From: Georgi Alexandrov <tehlists@hotpop.com>
To: netfilter@lists.netfilter.org
Subject: Re: Transparent proxy to remote squid box
Date: Thu, 12 May 2005 20:00:05 +0300
Message-ID: <42838B95.4080901@hotpop.com>
In-Reply-To: <4283892B.1080005@hotpop.com>
Georgi Alexandrov wrote:
> ro0ot wrote:
>
>> Hi,
>>
>> I have a working "transparent proxy to remote squid box" rules as
>> below: -
>>
>> $IPTABLES -t nat -A PREROUTING -i eth1 -s ! 10.59.2.4 -p tcp --dport
>> 80 -j DNAT --to 10.59.2.4:3128
>> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.59.2.0/24 -d 10.59.2.4
>> -j SNAT --to 10.59.2.1
>> $IPTABLES -t filter -A FORWARD -s 10.59.2.0/24 -d 10.59.2.4 -i eth1
>> -o eth1 -p tcp --dport 3128 -j ACCEPT
>>
>> How can I not route the following network "1.1.1.0/24" to the remote
>> squid box using IPTABLES?
>>
>> Regards,
>> ro0ot
>>
>>
> Hello,
>
> You can put one rule above the DNAT like this:
>
> $IPTABLES -t nat -A PREROUTING -i eth1 -s 1.1.1.0/24 -p tcp --dport 80
> -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i eth1 -s ! 10.59.2.4 -p tcp --dport
> 80 -j DNAT --to 10.59.2.4:3128
>
> The first rule matches the requests coming from 1.1.1.0/24 to tcp port
> 80 and accepts them, e.g. the packets won't hit the next rule.
>
> P.S.
> you probably meant 10.1.1.0/24 ?
>
> regards,
> Georgi Alexandrov
>
>
For the sake of completeness - you can also use the RETURN target in the
first rule. That will cause packets to stop traversing this chain and
hit the chain's default policy. In most cases it's "ACCEPT", so the
RETURN target will do; if the chain's policy is DROP you should use the
ACCEPT target in the first rule.
regards,
Georgi Alexandrov
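The two bypass variants above (an ACCEPT rule, or a RETURN rule that falls through to the chain policy) are easy to get wrong by reasoning about them in your head. The following is an added example, not code from the thread: a small Python model of how the nat PREROUTING chain is walked for the first packet of a connection, built from the rules posted above (same addresses, eth1, squid on 10.59.2.4:3128, bypass network 1.1.1.0/24 as written). `Rule`, `Packet`, `traverse` and `verdicts` are hypothetical helpers for illustration; the sample packets and the 198.51.100.8 origin server are constructed.

```python
"""Model of how iptables walks the nat PREROUTING chain from the thread above.

Hypothetical helper (not the iptables implementation): only the first packet
of a connection consults the nat table, and this model evaluates that packet
and reports the verdict (DNAT / ACCEPT / DROP).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT, RETURN or DNAT
    in_if: Optional[str] = None    # -i
    src: Optional[str] = None      # -s; a leading "!" negates (iptables "! -s")
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    to: Optional[str] = None       # --to for DNAT

    def matches(self, pkt: Packet) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.src is not None:
            negate = self.src.startswith("!")
            net = ipaddress.ip_network(self.src.lstrip("! "), strict=False)
            if (ipaddress.ip_address(pkt.src) in net) == negate:
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


Verdict = Tuple[str, Optional[str]]   # (target, DNAT destination or None)


def traverse(chain: List[Rule], policy: str, pkt: Packet) -> Verdict:
    """Walk a built-in chain top to bottom and return the final verdict."""
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "DNAT":
            return ("DNAT", rule.to)
        if rule.target == "ACCEPT":
            return ("ACCEPT", None)   # terminal: the DNAT rule below is never reached
        if rule.target == "RETURN":
            return (policy, None)     # built-in chain: RETURN ends in the chain policy
    return (policy, None)             # no match at all: chain policy applies


SQUID = "10.59.2.4"
BYPASS_NET = "1.1.1.0/24"


def build_prerouting(bypass_target: str) -> List[Rule]:
    """The posted rule set: bypass rule first, then the DNAT to squid."""
    return [
        Rule(target=bypass_target, in_if="eth1", src=BYPASS_NET, proto="tcp", dport=80),
        Rule(target="DNAT", in_if="eth1", src="!" + SQUID, proto="tcp", dport=80,
             to=SQUID + ":3128"),
    ]


# Constructed sample packets (first packet of each connection).
SAMPLE_PACKETS = {
    "lan client":    Packet("eth1", "10.59.2.10", "198.51.100.8", "tcp", 80),
    "exempt client": Packet("eth1", "1.1.1.7",    "198.51.100.8", "tcp", 80),
    "squid itself":  Packet("eth1", SQUID,        "198.51.100.8", "tcp", 80),
    "lan https":     Packet("eth1", "10.59.2.10", "198.51.100.8", "tcp", 443),
    "other iface":   Packet("eth0", "10.59.2.10", "198.51.100.8", "tcp", 80),
}


def verdicts(bypass_target: str, policy: str = "ACCEPT") -> Dict[str, Verdict]:
    chain = build_prerouting(bypass_target)
    return {name: traverse(chain, policy, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for target, policy in (("ACCEPT", "ACCEPT"), ("RETURN", "ACCEPT"), ("RETURN", "DROP")):
        print(f"bypass rule -j {target}, chain policy {policy}:")
        for name, (verdict, to) in verdicts(target, policy).items():
            print(f"  {name:14s} -> {verdict}" + (f" --to {to}" if to else ""))
```

Running it shows the three cases from the reply: with `-j ACCEPT` the exempt client is accepted regardless of policy; with `-j RETURN` it inherits the chain policy, so it is accepted under a default ACCEPT policy and lost under DROP; the LAN client is redirected to squid either way. The "squid itself" row is why the DNAT rule carries `-s ! 10.59.2.4`: squid's own outbound fetches enter on eth1 too, and without the exclusion they would be redirected back to squid. Two practical notes: current iptables spells that negation `! -s 10.59.2.4`, and since the nat table is consulted only for the first packet of a connection, a DROP policy there is an unusual setup; filtering belongs in the filter table, which is also where the posted FORWARD rule lives.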
Thread overview: 3+ messages
2005-05-12 16:08 Transparent proxy to remote squid box ro0ot
2005-05-12 16:49 ` Georgi Alexandrov
2005-05-12 17:00 ` Georgi Alexandrov [this message]