Re: REDIRECT question

Re: REDIRECT question

[Ruslan Spivak]

Chris Wilson wrote:

>Hi Ruslan,
>
>  
>
>>I just want to be sure that after redirecting, the packet is going to 
>>input chain where i can filter it. (am i right?)
>>    
>>
>
>As far as I know, that's right.
>
>Cheers, Chris.
>  
>
One more question, please.

I have three nets that located in our city and i treat them as local, 
cause we have direct connection with that networks.
i need to redirect traffic that is going to outside world to port 
3128(squid) and traffic to local nets leave alone.
Following your previous advices, i have made suggestions about how it 
should look:

LOCAL_NET_1=193.108.240.0/22
LOCAL_NET_2=193.220.70.32/27
LOCAL_NET_3=193.220.70.64/27

iptables -t nat -N REDIRECT_CHAIN
iptables -t nat -A REDIRECT_CHAIN -p tcp -d  $LOCAL_NET_1 --dport 80 -j 
RETURN
iptables -t nat -A REDIRECT_CHAIN -p tcp -d  $LOCAL_NET_2 --dport 80 -j 
RETURN
iptables -t nat -A REDIRECT_CHAIN -p tcp -d  $LOCAL_NET_3 --dport 80 -j 
RETURN
iptables -t nat -A REDIRECT_CHAIN -p tcp --dport 80 -j REDIRECT 
--to-port 3128
iptables -t nat -A PREROUTING -j REDIRECT_CHAIN

Can you tell me if i'm on on a right way?

Again, thanks in advance.

Best regards,
Ruslan

Redirect question

[Danny]

Good day,

My setup is:

     wlan0 ----> br0 -----> eth0 =====> router
     internal    internal   internal
     10.0.0.5    10.0.0.4   10.0.0.3    10.0.0.2
     (apache:80)
     (squid:3128)
     (iptables)

I am running Debian 7 with a few servers on it. Everything is fine. Squid is
fine if I configure browsers to use the proxy 10.0.0.5:3128.

However, all internal clients can still connect to the internet if I do not tell
them to go through the proxy.

I have a simple iptables setup:

####################################################################################
# Generated by iptables-save v1.4.14 on Sat Mar  22 16:28:57 2014
*nat
:PREROUTING ACCEPT [76:4907]
:INPUT ACCEPT [24:1899]
:OUTPUT ACCEPT [117:9446]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Mar  3 16:28:57 2014
# Generated by iptables-save v1.4.14 on Mon Mar  3 16:28:57 2014
*filter
:INPUT ACCEPT [462:67612]
:FORWARD ACCEPT [112:5720]
:OUTPUT ACCEPT [354:42889]
-A FORWARD -s 10.0.0.0/24 -i eth0 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Mar  22 16:28:57 2014
####################################################################################

How would I go about routing all the local clients to squid's port 3128?

I have tried the following, but it doesn't work

-t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128

Thank You

Danny

Re: Redirect question

[Nikolai Lusan]

[-- Attachment #1: Type: text/plain, Size: 723 bytes --]

On Sat, 2014-03-22 at 15:38 +0200, Danny wrote:

> However, all internal clients can still connect to the internet if I do not tell
> them to go through the proxy.

You need to to a DNAT on the packets before they hit the net.



> How would I go about routing all the local clients to squid's port 3128?

iptables -t NAT - A PREROUTING -p tcp --dport 80 -j DNAT\
--to-destination <squid_IP>:3128

that is the simplest way - you do need to change some of the squid
config though. These days the TPROXY method is preferred though you
should read http://wiki.squid-cache.org/Features/Tproxy4

Also it's worth reading more about DNAT and TPROXY in the man pages.

-- 
Nikolai Lusan <nikolai@lusan.id.au>

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Redirect Question

[Gary W. Smith]

We have a client moving offices and will need to migrate their DNS (and some of their DNS entries) over at some point in time.  But for a variety of reasons we cannot do that.  They have 16 IP's at their current location and will get another 16 at their new location.
 
What we would like to do is to have the firewall rewrite or redirect all traffic coming in on two IP's and redirect them to two destination IP's on the new firewall.
 
i.e. they have 205.34.43.1/28 and 206.32.43.1/28.  We want all traffic that is currently destined for 205.34.43.2 to go to 206.32.43.2.  These are not at the same location.
 
What is the easiest way to accomplish this?  both locations are running RHEL3 and a fairly basic configuration with iptables.
 
Gary Wayne Smith

Re: Redirect Question

[Gavin Hamill]

On Friday 04 March 2005 22:59, Gary W. Smith wrote:
> We have a client moving offices and will need to migrate their DNS (and
> some of their DNS entries) over at some point in time.  But for a variety
> of reasons we cannot do that.  They have 16 IP's at their current location
> and will get another 16 at their new location.
>
> What we would like to do is to have the firewall rewrite or redirect all
> traffic coming in on two IP's and redirect them to two destination IP's on
> the new firewall.

Here, this should help, since I had to do exactly the same thing, although for 
a single IP address (one machine moving co-lo premises)

# Make the firewall act as a non-caching TCP proxy. Useful for machine moves 
whilst DNS propogates.
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d 194.200.209.137 -j DNAT 
--to 213.2.4.33
$IPTABLES -A FORWARD -p tcp --dport 80 -d 194.200.209.137 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 80 -d 213.2.4.33 -j SNAT --to 
194.200.209.137

In this case the old IP is 194.x.x.x and the new one is 213.x.x.x

All traffic will then appear to come from the machine on the 194.x.x.x network 
doing the redirecting...

gdh

RE: REDIRECT question

[George Vieira]

PREROUTING only works for real packets being received from the network and not locally generated packets (localhost). So with localhost, the packets do not leave the wire and come back for PREROUTING to work, I think only INPUT/FORWARD/OUTPUT will receive these localhost packets.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Ruslan Spivak [mailto:alienoid@is.lg.ua]
Sent: Friday, July 11, 2003 9:09 PM
To: netfilter@lists.netfilter.org
Subject: REDIRECT question


Hello!

Can you help me with the following:

i try to make REDIRECT on my local host -

$IPTABLES -t nat -N REDIRECT_CHAIN
$IPTABLES -t nat -A REDIRECT_CHAIN -p tcp --dport 80 -j REDIRECT 
--to-port 7080
$IPTABLES -t nat -A PREROUTING -j REDIRECT_CHAIN

When users in my LAN connect to my host's 80 port they are redirected to 
7080 - it's ok. But when i try to do on my host - telnet localhost 80 - 
i get connection refused (looks like redirection doesn't work). What 
maybe the problem?

Best regards,
Ruslan

REDIRECT question

[Ruslan Spivak]

Hello!

Can you help me with the following:

i try to make REDIRECT on my local host -

$IPTABLES -t nat -N REDIRECT_CHAIN
$IPTABLES -t nat -A REDIRECT_CHAIN -p tcp --dport 80 -j REDIRECT 
--to-port 7080
$IPTABLES -t nat -A PREROUTING -j REDIRECT_CHAIN

When users in my LAN connect to my host's 80 port they are redirected to 
7080 - it's ok. But when i try to do on my host - telnet localhost 80 - 
i get connection refused (looks like redirection doesn't work). What 
maybe the problem?

Best regards,
Ruslan

REDIRECT question

[Ruslan Spivak]

Hello, netfilter users.

i want make transaparent proxy on localhost and want to disabe access 
after redirecting to port 3128 if destination address in net other then 
193.108.240.0/22.
Does REDIRECT target send packet to INPUT chain and i should disable 
access in INPUT chain or should i disable access in '-t nat -A 
POSTROUTING' chain?

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
--to-port 3128


Thanks in advance. Your help is very, very appreciated.

Best regards,
Ruslan

Re: REDIRECT question

[Chris Wilson]

Hi Ruslan,

> i want make transaparent proxy on localhost and want to disabe access 
> after redirecting to port 3128 if destination address in net other then 
> 193.108.240.0/22.
> Does REDIRECT target send packet to INPUT chain and i should disable 
> access in INPUT chain or should i disable access in '-t nat -A 
> POSTROUTING' chain?

You will not be able to disable access in the POSTROUTING chain, since 
after reading the REDIRECT rule, no further rules in that chain are 
processed. In any case, it is not recommended to filter in the nat table. 
The best place to put your filtering rule is in the INPUT chain.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |

Re: REDIRECT question

[Ruslan Spivak]

Chris Wilson wrote:

>Hi Ruslan,
>
>  
>
>>i want make transaparent proxy on localhost and want to disabe access 
>>after redirecting to port 3128 if destination address in net other then 
>>193.108.240.0/22.
>>Does REDIRECT target send packet to INPUT chain and i should disable 
>>access in INPUT chain or should i disable access in '-t nat -A 
>>POSTROUTING' chain?
>>    
>>
>
>You will not be able to disable access in the POSTROUTING chain, since 
>after reading the REDIRECT rule, no further rules in that chain are 
>processed. In any case, it is not recommended to filter in the nat table. 
>The best place to put your filtering rule is in the INPUT chain.
>
>Cheers, Chris.
>
Hello, Chris.

I just want to be sure that after redirecting, the packet is going to 
input chain where i can filter it. (am i right?)

Thanks for your reply.

Best regards,
Ruslan