iptables question (was Re: Squid question)

David A. Bandel david
Mon May 17 11:57:18 PDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 24 Dec 2003 12:31:44 -0500
Tim Wunder <tim at thewunders.org> wrote:

Tim, let's back up.

What you want:
all local connections going out on port 80 to go first to squid on 3128
which will then send it out port 80

problems:
how will iptables (or any other software for that matter) distinguish
between you going direct on port 80 and squid on port 80?
where does local connection originate?  is there a difference between
that and squid's traffic?

once we know the answers to the above, we can write a rule to select
packets to rewrite.

assuming squid traffic goes out port 80 just like it does from your
browser (which it does), we have no way to distinguish between the two. 
So we have one problem to overcome.  Fortunately, we, squid, and
iptables are all on the same host.  So we need to identify outbound
traffic on port 80 going out eth0 that isn't squid.  How to do?

well, there's a match -m called owner.  So we need to see who's running
squid:  root or squid?  If squid, life becomes easier.  Also, the only
chain we can use -m owner --uid-owner xxx in is the OUTPUT chain.

So:
iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner ! 101 -p tcp --dport 80 -j REDIRECT --to-ports 3128
(in the above rule I assumed the UID for squid was 101)

note that this rule is fairly specific and so _must_ be the first rule
(hence the -I) or very close to it.

also, ensure you don't have any filter rules which might block the
packets or otherwise terminate chain processing before reaching this
rule.

Use iptables -t nat -L -nv to look at the count (number of packet
matches).

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
		Nemesis Racing Team motto
GPG key autoresponder:  mailto:david_key at pananix.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/6fKJj31PLQNUbV4RAmBLAKCHuCWpcvxBfA4Luj5VuIc2bX+GRQCeIMz3
TQiManMSFXkelaVwyLDX+rg=
=tZEf
-----END PGP SIGNATURE-----
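The rule and the counter check from the mail above, as an added shell example (not David's own script): it builds the nat/OUTPUT rule for a configurable interface, squid UID and squid port, applies it only when APPLY=1, and pulls the packet counter for the REDIRECT rule out of `iptables -t nat -L OUTPUT -nv` output so you can confirm packets are actually matching. The UID 101, port 3128 and eth0 are the mail's assumptions carried over as defaults; the listing used for the counter check is constructed, not captured from a real host. Note that iptables 1.4 and later spell the negation `! --uid-owner 101` rather than `--uid-owner ! 101`, which is the form generated here.

```shell
#!/bin/sh
# Added example, not part of the original mail. Assumed values: squid runs as
# UID 101 and listens on 3128, and eth0 is the outbound interface.

OUT_IF="${OUT_IF:-eth0}"          # assumption: outbound interface
SQUID_UID="${SQUID_UID:-101}"     # assumption: UID squid runs as
SQUID_PORT="${SQUID_PORT:-3128}"  # assumption: squid's listening port

# Print the nat/OUTPUT rule. "-I OUTPUT 1" inserts it as the first rule, as
# the mail recommends, so no earlier rule can swallow the packets. Everything
# leaving eth0 for tcp/80 that is NOT owned by squid's UID is redirected to
# squid; squid's own outbound port-80 connections are left alone.
redirect_rule() {
    printf 'iptables -t nat -I OUTPUT 1 -o %s -p tcp --dport 80 -m owner ! --uid-owner %s -j REDIRECT --to-ports %s\n' \
        "$1" "$2" "$3"
}

# Read "iptables -t nat -L OUTPUT -nv" output on stdin and print the pkts
# counter (first column) of the REDIRECT rule for dport 80.
redirect_packet_count() {
    awk '$3 == "REDIRECT" && /dpt:80/ { print $1; exit }'
}

# Constructed sample of what "iptables -t nat -L OUTPUT -nv" prints once the
# rule has seen traffic (not captured from a real host).
SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 REDIRECT   tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ! owner UID match 101 redir ports 3128'

if [ "$APPLY" = 1 ]; then
    # Apply for real (needs root), then show the live counters.
    sh -c "$(redirect_rule "$OUT_IF" "$SQUID_UID" "$SQUID_PORT")"
    iptables -t nat -L OUTPUT -nv
else
    # Dry run: show the rule and demonstrate the counter check on the sample.
    redirect_rule "$OUT_IF" "$SQUID_UID" "$SQUID_PORT"
    printf 'REDIRECT matches in sample listing: %s\n' \
        "$(printf '%s\n' "$SAMPLE_LISTING" | redirect_packet_count)"
fi
```

Run it as-is for the dry run, or `APPLY=1 sh redirect.sh` as root to insert the rule; a counter that stays at 0 while a browser on the box fetches a web page means either an earlier rule is catching the packets first or the UID does not match the user squid really runs as (check with `ps -o uid,user,comm -C squid`).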

