not solve yet!!!

not solve yet!!!

[john decot]

Hello all,
 i am facing a problem in iptables as follows:
  i have  single nic which ip is eth0= x.x.x.x(public_ip)
    alias is  eth0:1=y.y.y.y( private_ip)
the proxy works when ip of server and port 3128 at lan connection is 
configured at client side(windows os).
But doesn't work without that whenever i flow traffic to proxy server, 
again i have used ip tables as:
 
iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j REDIRECT --to-port 3128
 
with above it doesn't work then i tried following
iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j DNAT  
$public_ip or $private_ip:3128
 
again the same result.
client pc and server is connect at same switch. and clients have 
private ip where as server has public as well as private ip.
any help will be appreciated.
 
thanks in advance.
john
 

		
---------------------------------
 Start your day with Yahoo! - make it your home page 

RE: not solve yet!!!

[Anthony Sadler]

John:

This is the rule I use on our servers:

"iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
--to-port 3128"

The only difference I can see is in the order... I don't know if that
matters.

Hope that helps!

Anthony Sadler
Far Edge Technology
w: (02) 8425 1400
 
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of john decot
Sent: Monday, 25 July 2005 4:08 PM
To: netfilter@lists.netfilter.org
Subject: not solve yet!!!

Hello all,
 i am facing a problem in iptables as follows:
  i have  single nic which ip is eth0= x.x.x.x(public_ip)
    alias is  eth0:1=y.y.y.y( private_ip) the proxy works when ip of server
and port 3128 at lan connection is configured at client side(windows os).
But doesn't work without that whenever i flow traffic to proxy server, again
i have used ip tables as:
 
iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j REDIRECT
--to-port 3128
 
with above it doesn't work then i tried following iptables -A PREROUTING -t
nat -p tcp --dport 80 -i eth0 -j DNAT $public_ip or $private_ip:3128
 
again the same result.
client pc and server is connect at same switch. and clients have private ip
where as server has public as well as private ip.
any help will be appreciated.
 
thanks in advance.
john
 

		
---------------------------------
 Start your day with Yahoo! - make it your home page 

Re: not solve yet!!!

[Sergio Basurto Juarez]

--- john decot <johndecot@yahoo.com> wrote:

> Hello all,
>  i am facing a problem in iptables as follows:
>   i have  single nic which ip is eth0=
> x.x.x.x(public_ip)
>     alias is  eth0:1=y.y.y.y( private_ip)
> the proxy works when ip of server and port 3128 at
> lan connection is 
> configured at client side(windows os).
> But doesn't work without that whenever i flow
> traffic to proxy server, 
> again i have used ip tables as:
>  
> iptables -A PREROUTING -t nat -p tcp --dport 80 -i
> eth0 -j REDIRECT --to-port 3128
>  
> with above it doesn't work then i tried following
> iptables -A PREROUTING -t nat -p tcp --dport 80 -i
> eth0 -j DNAT  
> $public_ip or $private_ip:3128
>  
> again the same result.
> client pc and server is connect at same switch. and
> clients have 
> private ip where as server has public as well as
> private ip.
> any help will be appreciated.
>  
> thanks in advance.
> john
Did you configured your proxy in order to act as a
transparen proxy I mean for example in squid is:

    * httpd_accel_host virtual
    * httpd_accel_port 80
    * httpd_accel_with_proxy on
    * httpd_accel_uses_host_header on

and it should work. I suppose you are listenning on
eth0 for incomming requests.

I hope this help.

Regards

-- 
Sergio Basurto J.

If I have seen further it is by standing on the 
shoulders of giants. (Isaac Newton)
--


		
____________________________________________________
Start your day with Yahoo! - make it your home page 
http://www.yahoo.com/r/hs 
 

RE: not solve yet!!!

[Jan Engelhardt]

>This is the rule I use on our servers:
>
>"iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
>--to-port 3128"
>
>The only difference I can see is in the order... I don't know if that
>matters.

Order is a little more important than on most posixy apps. You can't, for 
example, specify --dport without giving -p tcp beforehand.



Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/

Re: not solve yet!!!

[Jörg Harmuth]

john decot schrieb:
> Hello all,
>  i am facing a problem in iptables as follows:
>   i have  single nic which ip is eth0= x.x.x.x(public_ip)
>     alias is  eth0:1=y.y.y.y( private_ip)
> the proxy works when ip of server and port 3128 at lan connection is 
> configured at client side(windows os).
> But doesn't work without that whenever i flow traffic to proxy server, 
> again i have used ip tables as:
>  
> iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j REDIRECT --to-port 3128
>  
> with above it doesn't work then i tried following
> iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j DNAT  
> $public_ip or $private_ip:3128
>  
> again the same result.

First configure your proxy to act transparently as Sergio pointed out.
Make sure the proxy is listening on the correct IP(s).

Did you check if your REDIRECT rule is hit (iptables -t nat -nvxL) ? If
the counters increase with each connection attempt, the rule is ok and
the reason is probably the proxy configuration.

If your rule is not hit, try if omitting "-i eth0" changes something.
Possibly there are some more low hanging fruits. Does the clients
default gateway point to your proxy server ? Are there any other rules,
that make connections impossible ? Does the proxy server-name resolve to
your clients ? Did you tcpdump the traffic to see, if packets make it to
the proxy and if so, what is in the conntrack table ? What is your
complete ruleset (either the output of iptables-save or iptables -t
$TABLE_NAME -nvxL) ?

Just some thoughts ;)

HTH and have a nice time,

Joerg