iptables question (was Re: Squid question)

David A. Bandel david
Mon May 17 11:57:16 PDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 23 Dec 2003 17:16:41 -0500
Tim Wunder <tim at thewunders.org> wrote:

> OK. The result of the iptables command that Chang provided was that
> incoming http requests from the 'net would fall silent. There was no
> difference to the behavior when trying to access the 'net from the
> machine on which the proxy server and firewall are running.
> 
> Upon reading further, it seems that because the tcp request is coming
> from the same machine as the firewall, DNAT should be used. So, I
> changed the command to 
> #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 
> 192.168.1.2:3128
> 
> Unfortunately, that proved to be a dead end as well. My http pages
> continued to get served to the outside world, but http requests
> originating on the server still do not get forwarded through the proxy.
> 
> So, I continued reading. Eventually, I came upon a page 
> (http://groups.yahoo.com/group/jetty-support/message/3076) that said,
> "I spent many happy hours wondering why my test browser (on the same
> box as the server) could not see the redirected jetty service on port
> 80.

Not true.  See why below.

> 
> When you redirect ports using iptables, the port redirection works
> only on inbound traffic from *other* hosts."

*IF* you've stipulated eth0 or eth1, etc. as the inbound interface!

> 
> Now that comment was in reference to something called "jetty" and not
> squid, but is what it says true? Can I not redirect port 80 to 3128
> using iptables on the server on which squid is running?
> 
> It appears that I'm failing to grasp something :-(

Yes, you're failing to grasp _where_ the request is originating from. 
Requests from the same system always originate from 127.0.0.1 (lo).  NOT
from eth0 or eth1. To see this in action, try running tcpdump on lo.
Traffic is only seen as originating from eth0 _after_ it *leaves* the
system and only by other systems.

Understanding how things work.

Ciao,

David A. Bandel
- -- 
Focus on the dream, not the competition.
		Nemesis Racing Team motto
GPG key autoresponder:  mailto:david_key at pananix.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/6Oawj31PLQNUbV4RAnDTAJkBImOR39MPeC9iXAug4sOeKckspACeMdSc
m/arj9nqM5pnarQhkD3NCCM=
=tNdq
-----END PGP SIGNATURE-----
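The point David makes about where a request originates decides which nat chain can see it: a packet arriving on eth0 is offered to the nat PREROUTING chain, while a packet generated by a process on the firewall itself is offered only to the nat OUTPUT chain and never to PREROUTING, so a PREROUTING rule keyed on `-i eth0` cannot match it. The following is an added example, not code from the thread: a small Python model of that traversal (a deliberate simplification, not the kernel) that runs the rule from the thread against an inbound packet and against a locally generated one, then adds the usual nat OUTPUT rule for local traffic. The OUTPUT rule, its `-m owner ! --uid-owner` exclusion (used so Squid's own outbound fetches are not redirected back into Squid), the uid value, and the IP addresses are assumptions constructed for the example.

```python
"""Toy model of netfilter nat-table traversal (added example, not from the thread).

Only the PREROUTING, OUTPUT and POSTROUTING hooks of the nat table and the
matches used in the discussion (-i, --dport, -m owner --uid-owner) are modelled.
"""
from dataclasses import dataclass
from typing import Optional

SQUID_UID = 31  # constructed: whatever uid the squid daemon runs as on the box


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str]      # interface it arrived on; None when locally generated
    uid: Optional[int] = None    # owning uid, known only for locally generated packets


@dataclass
class Rule:
    chain: str
    target: str                  # e.g. "DNAT --to 192.168.1.2:3128", kept as text
    in_iface: Optional[str] = None   # -i <iface>
    dport: Optional[int] = None      # -p tcp --dport <n>
    uid_not: Optional[int] = None    # -m owner ! --uid-owner <n>

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.uid_not is not None and pkt.uid == self.uid_not:
            return False
        return True


def chains_traversed(pkt: Packet):
    """nat chains a packet is offered to, in order.

    Locally generated packets enter at OUTPUT; packets arriving on an
    interface enter at PREROUTING. Neither kind sees the other's chain.
    """
    if pkt.in_iface is None:
        return ["OUTPUT", "POSTROUTING"]
    return ["PREROUTING", "POSTROUTING"]


def nat_decision(rules, pkt: Packet):
    """(chain, target) of the first matching rule, or None if nothing matched."""
    for chain in chains_traversed(pkt):
        for rule in rules:
            if rule.chain == chain and rule.matches(pkt):
                return (chain, rule.target)
    return None


# The rule from the thread: -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT ...
THREAD_RULES = [
    Rule("PREROUTING", "DNAT --to 192.168.1.2:3128", in_iface="eth0", dport=80),
]

# Assumed addition for traffic the firewall itself generates:
# -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j REDIRECT --to-ports 3128
FIXED_RULES = THREAD_RULES + [
    Rule("OUTPUT", "REDIRECT --to-ports 3128", dport=80, uid_not=SQUID_UID),
]

# Constructed sample packets (documentation address ranges).
INBOUND_WEB = Packet("203.0.113.5", "192.168.1.2", 80, in_iface="eth0")
LOCAL_BROWSER = Packet("192.168.1.2", "198.51.100.7", 80, in_iface=None, uid=1000)
SQUID_FETCH = Packet("192.168.1.2", "198.51.100.7", 80, in_iface=None, uid=SQUID_UID)


def summary(rules):
    """Map each sample packet name to its nat decision under the given rules."""
    return {
        "inbound_from_internet": nat_decision(rules, INBOUND_WEB),
        "local_browser": nat_decision(rules, LOCAL_BROWSER),
        "squid_own_fetch": nat_decision(rules, SQUID_FETCH),
    }


if __name__ == "__main__":
    for name, rules in (("thread rule only", THREAD_RULES), ("with OUTPUT rule", FIXED_RULES)):
        print(name)
        for pkt_name, decision in summary(rules).items():
            print(f"  {pkt_name:22} -> {decision}")
```

With only the PREROUTING rule, the local browser's packet is never redirected, which is exactly the symptom in the thread; with the OUTPUT rule added it is redirected to port 3128, while Squid's own fetches (matched by owner uid) pass untouched so the proxy does not redirect itself in a loop. On a real box the equivalent check is `iptables -t nat -L OUTPUT -v -n` with packet counters, which shows whether local traffic is hitting any redirect at all.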

