Linux Netfilter discussions
From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
To: netfilter@lists.netfilter.org
Subject: Re: Differentiating direct, and redirected access?
Date: Mon, 18 Oct 2004 10:50:03 -0500
Message-ID: <4173E62B.6010708@pbl.ca>
In-Reply-To: <20041018021948.48396.qmail@web50902.mail.yahoo.com>

J Kim wrote:
> Hello all,
> 
> I'm running a squid at port 3128 as a transparent proxy.
> 
> There are requests coming directly to 3128 port and 
> those coming to 80 port and then redirected to 3128 by 
> following rule:
> 
> -t nat -A PREROUTING -i eth0 -p tcp -m tcp \
>    --dport 80 -j REDIRECT --to-ports 3128
> 
> What I want is block direct requests to 3128, allowing
> redirected access (transparent proxy) only. How do I do it?
> 
> If I just set up a rule in filter chain like:
> 
> -t filter -A INPUT -i eth0 -p tcp -m tcp \
>    --dport 3128 -j DROP
> 
> Those requests redirected from port 80 to 3128 are also
> blocked by this rule. It seems that the redirected packets
> come in to this chain once again with the new port number.

This is because the PREROUTING chain is traversed before the INPUT chain, so the 
dst port of the packets has already been modified to 3128.  You need to drop 
packets in the PREROUTING chain, before the REDIRECT rule:

   -t nat -A PREROUTING ..... --dport 3128 -j DROP
   -t nat -A PREROUTING ..... --dport 80 -j REDIRECT ....

BTW, a question for those smarter than me: if there are rules in both the nat and 
mangle PREROUTING chains, which are traversed first?  If mangle is done 
before nat, then one solution could also be:

   -t mangle -A PREROUTING .....  --dport 3128 -j MARK --set-mark 1
   -t nat -A PREROUTING ..... --dport 80 -j REDIRECT .....
   -t filter -A INPUT .... -m mark --mark 1 -j DROP

Suboptimal (more work), but it should work if for whatever reason somebody 
wants to keep all filtering in the filter table (if the mangle table is done 
before the nat table, of course).

It would be ideal (and most optimal) if the match were possible in the filter 
table based on the original value of the dst port.  I kind of vaguely remember 
reading about such an extension, but I might be wrong (it might not exist).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
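The chain-order argument above, as an added Python model that is not part of the thread or of netfilter itself: it pushes a direct-to-3128 packet and a port-80 packet through mangle PREROUTING, nat PREROUTING and filter INPUT in that order (the kernel's actual hook order, which also settles the mangle-before-nat question) for the three rulesets discussed. Table and target names follow the thread; the match and target semantics are deliberately simplified.

```python
"""Toy model of netfilter traversal for a TCP packet addressed to the local host.
Hook order as in the kernel: mangle PREROUTING, then nat PREROUTING, then
filter INPUT.  Only the matches and targets used in the thread exist here.
Constructed example; not netfilter or iptables code."""
MANGLE, NAT, FILTER = "mangle", "nat", "filter"

def traverse(rules, pkt):
    """Return (verdict, dport as seen by filter INPUT) for one packet."""
    pkt = dict(pkt, mark=0)
    for table in (MANGLE, NAT, FILTER):      # kernel order for locally-bound traffic
        for rule in rules:
            if rule["table"] != table:
                continue
            if "dport" in rule and pkt["dport"] != rule["dport"]:
                continue
            if "mark" in rule and pkt["mark"] != rule["mark"]:
                continue
            target = rule["target"]
            if target == "DROP":
                return "DROP", pkt["dport"]
            if target == "REDIRECT":         # dport rewritten here, before INPUT runs
                pkt["dport"] = rule["to_port"]
            elif target == "MARK":           # non-terminating: later rules still run
                pkt["mark"] = rule["set_mark"]
    return "ACCEPT", pkt["dport"]

# J Kim's ruleset: REDIRECT 80->3128 in nat, DROP dport 3128 in filter INPUT.
ORIGINAL = [
    {"table": NAT, "dport": 80, "target": "REDIRECT", "to_port": 3128},
    {"table": FILTER, "dport": 3128, "target": "DROP"},
]
# Reply's fix: DROP direct 3128 in nat PREROUTING, ahead of the REDIRECT rule.
NAT_DROP = [
    {"table": NAT, "dport": 3128, "target": "DROP"},
    {"table": NAT, "dport": 80, "target": "REDIRECT", "to_port": 3128},
]
# Reply's alternative: MARK direct 3128 in mangle, DROP by mark in filter INPUT.
MANGLE_MARK = [
    {"table": MANGLE, "dport": 3128, "target": "MARK", "set_mark": 1},
    {"table": NAT, "dport": 80, "target": "REDIRECT", "to_port": 3128},
    {"table": FILTER, "mark": 1, "target": "DROP"},
]

def verdicts(rules):
    """(verdict for a direct-to-3128 client, verdict for a port-80 client)."""
    return traverse(rules, {"dport": 3128})[0], traverse(rules, {"dport": 80})[0]
```

With the original ruleset both clients are dropped because INPUT only ever sees dport 3128; both fixes drop the direct client and let the redirected one through.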

