Re: Tunneling server for http and https traffic



On 21 May, 16:23, Tauno Voipio <tauno.voi...@xxxxxxxxxxxxx> wrote:
magnus.morab...@xxxxxxxxx wrote:
Hi there,

I have a linux machine which is routed via eth0 to "network A" and via
eth1 to "networkB".

I wish for clients in "network A" to access content on a webserver
located in "network B".

The protocols I wish to support are HTTP (80) and HTTPS (443).

Firewalls exist between my linux machine and network A, and between
my linux machine and network B.

I have added networks A and B to my linux machine's routing table and
I can now ping from a machine in network A to the linux machine, and
from the linux machine to the web server on network B.

The firewalls are configured to only accept traffic via port 80 and
443.

So my question is, how do I connect network A and B? I have installed
squid on the linux machine and it is my understanding that if I
configure it as a tunneling server, listening on ports 80 and 443,
that this will achieve what I'm after. Is this correct?

BTW, I am not interested in doing any kind of caching with squid. The
version of squid I have is version 2.5.STABLE.

At the moment the only configuring of squid that I have done is to
have it listen on port 80. When I telnet to the linux machine on port
80 from a machine in network A, I am receiving a squid generated web
page.

Any advice or suggestions are welcome,

Thanks for your help,

Barry

You can do the requested functions without Squid by
using iptables to allow IP forwarding for TCP ports
80 and 443 only and disallowing others. You have to
remember to turn IP forwarding on after setting up
the firewall rules.

Documentation for setting up the filters is to be
found at <http://www.netfilter.org/>. There is more
than you'll need.

--

Tauno Voipio
tauno voipio (at) iki fi

Thanks very much for that tip! Would the following code achieve what
I'm after, ignoring the fact that it will allow all tcp ports?

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Drop whatever no rule below accepts. The built-in policy is ACCEPT,
# so without these the ACCEPT rules would not restrict anything.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new ones not coming from network B
# (interface negation is written "! -i", the form iptables accepts)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from network A (all protocols and ports)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Don't forward new connections from network B to network A
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# Enable routing, only after the rules above are in place.
echo 1 > /proc/sys/net/ipv4/ip_forward
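Tauno's suggestion above, worked out as an added example that is not code from either poster: the same two-interface gateway, but the FORWARD chain only passes new TCP connections to ports 80 and 443 from network A (eth0) into network B (eth1), everything else is dropped by the chain policy, and IP forwarding is switched on only after the rules are loaded. The interface names come from the thread; the IPT, NET_A_IF, NET_B_IF and WEB_PORTS variables, and the split into a gen_rules function (prints the rule set) and apply_rules (runs it as root), are assumptions of this example, chosen so the rules can be reviewed on any machine before they touch a live box.

```shell
#!/bin/sh
# Added example (not from the thread): forward only TCP 80 and 443 from
# network A (eth0) to network B (eth1), drop everything else, and only then
# turn on IP forwarding. Interface names follow the original post; IPT,
# NET_A_IF, NET_B_IF and WEB_PORTS are assumptions you can override.
IPT=${IPT:-iptables}
NET_A_IF=${NET_A_IF:-eth0}
NET_B_IF=${NET_B_IF:-eth1}
WEB_PORTS=${WEB_PORTS:-"80 443"}

# Emit the rule set as one iptables command per line. Generating the rules
# separately from applying them lets you read them (or diff two versions)
# before loading them on the gateway.
gen_rules() {
    cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state NEW ! -i $NET_B_IF -j ACCEPT
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # One explicit allow per web port; nothing else from A is forwarded.
    for port in $WEB_PORTS; do
        echo "$IPT -A FORWARD -i $NET_A_IF -o $NET_B_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Connections originating in network B get an explicit REJECT. The
    # FORWARD policy would drop them anyway; the rule fails them fast and
    # gives you a counter to watch.
    echo "$IPT -A FORWARD -i $NET_B_IF -o $NET_A_IF -m state --state NEW -j REJECT"
}

# Number of ports opened from A to B, as a sanity check on the rule set.
count_open_ports() {
    gen_rules | grep -c -- "-A FORWARD -i $NET_A_IF -o $NET_B_IF -p tcp --dport"
}

# Load the rules, then enable forwarding. Needs root on the gateway.
apply_rules() {
    gen_rules | sh -e || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
    *)     ;;  # no argument: only define the functions
esac
```

Run it as `sh forward-web.sh show` to print the rules and `sh forward-web.sh apply` (as root) to load them. To check the result the way the original post did, telnet from a machine in network A to the web server's address on port 80 and on some other port; the first should connect and the second should hang or be refused, and `iptables -L FORWARD -v -n` on the gateway should show the packet counters moving on the matching rules. Two caveats: clients in A must route network B through this machine and the web server must have a return route to A (or you add a `-t nat -A POSTROUTING -o eth1 -j MASQUERADE` rule), otherwise replies never come back; and `-m state` is the classic spelling, equivalent to `-m conntrack --ctstate` on current systems.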


