iptables question (was Re: Squid question)
Tim Wunder
Mon May 17 11:57:16 PDT 2004
OK. The result of the iptables command that Chang provided was that incoming
http requests from the 'net would fall silent. There was no difference to the
behavior when trying to access the 'net from the machine on which the proxy
server and firewall are running.
Upon reading further, it seems that because the tcp request is coming from the
same machine as the firewall, DNAT should be used. So, I changed the command
to

  # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
Unfortunately, that proved to be a dead end as well. My http pages continued
to get served to the outside world, but http requests originating on the
server still do not get forwarded through the proxy.
So, I continued reading. Eventually, I came upon a page
(http://groups.yahoo.com/group/jetty-support/message/3076) that said, "I
spent many happy hours wondering why my test browser (on the same box as the
server) could not see the redirected jetty service on port 80.
When you redirect ports using iptables, the port redirection works only on
inbound traffic from *other* hosts."
Now that comment was in reference to something called "jetty" and not squid,
but is what it says true? Can I not redirect port 80 to 3128 using iptables
on the server on which squid is running?
It appears that I'm failing to grasp something :-(
Thanks,
Tim
On Tuesday 23 December 2003 9:31 am, someone claiming to be Tim Wunder wrote:
> This doesn't seem to work for me.
> I did:
>
>   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> However, if I change my browser settings to use a direct connection to the
> internet, the proxy server is bypassed.
>
> # iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> On Monday 22 December 2003 11:42 pm, someone claiming to be M.W. Chang
> wrote:
> > Just using iptables to redirect port 80 to 3128 will do:
> >
> >   iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128
> >
> > where $INTIF is the internal interface.
> >
> >
> > > Doesn't look like I can use transparent proxy with the squid package
> > > provided by Fedora. At least the instructions I found at tldp didn't
> > > work. :-(
--
Fedora Core 1, Kernel 2.4.22-1.2129.nptl, KDE 3.1.4, Xfree86 4.3.0
16:55:00 up 14 days, 19:44, 3 users, load average: 0.63, 0.44, 0.26
It's what you learn after you know it all that counts
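The jetty-support quote above is correct about why the PREROUTING rule does nothing for a browser on the firewall itself: in netfilter, packets generated on the local machine never pass through PREROUTING; they enter the nat table at the OUTPUT chain. The script below is an added example (not Tim's, Chang's or the Squid project's code) showing the rule pair that covers both cases, with one caveat built in: Squid's own outbound fetches are also locally generated, so the OUTPUT rule must skip traffic owned by the Squid user or every proxied request would be redirected back into the proxy. It assumes the interface name, proxy port and Squid account passed as arguments; Squid's own transparent-mode configuration is a separate step and is not shown here.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Transparent-proxy
# redirect rules covering both forwarded and locally generated web traffic.
# Assumed names: $1 is the LAN-facing interface, $2 is Squid's listening
# port, $3 is the unix account Squid runs as. Set IPT=echo to print the
# rules instead of loading them (no root or iptables binary needed).
IPT="${IPT:-iptables}"

squid_redirect_rules() {
    intif="$1"        # internal interface, e.g. eth1 (hypothetical)
    proxy_port="$2"   # Squid's listening port, e.g. 3128
    squid_user="$3"   # account Squid runs as, e.g. squid (hypothetical)

    # 1. Traffic arriving from other hosts on the LAN. This is the only
    #    path the PREROUTING chain ever sees, which is why a PREROUTING
    #    rule on its own leaves the firewall's own browser unproxied.
    $IPT -t nat -A PREROUTING -i "$intif" -p tcp --dport 80 \
         -j REDIRECT --to-ports "$proxy_port"

    # 2. Traffic generated on the firewall itself (a browser on this box)
    #    never passes PREROUTING; it enters the nat table at OUTPUT.
    #    Squid's outbound fetches are locally generated too, so exclude
    #    its uid, and leave loopback alone so the redirect cannot loop.
    $IPT -t nat -A OUTPUT -p tcp --dport 80 ! -d 127.0.0.0/8 \
         -m owner ! --uid-owner "$squid_user" \
         -j REDIRECT --to-ports "$proxy_port"
}

# Review helper: returns the rules as text without touching the kernel.
show_rules() {
    ( IPT=echo; squid_redirect_rules "$@" )
}

# Usage (prints the two rules; replace show_rules with squid_redirect_rules
# to load them for real):
#   show_rules eth1 3128 squid
```

Listing the result with `iptables -L -t nat` afterwards should show the REDIRECT entry under both PREROUTING and OUTPUT; if OUTPUT is still empty, as in the listing quoted above, locally originated requests will keep bypassing the proxy.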