Full Version: Squid [thanx] Iptables [question]
Robert83
Hi,

As you can see I managed to create my very first transparent proxy and DNS [thanx to hughesjr, duende]. It almost worked correctly at first, but I forgot that I needed to add http_access allow ip_adress1, ... but eventually I did it, thank you, thank you!

But unfortunately, as these things go, I made a mistake somewhere. I spent 1-2 hrs trying to see what my error is, but no success. The thing is that I'm in 192.168.0.x, the gateway is 192.168.0.250, DNS is 192.168.0.250, and the proxy connects to the firewall with eth3 192.168.10.2 -> 192.168.10.1. I can ping 192.168.10.1 from the proxy server, but I can't ping 192.168.10.1 from 192.168.0.x.

Here is what my iptables looks like on the proxy server. Please have a look, maybe you'll see what I missed....
eth0, eth1 and eth2 are internal; eth3 is connected to the firewall. As mentioned before I can ping the firewall from the proxy server, so the problem should be in the iptables configuration below, please help...

iptables -A FORWARD -i eth0 -o eth3 -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth3 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 0/0 -d 0/0 -j DROP
iptables -A INPUT -i eth3 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j DROP
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.2.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2

Sincerely
Robert B
Robert83
Hi,

I'm sorry that I post this again, but please have a look at this, any ideas?


Sincerely
Robert B
hughesjr
I don't know what is wrong, but I think you only need one postrouting statement ... is eth3's IP address 192.168.10.2? If it is, you can take the 3 POSTROUTING rules and replace with this:

iptables -t nat -A POSTROUTING -o eth3 -j SNAT --to-source eth3_ip_address
--------------------
Do you have a:

echo "1" > /proc/sys/net/ipv4/ip_forward

somewhere before you start the IPTABLE Rules?
-----------------
I assume you have the chain setup and flushing stuff somewhere that looks similar to this (probably at the top of your firewall script):

CODE
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

-----------------
Since this is a totally internal firewall/proxy, I recommend the simplest iptables ruleset that will work (no input limiting, no packet dropping, etc.) ... NEVER run an IPTABLES this basic on a real (external) firewall!!!! But see if this works on this proxy server (put only these rules in):

CODE
iptables -A FORWARD -i eth3 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth3 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth3 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A POSTROUTING -t nat -o eth3 -j SNAT --to-source _eth3_ip_address

(substitute eth3's IP address for _eth3_ip_address)

If that doesn't work (you can replace the last line with this and try it)

iptables -A POSTROUTING -t nat -o eth3 -j MASQUERADE
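The same minimal internal-proxy ruleset, as an added example that is not part of the thread: a POSIX shell script that prints the rules (so they can be reviewed before being run as root) and checks ip_forward first, since a forgotten `echo 1 > /proc/sys/net/ipv4/ip_forward` is the usual reason a box like this forwards nothing. The variable and function names (LAN_IFS, WAN_IF, SQUID_PORT, gen_rules, check_ip_forward) are my own, and the script assumes the interface layout and Squid port 3228 from the thread.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumed names: LAN_IFS,
# WAN_IF, SQUID_PORT, gen_rules, check_ip_forward.
LAN_IFS="eth0 eth1 eth2"   # internal interfaces (clients)
WAN_IF="eth3"              # interface facing the real firewall
SQUID_PORT=3228            # port Squid listens on in the thread

# Print the ruleset rather than applying it; pipe into sh once reviewed.
gen_rules() {
    wan_ip="$1"
    # Reset policies and flush old rules first (as in the reply above).
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -F INPUT"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F OUTPUT"
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F"
    for lan in $LAN_IFS; do
        # Traffic from the firewall side is only forwarded back to a LAN
        # interface if it belongs to a flow a client started.
        echo "iptables -A FORWARD -i $WAN_IF -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A FORWARD -i $lan -o $WAN_IF -j ACCEPT"
        # Transparently hand web traffic from each LAN interface to Squid.
        echo "iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    done
    # One SNAT rule for everything leaving towards the firewall.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $wan_ip"
}

# Return 0 when forwarding is enabled. A file path may be passed so the
# check can be exercised offline; it defaults to the real sysctl file.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Usage: sh proxy-rules.sh 192.168.10.2 | less   (then | sh as root)
if [ -n "$1" ]; then
    check_ip_forward || echo "# WARNING: ip_forward is 0; run: echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
    gen_rules "$1"
fi
```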
Robert83
Thank you very much for your help!


Sincerely
Robert B
hughesjr
You're welcome ... let me know if that works
Robert83
Thank you, I missed the echo part...


I made one BIG mistake: I used my computer with 2 ethernet cards, one connected to the test proxy and one to the real one...
I was on 192.168.0.200 and 192.168.0.201, and was using 192.168.0.250 for both proxy servers.... and I eventually
looked at the good proxy, and wanted to go out through the not properly configured proxy. Thank God I found this out in time, otherwise I might have ended up damaging the proxy server... phew, I WILL NEVER EVER DO TESTING LIKE THIS AGAIN... phew


Thank you again,

Sincerely
Robert B