------------+

But it isn't working ... does anyone have any idea???

Thanks in advance!

Att,
Juliano Murlick
From: "Juliano Murlick"
Subject: REDIRECT
Date: Thu, 7 Aug 2003 16:22:38 -0300
To: netfilter@lists.netfilter.org

(The same message as above, re-sent to the list.)
From: "George Vieira"
Subject: RE: REDIRECT
Date: Fri, 8 Aug 2003 07:53:01 +1000
To: jmurlick@sicredi.com.br, netfilter@lists.netfilter.org

Please don't use the word "it" as "it" doesn't define the problem.

You have 3 networks (192.168.1.0/24, 10.0.0.X, 172.16.15.X); have all the default gateways been defined?
Have you done a tcpdump and logged packets to determine where it's getting stuck?

Your problem is most likely that Server1 either doesn't have routes for those networks (since you're not using MASQUERADE) or you have DROP rules which aren't shown in this email.
Are all the default policies ACCEPT or DROP or what?

Thanks,
____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd
Systems Manager
georgev AT citadelcomputer DOT com DOT au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
http://www.citadelcomputer.com.au
------_=_NextPart_001_01C35D2E.45E8073E-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: ngabor@szbk.u-szeged.hu Subject: redirect Date: Fri, 13 May 2005 16:28:04 +0200 Message-ID: <1115994484.4284b97466b54@rosi.brc> Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Return-path: List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; charset="us-ascii" To: netfilter@lists.netfilter.org Hi. Main firewall PREROUTING Chain: ACCEPT all -- 192.168.10.x0 0.0.0.0/0 ACCEPT all -- 192.168.10.x1 0.0.0.0/0 ... DNAT tcp -- 0.0.0.0/0 x.y.z.v multiport dports 80,22,8180 to:192.168.30.y REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 r= edir ports 80 192.168.10.x0, 192.168.10.x1 internet enabled, other internal ip 192.168.10._ redirect main server 80 port. server x.y.z.v DNAT DMZ, if 192.168.10.x0, 192.168.10.x1 send http: to x.y.z.v pub.ip-address, then send my REDIRECTED SERVER. WHILE? by gab ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. From mboxrd@z Thu Jan 1 00:00:00 1970 From: dhottinger@harrisonburg.k12.va.us Subject: redirect Date: Fri, 02 Mar 2007 07:41:07 -0500 Message-ID: <20070302074107.401q9rza8kwowwgs@mail.harrisonburg.k12.va.us> Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; charset="us-ascii"; delsp="Yes"; format="flowed" To: "netfilter@lists.netfilter.org" I posted a question yesterday and I dont think I worded it very well. Im having problems with software updates on Apple computers. I think it is an issue with my squid proxy server. 
So I would like to make a rule set that says redirect all port 80 traffic except traffic going to apple.com's software update servers. When connecting to apple software updates you connect to swscan.apple.com which downloads an xml file, then get redirected to an akamaitechnologies.com server for the downloads. Im not quite certain yet why things are failing with my squid proxy server in the loop, but going around it lets the software updates work. So, if any of the iptables gurus have a formula for this I would be very happy to try. thanks, ddh -- Dwayne Hottinger Network Administrator Harrisonburg City Public Schools From mboxrd@z Thu Jan 1 00:00:00 1970 From: TheGesus Subject: Re: redirect Date: Fri, 2 Mar 2007 07:51:25 -0500 Message-ID: <5e70f6530703020451m4d5b6490m3c811787ebef557@mail.gmail.com> References: <20070302074107.401q9rza8kwowwgs@mail.harrisonburg.k12.va.us> Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Return-path: DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=VSnM8NDHwnEStkMbONZ13veE5NQrh9ys1DuLuUtpHZZqMv7SNp40lc2ojzCUyvQ+4C6VgpSwdiuURlpXmEMo+iOfNaKMAOVJC6x9Z4Ajn1qNbuNh5UoGYIhvLgOyiPmuMkY7DakWjoA03DtIsKz3Aq8myG9MjCIITEskRqiswPo= In-Reply-To: <20070302074107.401q9rza8kwowwgs@mail.harrisonburg.k12.va.us> Content-Disposition: inline List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; charset="us-ascii"; format="flowed" To: "dhottinger@harrisonburg.k12.va.us" Cc: "netfilter@lists.netfilter.org" See below... apparently it's listening on port 95... Not Found The requested URL / was not found on this server. 
-------------------------------------------------------------------------------- Apache/1.3.33 Server at swscan.apple.com Port 95 On 3/2/07, dhottinger@harrisonburg.k12.va.us wrote: > I posted a question yesterday and I dont think I worded it very well. > Im having problems with software updates on Apple computers. I think > it is an issue with my squid proxy server. So I would like to make a > rule set that says redirect all port 80 traffic except traffic going > to apple.com's software update servers. When connecting to apple > software updates you connect to swscan.apple.com which downloads an > xml file, then get redirected to an akamaitechnologies.com server for > the downloads. Im not quite certain yet why things are failing with > my squid proxy server in the loop, but going around it lets the > software updates work. So, if any of the iptables gurus have a > formula for this I would be very happy to try. > > thanks, > > ddh > > > -- > Dwayne Hottinger > Network Administrator > Harrisonburg City Public Schools > > > From mboxrd@z Thu Jan 1 00:00:00 1970 From: dhottinger@harrisonburg.k12.va.us Subject: redirect Date: Tue, 06 Mar 2007 09:42:08 -0500 Message-ID: <20070306094208.csonro2nwc8kogso@webmail.harrisonburg.k12.va.us> Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; charset="us-ascii"; delsp="Yes"; format="flowed" To: "netfilter@lists.netfilter.org" I currently redirect all traffic on port 80 to my proxy server with $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80 -s ! 204.111.40.0/24 -d ! 204.111.40.0/24 -j DNAT --to-destination $PROXY_IP:8080 I would like to have any traffic destined for apple.com excluded from this redirect. I cant seem to get the syntax right. Anyone got any ideas? 
thanks, ddh -- Dwayne Hottinger Network Administrator Harrisonburg City Public Schools From mboxrd@z Thu Jan 1 00:00:00 1970 From: Georgi Alexandrov Subject: Re: redirect Date: Wed, 07 Mar 2007 18:14:21 +0200 Message-ID: <45EEE4DD.9090508@gmail.com> References: <20070306094208.csonro2nwc8kogso@webmail.harrisonburg.k12.va.us> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig1D64818F4AEB93CCFEDAAFC4" Return-path: DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:x-enigmail-version:content-type; b=cMBVhB5rB1Ng7yrd9NxJBaqkvmm2EvTePbejP11X4BdkLYuqRRb/MQx8zNiCZkrXknLZB4oikZvV826MqG1TZZE7ocoTaTRGPt0cFqneeNjlgZXBaaL9Ee+LVrXE2TYlG09UdLQrNl9izrwdtMeweKs3lnY9P/SoivJT9jws8YE= In-Reply-To: <20070306094208.csonro2nwc8kogso@webmail.harrisonburg.k12.va.us> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org To: dhottinger@harrisonburg.k12.va.us Cc: "netfilter@lists.netfilter.org" This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig1D64818F4AEB93CCFEDAAFC4 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable dhottinger@harrisonburg.k12.va.us wrote: > I currently redirect all traffic on port 80 to my proxy server with > $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80 -s ! > 204.111.40.0/24 -d ! 204.111.40.0/24 -j DNAT --to-destination > $PROXY_IP:8080 >=20 > I would like to have any traffic destined for apple.com excluded from > this redirect. I cant seem to get the syntax right. Anyone got any id= eas? 
iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net -j RETURN iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $another_not_to_proxy_network -j RETURN iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j DNAT --to $proxy:$port --=20 regards, Georgi Alexandrov key server - pgp.mit.edu :: key id - 0x37B4B3EE Key fingerprint =3D E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE --------------enig1D64818F4AEB93CCFEDAAFC4 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFF7uTd+ZABwTe0s+4RAk3uAJ44t69OAQkmBndqFH0TJpuFXwRfbQCdFiVi E6BHccgMYd83DFIyTXtmWc8= =Fq3Y -----END PGP SIGNATURE----- --------------enig1D64818F4AEB93CCFEDAAFC4-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: dhottinger@harrisonburg.k12.va.us Subject: Re: redirect Date: Wed, 07 Mar 2007 11:43:58 -0500 Message-ID: <20070307114358.yro4pt0uo8s00ggc@webmail.harrisonburg.k12.va.us> References: <20070306094208.csonro2nwc8kogso@webmail.harrisonburg.k12.va.us> <45EEE4DD.9090508@gmail.com> Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <45EEE4DD.9090508@gmail.com> Content-Disposition: inline List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; charset="us-ascii"; delsp="Yes"; format="flowed" To: Georgi Alexandrov Cc: "netfilter@lists.netfilter.org" Quoting Georgi Alexandrov : > dhottinger@harrisonburg.k12.va.us wrote: >> I currently redirect all traffic on port 80 to my proxy server with >> $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80 -s ! >> 204.111.40.0/24 -d ! 
204.111.40.0/24 -j DNAT --to-destination >> $PROXY_IP:8080 >> >> I would like to have any traffic destined for apple.com excluded from >> this redirect. I cant seem to get the syntax right. Anyone got any idea= s? > > > iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net > -j RETURN > > iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d > $another_not_to_proxy_network -j RETURN > > iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j DNAT --to > $proxy:$port > > -- > regards, > Georgi Alexandrov > > key server - pgp.mit.edu :: key id - 0x37B4B3EE > Key fingerprint =3D E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE > > That seems to work. I did: $IPC -t nat -A PREROUTING -p tcp -i $IF --dport 80 -d 17.0.0.0/8 -j RETURN Dont see the connections in my access.log on my proxy now. --=20 Dwayne Hottinger Network Administrator Harrisonburg City Public Schools From mboxrd@z Thu Jan 1 00:00:00 1970 From: dhottinger@harrisonburg.k12.va.us Subject: Re: redirect Date: Wed, 07 Mar 2007 11:50:36 -0500 Message-ID: <20070307115036.qfmk9u7lwkkkoskw@webmail.harrisonburg.k12.va.us> References: <20070306094208.csonro2nwc8kogso@webmail.harrisonburg.k12.va.us> <45EEE4DD.9090508@gmail.com> Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <45EEE4DD.9090508@gmail.com> Content-Disposition: inline List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; charset="us-ascii"; delsp="Yes"; format="flowed" To: Georgi Alexandrov Cc: "netfilter@lists.netfilter.org" Quoting Georgi Alexandrov : > dhottinger@harrisonburg.k12.va.us wrote: >> I currently redirect all traffic on port 80 to my proxy server with >> $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80 -s ! >> 204.111.40.0/24 -d ! 
204.111.40.0/24 -j DNAT --to-destination >> $PROXY_IP:8080 >> >> I would like to have any traffic destined for apple.com excluded from >> this redirect. I cant seem to get the syntax right. Anyone got any idea= s? > > > iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net > -j RETURN > > iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d > $another_not_to_proxy_network -j RETURN > > iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j DNAT --to > $proxy:$port > > -- > regards, > Georgi Alexandrov > > key server - pgp.mit.edu :: key id - 0x37B4B3EE > Key fingerprint =3D E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE > > Never mind. Doesnt seem to be working. Any other ideas? ddh --=20 Dwayne Hottinger Network Administrator Harrisonburg City Public Schools From mboxrd@z Thu Jan 1 00:00:00 1970 From: Georgi Alexandrov Subject: Re: redirect Date: Thu, 08 Mar 2007 09:01:24 +0200 Message-ID: <45EFB4C4.9040707@gmail.com> References: <20070306094208.csonro2nwc8kogso@webmail.harrisonburg.k12.va.us> <45EEE4DD.9090508@gmail.com> <20070307115036.qfmk9u7lwkkkoskw@webmail.harrisonburg.k12.va.us> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigCE0672D7337DD8CBBF5228F9" Return-path: DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:x-enigmail-version:content-type; b=Gzp9HBG2ZSY/JFPNGb6JiHL/ccnsFeHx7S4d7YxeMgxHcXNulByXs4rZ/Xf5CnMKN3RCZ/RRkhxB5scPjFITuQQYPYTaSXdOJE7AJwUTnBvFfe079JQ5IQq4mjVYsB/OAT3M/LTnVhuK0WSYnnon24gkVmCUavbHfb7jYWj2WPs= In-Reply-To: <20070307115036.qfmk9u7lwkkkoskw@webmail.harrisonburg.k12.va.us> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org To: 
dhottinger@harrisonburg.k12.va.us Cc: "netfilter@lists.netfilter.org" This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigCE0672D7337DD8CBBF5228F9 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable dhottinger@harrisonburg.k12.va.us wrote: > Quoting Georgi Alexandrov : >=20 >> dhottinger@harrisonburg.k12.va.us wrote: >>> I currently redirect all traffic on port 80 to my proxy server with >>> $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80 -s ! >>> 204.111.40.0/24 -d ! 204.111.40.0/24 -j DNAT --to-destination >>> $PROXY_IP:8080 >>> >>> I would like to have any traffic destined for apple.com excluded from= >>> this redirect. I cant seem to get the syntax right. Anyone got any >>> ideas? >> >> >> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_n= et >> -j RETURN >> >> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d >> $another_not_to_proxy_network -j RETURN >> >> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j DNAT --to= >> $proxy:$port >=20 > Never mind. Doesnt seem to be working. Any other ideas? What's not working? 
--=20 regards, Georgi Alexandrov key server - pgp.mit.edu :: key id - 0x37B4B3EE Key fingerprint =3D E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE --------------enigCE0672D7337DD8CBBF5228F9 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFF77TN+ZABwTe0s+4RAvJLAJ45y64ULhrkYPgiInKqhfqu/cofyACfW+5z 5/LyMV6hVog+VaGzYCe7OUk= =bAYI -----END PGP SIGNATURE----- --------------enigCE0672D7337DD8CBBF5228F9-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: dhottinger@harrisonburg.k12.va.us Subject: Re: redirect Date: Thu, 08 Mar 2007 06:34:21 -0500 Message-ID: <20070308063421.y4spggseocogsc48@mail.harrisonburg.k12.va.us> References: <20070306094208.csonro2nwc8kogso@webmail.harrisonburg.k12.va.us> <45EEE4DD.9090508@gmail.com> <20070307115036.qfmk9u7lwkkkoskw@webmail.harrisonburg.k12.va.us> <45EFB4C4.9040707@gmail.com> Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <45EFB4C4.9040707@gmail.com> Content-Disposition: inline List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; charset="us-ascii"; delsp="Yes"; format="flowed" To: netfilter@lists.netfilter.org Quoting Georgi Alexandrov : > dhottinger@harrisonburg.k12.va.us wrote: >> Quoting Georgi Alexandrov : >> >>> dhottinger@harrisonburg.k12.va.us wrote: >>>> I currently redirect all traffic on port 80 to my proxy server with >>>> $IPC -t nat -A PREROUTING -p tcp -i ! $IF --dport 80 -s ! >>>> 204.111.40.0/24 -d ! 204.111.40.0/24 -j DNAT --to-destination >>>> $PROXY_IP:8080 >>>> >>>> I would like to have any traffic destined for apple.com excluded from >>>> this redirect. I cant seem to get the syntax right. Anyone got any >>>> ideas? 
>>> >>> >>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net >>> -j RETURN >>> >>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d >>> $another_not_to_proxy_network -j RETURN >>> >>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -j DNAT --to >>> $proxy:$port > >> >> Never mind. Doesnt seem to be working. Any other ideas? > > What's not working? > > -- > regards, > Georgi Alexandrov > > key server - pgp.mit.edu :: key id - 0x37B4B3EE > Key fingerprint =3D E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE > > $IPC -t nat -A PREROUTING -p tcp -i $IF --dport 80 -d 17.250.0.0 -j RETURN Is not routing apple.com traffice away from my proxy. Apple.com =20 traffic is still getting routed to proxy server. I have the rule =20 placed above my dnat rule for the proxy. Any other ideas? thanks, ddh --=20 Dwayne Hottinger Network Administrator Harrisonburg City Public Schools From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jim Laurino Subject: Re: redirect (nfcan: addressed to exclusive sender for this address) Date: Thu, 8 Mar 2007 09:50:08 -0500 Message-ID: <20070308145008.GA11462@salty> References: <20070306094208.csonro2nwc8kogso@webmail.harrisonburg.k12.va.us> <45EEE4DD.9090508@gmail.com> <20070307115036.qfmk9u7lwkkkoskw@webmail.harrisonburg.k12.va.us> <45EFB4C4.9040707@gmail.com> <20070308063421.y4spggseocogsc48@mail.harrisonburg.k12.va.us> Reply-To: nfcan.x.jimlaur@dfgh.net Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Return-path: Content-Disposition: inline In-Reply-To: <20070308063421.y4spggseocogsc48@mail.harrisonburg.k12.va.us> (from +nfcan+jimlaur+67730951a3.dhottinger#harrisonburg.k12.va.us@spamgourmet.com on Thu, Mar 08, 2007 at 06:34:21 -0500) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; format="Flowed"; delsp="Yes"; charset="us-ascii" To: 
netfilter@lists.netfilter.org

On 2007.03.08 06:34, dhottinger@harrisonburg.k12.va.us wrote:
> Quoting Georgi Alexandrov:
> .....
>>>>> I would like to have any traffic destined for apple.com excluded from
>>>>> this redirect. I can't seem to get the syntax right. Anyone got any
>>>>> ideas?
>>>>
>>>>
>>>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net
>>>> -j RETURN
>>>> ....
>
> $IPC -t nat -A PREROUTING -p tcp -i $IF --dport 80 -d 17.250.0.0
> -j RETURN
>
> Is not routing apple.com traffic away from my proxy. Apple.com traffic is
> still getting routed to proxy server. I have the rule placed above my dnat
> rule for the proxy. Any other ideas?

The example was non-specific, -d $apples_net.
Your implementation, -d 17.250.0.0, is for a specific IP address.
You probably meant to specify a range.
Iptables allows you to use netmask or CIDR syntax.
You can cover all of Apple with 17.0.0.0/8 for instance.

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
From: dhottinger@harrisonburg.k12.va.us
Subject: Re: redirect (nfcan: addressed to exclusive sender for this address)
Date: Thu, 08 Mar 2007 09:58:09 -0500
Message-ID: <20070308095809.0jo1ofvyo80ok88w@webmail.harrisonburg.k12.va.us>
In-Reply-To: <20070308145008.GA11462@salty>
To: netfilter@lists.netfilter.org

Quoting Jim Laurino:

> On 2007.03.08 06:34, dhottinger@harrisonburg.k12.va.us wrote:
>> Quoting Georgi Alexandrov:
>>
> .....
>>>>>> I would like to have any traffic destined for apple.com excluded from
>>>>>> this redirect. I can't seem to get the syntax right. Anyone got any
>>>>>> ideas?
>>>>>
>>>>>
>>>>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d $apples_net
>>>>> -j RETURN
>>>>>
> ....
>>
>> $IPC -t nat -A PREROUTING -p tcp -i $IF --dport 80 -d 17.250.0.0
>> -j RETURN
>>
>> Is not routing apple.com traffic away from my proxy. Apple.com traffic is
>> still getting routed to proxy server. I have the rule placed above my dnat
>> rule for the proxy. Any other ideas?
>
> The example was non-specific, -d $apples_net.
> Your implementation, -d 17.250.0.0, is for a specific IP address.
> You probably meant to specify a range.
> Iptables allows you to use netmask or CIDR syntax.
> You can cover all of Apple with 17.0.0.0/8 for instance.
>
> --
> Jim Laurino
> nfcan.x.jimlaur@dfgh.net
> Please reply to the list.
> Only mail from the listserver reaches this address.
>

Yes I know.
Sorry I forgot part of my script. I did
$IPC -t nat -A PREROUTING -p tcp -i $IF --dport 80 -d 17.250.0.0/16 -j RETURN

Where $IF is the interface that connects to the internet.

-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

From: Georgi Alexandrov
Subject: Re: redirect (nfcan: addressed to exclusive sender for this address)
Date: Fri, 09 Mar 2007 17:07:01 +0200
Message-ID: <45F17815.6030703@gmail.com>
In-Reply-To: <20070308095809.0jo1ofvyo80ok88w@webmail.harrisonburg.k12.va.us>
To: dhottinger@harrisonburg.k12.va.us
Cc: netfilter@lists.netfilter.org
dhottinger@harrisonburg.k12.va.us wrote:
> Quoting Jim Laurino:
>
>> On 2007.03.08 06:34, dhottinger@harrisonburg.k12.va.us wrote:
>>> Quoting Georgi Alexandrov:
>>>
>> .....
>>>>>>> I would like to have any traffic destined for apple.com excluded
>>>>>>> from
>>>>>>> this redirect. I can't seem to get the syntax right. Anyone got any
>>>>>>> ideas?
>>>>>>
>>>>>>
>>>>>> iptables -t nat -A PREROUTING -p tcp -i $iface --dport 80 -d
>>>>>> $apples_net
>>>>>> -j RETURN
>>>>>>
>> ....
>>>
>>> $IPC -t nat -A PREROUTING -p tcp -i $IF --dport 80 -d 17.250.0.0
>>> -j RETURN
>>>
>>> Is not routing apple.com traffic away from my proxy. Apple.com
>>> traffic is
>>> still getting routed to proxy server. I have the rule placed above
>>> my dnat
>>> rule for the proxy. Any other ideas?
>>
>> The example was non-specific, -d $apples_net.
>> Your implementation, -d 17.250.0.0, is for a specific IP address.
>> You probably meant to specify a range.
>> Iptables allows you to use netmask or CIDR syntax.
>> You can cover all of Apple with 17.0.0.0/8 for instance.
>>
>> --
>> Jim Laurino
>> nfcan.x.jimlaur@dfgh.net
>> Please reply to the list.
>> Only mail from the listserver reaches this address.
>>
>
> Yes I know.
> Sorry I forgot part of my script. I did
> $IPC -t nat -A PREROUTING -p tcp -i $IF --dport 80 -d 17.250.0.0/16 -j
> RETURN
>
> Where $IF is the interface that connects to the internet.

No, it should be the interface that your clients are behind.

First try to imagine it in your head, then "draw" it with iptables rules ;-)

"I have to redirect all requests coming from my clients to the proxy server which is here.
But I also want requests that are coming from my clients destined to apple's networks not to hit the proxy and go directly to apple"

In rules it goes like this:

iptables -t nat -A PREROUTING -p tcp -i $clients_interface --dport 80 -d 17.0.0.0/8 -j RETURN
iptables -t nat -A PREROUTING -p tcp -i $clients_interface --dport 80 -j DNAT --to $proxy_server:$proxy_port

-- 
regards,
Georgi Alexandrov

key server - pgp.mit.edu :: key id - 0x37B4B3EE
Key fingerprint = E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE

From: r00t
Subject: REDIRECT
Date: Mon, 13 Dec 2004 13:05:14 +0500
Message-ID: <899467342.20041213130514@server.titansoft.ru>
To: netfilter-devel@lists.netfilter.org

Hi all,

How do I make this rule with libipq:

-j REDIRECT --to-ports 3128 ?
-- 
With regards,
Meg

From: Henrik Nordstrom
Subject: Re: REDIRECT
Date: Mon, 13 Dec 2004 11:23:11 +0100 (CET)
In-Reply-To: <899467342.20041213130514@server.titansoft.ru>
To: r00t
Cc: netfilter-devel@lists.netfilter.org

On Mon, 13 Dec 2004, r00t wrote:

> How do I make this rule with libipq:
>
> -j REDIRECT --to-ports 3128 ?

You don't.

REDIRECT or other NAT related operations must be done in the kernel.

Regards
Henrik

From: r00t
Subject: REDIRECT
Date: Mon, 13 Dec 2004 18:36:31 +0500
Message-ID: <1538174627.20041213183631@server.titansoft.ru>
To: netfilter-devel@lists.netfilter.org

Hi all,

>> How do I make this rule with libipq:
>> -j REDIRECT --to-ports 3128 ?

> You don't.
> REDIRECT or other NAT related operations must be done in the kernel.
Ok, but if I use this:

-A PREROUTING -p tcp -j QUEUE
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

And in the program:

ipq_set_verdict(h, m->packet_id, NF_ACCEPT, 0, NULL);

the packet does not go to the second rule (REDIRECT).

Sorry for my English.

Best regards,
Meg

From: Meg
Subject: Re: REDIRECT
Date: Mon, 13 Dec 2004 19:11:53 +0500
Message-ID: <604750014.20041213191153@server.titansoft.ru>
In-Reply-To: <1538174627.20041213183631@server.titansoft.ru>
To: netfilter-devel@lists.netfilter.org

Hi, r00t.

>>> How do I make this rule with libipq:
>>> -j REDIRECT --to-ports 3128 ?

>> You don't.
>> REDIRECT or other NAT related operations must be done in the kernel.
> Ok, but if I use this:
> -A PREROUTING -p tcp -j QUEUE
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> And in the program:
> ipq_set_verdict(h, m->packet_id, NF_ACCEPT, 0, NULL);
> the packet does not go to the second rule (REDIRECT)

-A FORWARD -p tcp -j QUEUE
or
-t nat -p tcp -j QUEUE

This is right according to iptables, but it does not work.

-- 
Best regards,
Meg
mailto:root@server.titansoft.ru

From: Henrik Nordstrom
Subject: Re: REDIRECT
Date: Mon, 13 Dec 2004 16:59:40 +0100 (CET)
In-Reply-To: <1538174627.20041213183631@server.titansoft.ru>
To: r00t
Cc: netfilter-devel@lists.netfilter.org

On Mon, 13 Dec 2004, r00t wrote:

> Ok, but if I use this:
>
> -A PREROUTING -p tcp -j QUEUE
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

You can't. QUEUE terminates the PREROUTING hook.

You need to queue before nat PREROUTING if you want to apply NAT rules on packets after QUEUE reinjects them to the kernel, i.e. from the mangle or raw tables.

Regards
Henrik
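The three answers in these threads come down to the same mechanics of chain traversal: Jim's point that `-d 17.250.0.0` with no mask matches a single host (iptables reads it as /32), Georgi's that the RETURN exclusion must come before the DNAT and match on the interface the clients arrive on, and Henrik's that QUEUE ends the chain it sits in, so a REDIRECT behind it in nat PREROUTING is never reached unless the packet is queued from an earlier table (mangle or raw). The POSIX shell script below is an added example, not code from any of the posts or from the netfilter project: it is a toy model of PREROUTING traversal that replays each of the rulesets from the threads against sample packets. The interface name eth1 for the clients' side is taken from Meg's rule; eth0 as the Internet-facing interface, the proxy address 192.0.2.10:8080 and the outside host 198.51.100.7 are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the list posts): a toy model of how netfilter
# walks the PREROUTING chains, enough to replay the mistakes in the threads
# above. It models only -i, -d (host, CIDR or dotted netmask) and --dport,
# the matches the posted rules use; conntrack (the nat table only sees a
# connection's first packet) is not modelled.

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Mask from a prefix length ("8") or a dotted mask ("255.0.0.0");
# iptables accepts either form after the slash.
mask_to_int() {
    case "$1" in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}

# Is address $1 inside network spec $2?  A bare address carries no mask,
# so iptables treats it as one host: -d 17.250.0.0 means 17.250.0.0/32.
in_net() {
    case "$2" in
        */*) net=${2%/*}; mask=$(mask_to_int "${2#*/}") ;;
        *)   net=$2;      mask=$(mask_to_int 32) ;;
    esac
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Walk one chain for a packet (iface dst dport; rules as one line per rule)
# and print the target of the first matching rule, or POLICY when the
# packet falls off the end. Every target in the threads (RETURN, DNAT,
# REDIRECT, QUEUE) ends traversal of the chain it sits in.
walk_chain() {
    pkt_if=$1; pkt_dst=$2; pkt_dport=$3
    result=$(echo "$4" | while read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        hit=1; target=POLICY
        while [ $# -gt 0 ]; do
            case "$1" in
                -i)       [ "$2" = "$pkt_if" ] || hit=0; shift 2 ;;
                -d)       in_net "$pkt_dst" "$2" || hit=0; shift 2 ;;
                --dport)  [ "$2" = "$pkt_dport" ] || hit=0; shift 2 ;;
                -j)       target=$2; shift 2 ;;
                -A|-p|-m) shift 2 ;;   # chain name, protocol, match: tcp only here
                *)        shift ;;     # target options such as --to-ports 3128
            esac
        done
        if [ "$hit" -eq 1 ]; then echo "$target"; break; fi
    done)
    echo "${result:-POLICY}"
}

# Tables hooked at PREROUTING run in order raw, mangle, nat. A QUEUE
# verdict ends its chain; an NF_ACCEPT verdict from userspace resumes at
# the next table, so NAT rules behind the QUEUE in the same chain are
# skipped, while a nat chain in a later table still runs (Henrik's point).
prerouting_path() {
    printf 'mangle:%s nat:%s\n' \
        "$(walk_chain "$1" "$2" "$3" "$4")" "$(walk_chain "$1" "$2" "$3" "$5")"
}

# Constructed sample rulesets. eth1 is the clients' interface (as in Meg's
# rule), eth0 the assumed Internet-facing one; the proxy and the "other"
# web server use RFC 5737 documentation addresses.
PROXY=192.0.2.10:8080
NAT_GOOD='-A PREROUTING -i eth1 -p tcp --dport 80 -d 17.0.0.0/8 -j RETURN
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to '"$PROXY"
NAT_BARE_HOST='-A PREROUTING -i eth1 -p tcp --dport 80 -d 17.250.0.0 -j RETURN
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to '"$PROXY"
NAT_WRONG_IF='-A PREROUTING -i eth0 -p tcp --dport 80 -d 17.250.0.0/16 -j RETURN
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to '"$PROXY"
NAT_QUEUE_FIRST='-A PREROUTING -p tcp -j QUEUE
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
MANGLE_QUEUE='-A PREROUTING -p tcp -j QUEUE'
NAT_REDIRECT='-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

echo "Apple host, Georgi's final rules:  $(walk_chain eth1 17.250.1.5 80 "$NAT_GOOD")"       # RETURN
echo "Other host, Georgi's final rules:  $(walk_chain eth1 198.51.100.7 80 "$NAT_GOOD")"     # DNAT
echo "Apple host, bare -d 17.250.0.0:    $(walk_chain eth1 17.250.1.5 80 "$NAT_BARE_HOST")"  # DNAT
echo "Apple host, -i on Internet side:   $(walk_chain eth1 17.250.1.5 80 "$NAT_WRONG_IF")"   # DNAT
echo "QUEUE ahead of REDIRECT in nat:    $(prerouting_path eth1 198.51.100.7 80 '' "$NAT_QUEUE_FIRST")"            # mangle:POLICY nat:QUEUE
echo "QUEUE in mangle, REDIRECT in nat:  $(prerouting_path eth1 198.51.100.7 80 "$MANGLE_QUEUE" "$NAT_REDIRECT")"  # mangle:QUEUE nat:REDIRECT
```

Run it with `sh`; the last six lines print each thread's failing ruleset beside its fix. Two things the model leaves out matter on a real router: the nat table consults only the first packet of a connection, so the target that packet hits is bound to the conntrack entry for the rest of the flow, and `-d` without a mask is the same mistake whether the value is a literal or a variable such as `$apples_net`, so checking the expanded rule with `iptables -t nat -L PREROUTING -n` (which prints the mask that was actually installed) is the quickest way to catch it.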