iptable for single nic

/dev/rob0 rob0 at gmx.co.uk
Mon Jul 25 06:31:20 CEST 2005


john decot wrote:
>  I am facing a problem in iptables as follows:
>   I have a single NIC whose IP is eth0 = x.x.x.x (public_ip);
>     the alias is eth0:1 = y.y.y.y (private_ip).
> The proxy works when the IP of the server and port 3128 are
> configured in the LAN connection on the client side (Windows OS).
> But it doesn't work without that, whenever I send traffic to the proxy
> server. Again, I have used iptables as:
>  
> iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j REDIRECT 3128

I suppose not.

    REDIRECT
        This  target  is  only valid in the nat table, in the PREROUTING
        and OUTPUT chains, and user-defined chains which are only called
        from those chains.  It alters the destination IP address to send
        the packet to the machine itself (locally-generated packets  are
        mapped to the 127.0.0.1 address).  It takes one option:

        --to-ports port[-port]
               This specifies a destination port or range of ports
               to use: without this, the destination port is never
               altered.  This is only valid if the rule also specifies
               -p tcp or -p udp.

Did you try it with "--to-ports 3128"? I have a couple of transparent 
proxy sites, and that's what works for me.

Also note that your -i eth0 doesn't do much. It eliminates localhost, 
but that's all. You might also want "-s y.y.y.0/24" (assuming the LAN on 
a /24 RFC 1918 network) to restrict to local clients only. Wasn't this 
in the HOWTO you read?

Another comment is that you'd be a lot better off with a separate NIC 
for each interface. It's a lot stronger to be able to filter by 
interface, rather than by source or destination IP. Think: spoofed 
packets coming in from the outside.

> With the above it doesn't work, so then I tried the following:
> 
> iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j DNAT  $public_ip or $private_ip:3128

REDIRECT is a special type of DNAT. You can't DNAT to the iptables 
machine's own IP.
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header
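
The rule set the reply recommends, written out as an added example (this is not
code from either poster, and the values are assumed, not taken from the thread:
LAN 192.168.1.0/24 standing in for "y.y.y.0/24", Squid on port 3128, single
interface eth0). It puts the broken REDIRECT from the question beside the
working form with --to-ports, adds the -s restriction to LAN clients, and, since
a single NIC cannot separate LAN from Internet by interface, adds a source-address
filter so outside hosts cannot use port 3128 as an open proxy. Run without
arguments it only prints the rules; "--apply" as root applies them and lists
the nat PREROUTING chain with counters so you can watch the REDIRECT match
while a client browses.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumed values (override via
# environment): LAN 192.168.1.0/24, Squid on 3128, single interface eth0.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"
IFACE="${IFACE:-eth0}"

# The rule from the question, kept for comparison. iptables rejects it:
# REDIRECT takes the port through --to-ports, not as a bare argument.
#   iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j REDIRECT 3128

# Print one rule per line. $1 = LAN CIDR, $2 = proxy port, $3 = interface.
redirect_rules() {
    lan="$1"; port="$2"; iface="$3"
    # Intercept port-80 traffic from LAN clients only. REDIRECT rewrites the
    # destination to this host; --to-ports selects the Squid port.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$iface" "$lan" "$port"
    # Single NIC: -i cannot tell LAN from Internet, so filter by source
    # address. Inserted at the top of INPUT so a broad ACCEPT further down
    # cannot shadow it; redirected LAN clients still match -s and pass.
    printf 'iptables -I INPUT -i %s ! -s %s -p tcp --dport %s -j DROP\n' \
        "$iface" "$lan" "$port"
}

if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    redirect_rules "$LAN_NET" "$PROXY_PORT" "$IFACE" | while IFS= read -r rule; do
        eval "$rule"
    done
    # Check: the REDIRECT rule should appear here and its pkts counter should
    # climb when a LAN client opens a web page.
    iptables -t nat -L PREROUTING -n -v
else
    # Dry run: show what would be applied.
    redirect_rules "$LAN_NET" "$PROXY_PORT" "$IFACE"
fi
```

If Squid's own outbound fetches also need to go through the proxy from this
host, that is OUTPUT-chain territory and a separate question; nothing here
touches locally generated packets.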