iptable for single nic
rob0 at gmx.co.uk
Mon Jul 25 06:31:20 CEST 2005
john decot wrote:
> I am facing a problem in iptables as follows:
> I have a single NIC whose IP is eth0 = x.x.x.x (public_ip);
> the alias is eth0:1 = y.y.y.y (private_ip).
> The proxy works when the server's IP and port 3128 are configured
> for the LAN connection on the client side (Windows OS).
> But it doesn't work without that whenever I send traffic to the proxy
> server; again, I have used iptables as:
> iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j REDIRECT 3128
I suppose not.
This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those chains.
It alters the destination IP address to send the packet to the machine
itself (locally-generated packets are mapped to the 127.0.0.1 address).
It takes one option:
This specifies a destination port or range of ports to use: without this,
the destination port is never altered. This is only valid if the rule
also specifies -p tcp or -p udp.
Did you try it with "--to-ports 3128"? I have a couple of transparent
proxy sites, and that's what works for me.
Also note that your -i eth0 doesn't do much. It eliminates localhost,
but that's all. You might also want "-s y.y.y.0/24" (assuming the LAN on
a /24 RFC 1918 network) to restrict to local clients only. Wasn't this
in the HOWTO you read?
Another comment is that you'd be a lot better off with a separate NIC
for each interface. It's a lot stronger to be able to filter by
interface, rather than by source or destination IP. Think: spoofed
packets coming in from the outside.
> With the above it doesn't work, then I tried the following:
> iptables -A PREROUTING -t nat -p tcp --dport 80 -i eth0 -j DNAT $public_ip or $private_ip:3128
REDIRECT is a special type of DNAT. You can't DNAT to the iptables
machine's own IP.
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
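An added example, not part of either message in this thread, that builds the transparent-proxy REDIRECT rule the reply recommends (with "--to-ports 3128" and a LAN source restriction) and checks a candidate rule for the missing option; the LAN network 192.168.1.0/24 and the port are constructed placeholders standing in for the post's y.y.y.0/24.

```shell
#!/bin/sh
# Added example (not from the original post). Composes the REDIRECT rule
# described in the reply and only applies it when run as root with iptables
# available; otherwise it prints what it would run.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed placeholder for y.y.y.0/24
PROXY_PORT="${PROXY_PORT:-3128}"       # squid's default port, as in the post

# Build the rule as a string so it can be reviewed before being applied.
# "-s <lan>" restricts redirection to local clients; no "-i eth0", since on
# a single-NIC box that only excludes loopback traffic.
redirect_rule() {
    lan="$1"
    port="$2"
    printf '%s' "-t nat -A PREROUTING -p tcp -s $lan --dport 80 -j REDIRECT --to-ports $port"
}

# The original poster's rule ended in "-j REDIRECT 3128" with no --to-ports,
# so the destination port was never rewritten. Return 0 if a rule has it.
has_to_ports() {
    case "$1" in
        *"--to-ports "*) return 0 ;;
        *) return 1 ;;
    esac
}

apply_rule() {
    rule=$(redirect_rule "$LAN_NET" "$PROXY_PORT")
    if ! has_to_ports "$rule"; then
        echo "refusing to apply a REDIRECT rule without --to-ports" >&2
        return 1
    fi
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        # word splitting on $rule is intended: each token is one argument
        iptables $rule
    else
        echo "would run: iptables $rule"
    fi
}

# Only touch the firewall when explicitly asked: ./redirect.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rule
fi
```

Run the script without arguments to see the rule it would install; add "apply" as root to install it.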