[fw-wiz] Excluding certain NAT in linux iptables?
From: Greg Spath (gkspath_at_armstrong.com)
Date: 07/01/05
To: firewall-wizards@honor.icsalabs.com
Date: Fri, 1 Jul 2005 11:44:06 -0400
Hi all,
My first post to the list, let me know if it's not on topic or if I should go
elsewhere.
Background:
We deploy a linux-based appliance to form branch office IPSec tunnels.
I've recently added a squid proxy to the mix, and want to use it
transparently using iptables REDIRECT.
This is all well and good, but there are certain Internal web server
auth methods (I'm sure you can guess which company) which this will
break (unless I spend far too much time building that configuration
into these squid caches).
So, for this pilot rollout, I want to redirect only stuff destined to
the Internet to the squid cache, and leave stuff that goes through the
tunnels alone.
Here is the line to direct everything (eth1 is my private interface on
the gateway):
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
To exclude rfc1918, I did this:
/sbin/iptables -t nat -A PREROUTING -d 192.168.0.0/16 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 172.16.0.0/12 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 10.0.0.0/8 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Should it be "FORWARD" instead of "ACCEPT"? Is there a better way to do
this? I was unable to find any examples of this situation in any groups
or iptables documentation.
ACCEPT does work, btw. I just want to verify that I'm not doing
something stupid.
Thanks in advance for taking the time to read through this.
-- Greg
--
Greg Spath <gkspath@armstrong.com>
Infrastructure Security Analyst
Armstrong World Industries, Inc.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
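Editor's added example (not the poster's configuration, and not a reply from the list): the same exclude-then-REDIRECT arrangement written as a reviewable script. Two facts it relies on: FORWARD is a chain of the filter table, not a target, so it cannot be used in the nat table; and in the nat PREROUTING chain an ACCEPT (or, inside a user-defined chain, a RETURN) simply ends NAT processing for that connection, after which the packet is routed normally. The nat table only sees the first packet of each connection, so a decision taken there sticks for the rest of it. The interface name eth1, the squid port 3128, the chain name SQUID_REDIRECT and the helper functions are assumptions for illustration. The script prints the rules by default and applies them only when APPLY=1; the pure-sh CIDR check lets you predict the verdict for a given destination before loading anything.

```shell
#!/bin/sh
# Added example: transparent squid REDIRECT with RFC1918 destinations
# excluded so tunnelled traffic is left alone. Names below are assumptions.
set -eu

IPTABLES=${IPTABLES:-/sbin/iptables}
LAN_IF=${LAN_IF:-eth1}            # assumed private-side interface
SQUID_PORT=${SQUID_PORT:-3128}    # assumed squid listening port
# Destinations reached through the IPSec tunnels: never proxied.
EXCLUDE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Emit the rule set as shell commands rather than running it, so it can be
# reviewed (or diffed) first. A dedicated chain keeps the exclusions next to
# the REDIRECT they guard and keeps PREROUTING itself to a single rule.
build_rules() {
    echo "$IPTABLES -t nat -N SQUID_REDIRECT"
    for net in $EXCLUDE_NETS; do
        # RETURN leaves the chain without NAT; the connection goes direct.
        echo "$IPTABLES -t nat -A SQUID_REDIRECT -d $net -j RETURN"
    done
    echo "$IPTABLES -t nat -A SQUID_REDIRECT -j REDIRECT --to-ports $SQUID_PORT"
    # Only LAN-side TCP/80 ever enters the chain; everything else is untouched.
    echo "$IPTABLES -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j SQUID_REDIRECT"
}

# dotted quad -> 32-bit integer (pure POSIX sh arithmetic)
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeeds when ADDR lies inside NET/PREFIX
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# verdict ADDR: what the chain above does with a TCP/80 connection to ADDR,
# "direct" (matched an exclusion, no NAT) or "proxy" (REDIRECTed to squid).
verdict() {
    for net in $EXCLUDE_NETS; do
        if in_cidr "$1" "$net"; then
            echo direct
            return 0
        fi
    done
    echo proxy
}

if [ "${APPLY:-0}" = 1 ]; then
    build_rules | sh -e      # apply for real (needs root and the nat module)
else
    build_rules              # dry run: show what would be loaded
fi
```

After loading, `iptables -t nat -L SQUID_REDIRECT -v -n` shows per-rule packet counters, which is the quickest way to confirm that tunnel-bound requests are hitting a RETURN line and Internet-bound ones the REDIRECT; a destination that is not RFC1918 but still lives behind a tunnel would need its own RETURN line, since the address ranges, not the tunnels, are what the rules match.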