router/nat with only one NIC

Tim Wunder tim
Mon Sep 27 17:43:53 PDT 2004


On Sunday 26 September 2004 1:59 pm, someone claiming to be David Bandel 
wrote:
> On Sun, 26 Sep 2004 09:55:25 -0400, Tim Wunder <tim at thewunders.org> wrote:
<snip>
> >
> > So... the question remains...
> > How do I make port 80 requests from 192.168.1.0/24 go through 192.168.1.2
> > port 3129? Additionally, how do I make everything look like it's coming
> > from 192.168.1.2 to the router at 192.168.1.254.
>
> On .254 just block all port 80 requests that _don't_ come from 1.2,
> and on 1.2 reject all requests on port 80 incoming except from .254.
>
> > This is my current network config:
> > # ifconfig
> > eth0      Link encap:Ethernet  HWaddr 00:60:97:29:68:98
> >           inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
> >           inet6 addr: fe80::260:97ff:fe29:6898/64 Scope:Link
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:661095 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:663681 errors:0 dropped:0 overruns:0 carrier:4
> >           collisions:54 txqueuelen:1000
> >           RX bytes:364144548 (347.2 Mb)  TX bytes:284783379 (271.5 Mb)
> >           Interrupt:11 Base address:0xe400
> >
> > eth0:1    Link encap:Ethernet  HWaddr 00:60:97:29:68:98
> >           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:661095 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:663681 errors:0 dropped:0 overruns:0 carrier:4
> >           collisions:54 txqueuelen:1000
> >           RX bytes:364144548 (347.2 Mb)  TX bytes:284783379 (271.5 Mb)
> >           Interrupt:11 Base address:0xe400
> >
> > # route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> > 0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
> >
> > # cat /proc/sys/net/ipv4/conf/eth0/send_redirects
> > 0
> > # cat  /proc/sys/net/ipv4/ip_forward
> > 1
> >
> > # iptables -L -t nat
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http OWNER GID match GID1 redir ports 3129
> > REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http OWNER GID match GID2 redir ports 3129
> > REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:squid OWNER GID match GID1 redir ports 3129
> > REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:squid OWNER GID match GID2 redir ports 3129
>
> I think this is not exactly what you want.  Looks like you're
> redirecting all squid contacts on all interfaces to 3129.  But Dan's
> Guardian has to talk (I believe on localhost, 127.0.0.1) to 3128, so
> you don't want to redir that.
>

These are the rules that I currently use for transparent proxy from the only 
full-time internet-connected PC in the house, the same PC that runs 
squid/dansguardian. After many attempts, these are the rules I came up with 
that finally worked.

I can't see how they'd be a problem; they are only supposed to be 
followed for the 2 specified group IDs. I'll try some more stuff later 
tonight to see if I can figure this out...


> > For added edification, my laptop is getting IP address 192.168.1.110 from
> > the dhcp server.
> > # ifconfig
> > eth0      Link encap:Ethernet  HWaddr 00:0C:F1:0B:17:19
> >           inet addr:192.168.1.110  Bcast:192.168.1.255  Mask:255.255.255.0
> >           inet6 addr: fe80::20c:f1ff:fe0b:1719/64 Scope:Link
> >           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> >           RX packets:404 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:429 errors:0 dropped:0 overruns:0 carrier:1
> >           collisions:0 txqueuelen:1000
> >           RX bytes:48391 (47.2 Kb)  TX bytes:36935 (36.0 Kb)
> >           Interrupt:11 Base address:0x1000 Memory:c0204000-c0204fff
> >
> > # route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> > 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
> >
> > And pings work for 192.168.1.1, 192.168.1.2 and 68.34.76.5 (ISP's DNS
> > server) from the laptop.
> >
> > What doesn't work is Internet (DNS, actually). :-(
>
> If your Internet connected system is one of those small commercial
> NAT/Firewall boxes, you might need to specify it as your DNS server.
>

The NAT/Firewall is a Linksys cable router, which, I think, actually runs 
linux. (Didn't they get into some sort of trouble a while back?) I tried 
specifying the router's IP address, 192.168.1.254, as the DNS server and 
nothing changes. 

FWIW, I *can* connect my laptop to the internet by manually assigning it an IP 
address the router lets out and using 192.168.1.254 as the gateway and using 
the same nameserver, 68.34.76.5/6, entries that get configured via DHCP, and 
DNS works. But when I set the gateway to 192.168.1.1 (eth0:1 on the 
proxy/squid box), I can get pings to work, but DNS won't.

I think this simply won't work with a single ethernet card. I'll stick another 
card in the box and see if I can get it to work...

Thanks, 
Tim

-- 
Fedora Core 2, Kernel 2.6.7-1.494.2.2,  KDE 3.3.0, Xorg 6.7.0
 20:20:00 up 8 days, 10:27, 13 users,  load average: 0.00, 0.12, 0.28
It's what you learn after you know it all that counts
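As an added example (not from the thread), these are the two nat rules that answer the question quoted above for a one-NIC box: a PREROUTING REDIRECT that sends LAN clients' port-80 requests into dansguardian on 3129, and a POSTROUTING SNAT so the Linksys router only ever sees 192.168.1.2 as the source. The addresses, interface and port come from the thread; the script layout, the IPT dry-run variable and the FORWARD rules are my own additions, and it assumes ip_forward=1 as shown in the quoted output.

```shell
#!/bin/sh
# Added example, not from the thread. Transparent proxy NAT for a one-NIC
# squid/dansguardian box using the thread's addresses: proxy box 192.168.1.2
# (clients use its alias 192.168.1.1 as gateway), Linksys router 192.168.1.254,
# LAN 192.168.1.0/24, dansguardian listening on 3129.
# IPT defaults to iptables; run with IPT=echo to print the rules instead.
IPT=${IPT:-iptables}
IFACE=eth0
LAN=192.168.1.0/24
PROXY_IP=192.168.1.2
DG_PORT=3129

apply_nat_rules() {
    # Packets forwarded for LAN hosts never pass through the nat OUTPUT chain,
    # so the owner-matched OUTPUT rules in the thread only catch browsers running
    # on the proxy box itself. Traffic from the laptop enters via PREROUTING.

    # 1. Redirect LAN clients' port-80 requests into dansguardian. Binding to
    #    -i eth0 leaves dansguardian's own 127.0.0.1:3128 hop to squid alone, and
    #    "! -d LAN" keeps e.g. the router's admin page reachable directly.
    $IPT -t nat -A PREROUTING -i "$IFACE" -s "$LAN" ! -d "$LAN" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$DG_PORT"

    # 2. Anything forwarded out toward the Internet leaves with the proxy box's
    #    address, so the router only ever sees 192.168.1.2 as the source and
    #    replies come back through the box rather than straight to the client.
    $IPT -t nat -A POSTROUTING -o "$IFACE" -s "$LAN" ! -d "$LAN" \
        -j SNAT --to-source "$PROXY_IP"
}

apply_filter_rules() {
    # Allow the in-and-out-the-same-NIC forwarding these rules depend on, and
    # only that; the replies are matched by conntrack state.
    $IPT -A FORWARD -i "$IFACE" -o "$IFACE" -s "$LAN" ! -d "$LAN" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Only touch the live tables when explicitly asked (./script apply).
if [ "${1:-}" = "apply" ]; then
    apply_nat_rules
    apply_filter_rules
fi
```

Run it once with `IPT=echo` to review the exact rules before applying them as root.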