iptables question (was Re: Squid question)

Tim Wunder tim
Mon May 17 11:57:17 PDT 2004


On Wednesday 24 December 2003 12:24 am, someone claiming to be M.W. Chang wrote:
> to redirect localhost port 80, try this:
>
> iptables -t nat -A PREROUTING -i lo -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> note the -i is now lo not eth0.

Thanks. Did that after David explained why lo was the correct interface to use 
for the rule. Unfortunately, it didn't work last night, and it still doesn't 
work. 

This is what I've done:
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -t nat -A PREROUTING -i lo -p tcp --dport 80 -j REDIRECT --to-port 3128
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere           tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Nevertheless, configuring the browser for a direct connection to the internet 
bypasses the proxy, sites blocked by squidGuard are no longer blocked and the 
squid log no longer receives entries.

/me is starting to feel dumber and dumber :-(
Perhaps other rules are in the way:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere           icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere           reject-with icmp-host-prohibited

Apparently something is still lost on me.
Thanks, 
Tim

-- 
Fedora Core 1, Kernel 2.4.22-1.2129.nptl,  KDE 3.1.4, Xfree86 4.3.0
 09:15:00  up 15 days, 12:04,  1 user,  load average: 0.21, 0.22, 0.10
It's what you learn after you know it all that counts
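An added audit script, not from the thread or from Tim's machine, that parses iptables-save style output and reports why a nat PREROUTING rule cannot catch a browser running on the same host (locally generated packets traverse the nat OUTPUT chain, never PREROUTING), and flags the redirect loop an OUTPUT rule causes when the proxy's own fetches are not excluded. The sample tables, the uid name "squid" and the port numbers are constructed assumptions.

```python
import re

# Constructed iptables-save view of the nat table from the post; unlike
# "iptables -L", iptables-save shows the "-i lo" interface match.
NAT_TABLE_AS_POSTED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
"""

# Constructed corrected table: local traffic is caught in nat OUTPUT and the
# proxy's own port-80 fetches (assumed uid "squid") are excluded to avoid a loop.
NAT_TABLE_FIXED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner squid -j REDIRECT --to-ports 3128
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+)(.*)$")

def nat_rules(save_text):
    """Yield (chain, rule_body) for every -A line inside the *nat table."""
    in_nat = False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_nat = (line == "*nat")
        elif in_nat:
            m = RULE_RE.match(line)
            if m:
                yield m.group(1), m.group(2)

def audit_local_redirect(save_text, proxy_port=3128):
    """Findings about transparently proxying HTTP from processes on this host."""
    findings, catches_local = [], False
    for chain, body in nat_rules(save_text):
        if not all(s in body for s in ("-j REDIRECT", f"--to-ports {proxy_port}", "--dport 80")):
            continue
        if chain == "PREROUTING":   # only packets *arriving* on an interface pass here
            findings.append(f"PREROUTING redirect ({body.strip()}) never sees locally generated traffic")
        elif chain == "OUTPUT":
            catches_local = True
            if "--uid-owner" not in body:   # proxy's own fetches would be redirected back to it
                findings.append("OUTPUT redirect lacks an owner exclusion: proxy traffic loops")
    if not catches_local:
        findings.append("no nat OUTPUT REDIRECT rule: local browsers bypass the proxy")
    return findings
```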