Re: iptables transparent proxy

From: Antoine EMERIT (reply_to_replay_at_daubededaube.nothing)
Date: 06/13/04

    Date: 13 Jun 2004 15:28:50 GMT


    fritz-bayer@web.de (Fritz Bayer) wrote
    news:a9c0aa9e.0406130107.1d02accb@posting.google.com:
    >> - bind the proxy to a specific ip, not to the lo interface

    bind the proxy to an alias interface, not the default one (e.g.
    192.168.1.10).

    >> - change your REDIRECT rule to a DNAT rule to forward port 80 from
    >> any ip except the proxy bind to port 8888 on the proxy bound address
    >>
    >> ex: bind the proxy to your internal ip 192.168.1.4
    ex: bind the proxy to your internal ip 192.168.1.10

    >> squid.conf:
    >> port=192.168.1.4:8888
    or tcp_incoming_address=192.168.1.10

    >> iptables -t nat -A PREROUTING -s !192.168.0.4 -d 0.0.0.0/0 -p tcp
    >> --dport 80 -i eth0 -j DNAT --to-destination 192.168.0.10:8888

    iptables -t nat -A PREROUTING -s !192.168.1.10 -d 0.0.0.0/0 -p tcp
    --dport 80 -i eth0 -j DNAT --to-destination 192.168.1.10:8888

    >> If this is not clear or fully functional, you may also add an ip
    >> alias on the proxy box and bind the proxy to this alias ip.

    That's the solution (see below).

    >> Regards
    >
    > But doesn't this mean: forward all new connections not coming from
    > 192.168.0.4 with destination port 80 to port 8888 on 192.168.0.10?

    Correct, so use an ip alias to separate the proxy traffic from the client
    one (web browser).

    > But that's not what I want. I mean I want all connections with
    > destination port 80 from the box on which the proxy is running to be
    > forwarded to the local port 8888. And those originating from the proxy
    > to be sent out to the world.

    I understood this, but my previous solution works only for the lo
    interface.

    Using an ip alias, as described above, should work.

    Regards
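As an added illustration (not part of the thread), here is a small Python model of how the PREROUTING rule above selects packets: the negated `-s` match excludes the proxy's alias address, so LAN clients' port-80 traffic is DNATed to 192.168.1.10:8888 while connections sourced from the alias pass untouched. The rule string uses the newer `! -s` spelling of the `-s !` negation; the packet dicts, the client address 192.168.1.20 and the server address 203.0.113.5 are constructed samples.

```python
import ipaddress
import shlex

PROXY_ALIAS = "192.168.1.10"  # alias IP the proxy is bound to (from the thread)
PROXY_PORT = 8888
OPTS = ("-t", "-A", "-s", "-d", "-p", "--dport", "-i", "-j", "--to-destination")

# The rule from the thread, negation written in the newer "! -s" spelling.
RULE = (f"-t nat -A PREROUTING ! -s {PROXY_ALIAS} -d 0.0.0.0/0 -p tcp "
        f"--dport 80 -i eth0 -j DNAT --to-destination {PROXY_ALIAS}:{PROXY_PORT}")

def parse_rule(rule):
    """Map each option to its value; '!' marks the following option as negated."""
    toks, spec, negate = shlex.split(rule), {}, set()
    for i, tok in enumerate(toks):
        if tok == "!":
            negate.add(toks[i + 1])
        elif tok in OPTS:
            spec[tok] = toks[i + 1]
    spec["negate"] = negate
    return spec

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def matches(spec, pkt):
    """pkt models a packet entering PREROUTING: src, dst, proto, dport, iface."""
    tests = {
        "-s": lambda v: in_net(pkt["src"], v),
        "-d": lambda v: in_net(pkt["dst"], v),
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: pkt["dport"] == int(v),
        "-i": lambda v: pkt["iface"] == v,
    }
    for opt, test in tests.items():
        # A plain option must match; a negated one ("! -s") must not.
        if opt in spec and test(spec[opt]) == (opt in spec["negate"]):
            return False
    return True

def nat_decision(pkt, rule=RULE):
    """Target the packet gets in the nat PREROUTING chain under the rule."""
    spec = parse_rule(rule)
    return f"DNAT {spec['--to-destination']}" if matches(spec, pkt) else "PASS"

# Constructed sample packets; 203.0.113.5 is a documentation address standing in for a web server.
CLIENT_HTTP = {"src": "192.168.1.20", "dst": "203.0.113.5", "proto": "tcp", "dport": 80, "iface": "eth0"}
PROXY_UPSTREAM = dict(CLIENT_HTTP, src=PROXY_ALIAS)  # the proxy's own outbound fetch: excluded, no loop
CLIENT_HTTPS = dict(CLIENT_HTTP, dport=443)          # not port 80: untouched
```

Note that connections originating on the proxy box itself traverse the nat OUTPUT chain, not PREROUTING, so a rule with `-i eth0` only classifies traffic arriving from the network.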

