[fw-wiz] Excluding certain NAT in linux iptables?

From: Greg Spath (gkspath_at_armstrong.com)
Date: 07/01/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 1 Jul 2005 11:44:06 -0400

    Hi all,

    My first post to the list, let me know if not on topic or if I should go
    elsewhere.

    Background:
    We deploy a linux-based appliance to form branch office IPSec tunnels.
    I've recently added a squid proxy to the mix, and want to use it
    transparently using iptables REDIRECT.

    This is all well and good, but there are certain Internal web server
    auth methods (I'm sure you can guess which company) which this will
    break (unless I spend far too much time building that configuration
    into these squid caches).

    So, for this pilot rollout, I want to redirect only stuff destined to
    the Internet to the squid cache, and leave stuff that goes through the
    tunnels alone.

    Here is the line to direct everything (eth1 is my private interface on
    the gateway):

    /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    To exclude RFC 1918, I did this:
    /sbin/iptables -t nat -A PREROUTING -d 192.168.0.0/16 -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -d 172.16.0.0/12 -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -d 10.0.0.0/8 -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    Should it be "FORWARD" instead of "ACCEPT"? Is there a better way to do
    this? I was unable to find any examples of this situation in any groups
    or iptables documentation.

    ACCEPT does work, btw. I just want to verify that I'm not doing
    something stupid.

    Thanks in advance for taking the time to read through this.

    -- Greg

    -- 
    Greg Spath <gkspath@armstrong.com>                        
    Infrastructure Security Analyst    
    Armstrong World Industries, Inc.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
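The behaviour the ruleset above depends on is first-match traversal of the nat PREROUTING chain: an ACCEPT there ends traversal, so the later REDIRECT is never consulted for RFC 1918 destinations. The following is an added Python model of that traversal (not part of the original post, and it needs no iptables); the public address used in the checks is a constructed TEST-NET-3 value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    """One nat PREROUTING rule; None means that match is not specified."""
    target: str                     # ACCEPT or REDIRECT (both end traversal)
    dst: Optional[str] = None       # -d CIDR
    in_iface: Optional[str] = None  # -i
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    to_port: Optional[int] = None   # --to-port (REDIRECT only)

@dataclass
class Packet:
    dst_ip: str
    in_iface: str
    proto: str = "tcp"
    dport: int = 80

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.in_iface and rule.in_iface != pkt.in_iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def prerouting(chain: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; the chain policy (ACCEPT, no NAT) applies if none matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target, rule.to_port
    return "ACCEPT", None

# The ruleset from the post: RFC 1918 exclusions first, then the REDIRECT.
CHAIN = [
    Rule("ACCEPT", dst="192.168.0.0/16"),
    Rule("ACCEPT", dst="172.16.0.0/12"),
    Rule("ACCEPT", dst="10.0.0.0/8"),
    Rule("REDIRECT", in_iface="eth1", proto="tcp", dport=80, to_port=3128),
]

def is_proxied(dst_ip: str, in_iface: str = "eth1", dport: int = 80, chain=CHAIN) -> bool:
    """True when a connection would be redirected to squid on port 3128."""
    return prerouting(chain, Packet(dst_ip, in_iface, "tcp", dport)) == ("REDIRECT", 3128)
```

Reversing the chain order sends tunnel-bound 10/8 traffic to squid as well, which is the failure this ruleset is arranged to avoid.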
    
