Firewall Wizards mailing list archives
Excluding certain NAT in linux iptables?
From: Greg Spath <gkspath () armstrong com>
Date: Fri, 1 Jul 2005 11:44:06 -0400
Hi all,

My first post to the list, let me know if not on topic or if I should go elsewhere.

Background: We deploy a linux-based appliance to form branch office IPSec tunnels. I've recently added a squid proxy to the mix, and want to use it transparently using iptables REDIRECT. This is all well and good, but there are certain Internal web server auth methods (I'm sure you can guess which company) which this will break (unless I spend far too much time building that configuration into these squid caches).

So, for this pilot rollout, I want to redirect only stuff destined to the Internet to the squid cache, and leave stuff that goes through the tunnels alone.

Here is the line to direct everything (eth1 is my private interface on the gateway):

    /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

To exclude rfc1918, I did this:

    /sbin/iptables -t nat -A PREROUTING -d 192.168.0.0/16 -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -d 172.16.0.0/12 -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -d 10.0.0.0/8 -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

Should it be "FORWARD" instead of "ACCEPT"? Is there a better way to do this? I was unable to find any examples of this situation in any groups or iptables documentation. ACCEPT does work, btw. I just want to verify that I'm not doing something stupid.

Thanks in advance for taking the time to read through this.

-- Greg

--
Greg Spath <gkspath () armstrong com>
Infrastructure Security Analyst
Armstrong World Industries, Inc.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
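The same policy (redirect inside HTTP to squid, leave RFC1918 tunnel destinations alone) expressed as a dedicated nat chain with RETURN instead of ACCEPT, plus a small helper that checks an address against the three private ranges. This is an added example, not code from the post; it assumes eth1 is the inside interface and squid listens on 3128 as described above, and it prints the rules (IPT_CMD=echo) unless IPT_CMD is pointed at /sbin/iptables.

```shell
#!/bin/sh
# Added example: transparent-proxy REDIRECT with RFC1918 exemptions in a
# dedicated nat chain. Not from the original post. With the default
# IPT_CMD=echo this is a dry run that only prints the rules.
IPT_CMD="${IPT_CMD:-echo}"   # set to /sbin/iptables on the gateway

# Print "yes" if an IPv4 address is in RFC1918 space, otherwise "no".
# Pure shell so the exemption logic can be checked without iptables.
is_rfc1918() {
    ip=$1; oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    a=$1; b=$2
    if [ "$a" -eq 10 ]; then echo yes
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo yes
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo yes
    else echo no
    fi
}

# Emit the nat rules: inside tcp/80 jumps to SQUID_REDIR (hypothetical
# chain name); private destinations RETURN untouched (tunnel traffic),
# everything else is redirected to the local squid port.
build_redirect_rules() {
    in_if=$1; proxy_port=$2
    $IPT_CMD -t nat -N SQUID_REDIR
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT_CMD -t nat -A SQUID_REDIR -d "$net" -j RETURN
    done
    # REDIRECT --to-ports requires -p tcp in the same rule.
    $IPT_CMD -t nat -A SQUID_REDIR -p tcp --dport 80 -j REDIRECT --to-ports "$proxy_port"
    $IPT_CMD -t nat -A PREROUTING -i "$in_if" -p tcp --dport 80 -j SQUID_REDIR
}

# Number of emitted rules that exempt a destination from redirection.
count_exemptions() {
    build_redirect_rules "$1" "$2" | grep -c -- '-j RETURN'
}

build_redirect_rules eth1 3128
```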