What if, for testing purposes, I want to redirect only the traffic from a certain IP, say 10.6.2.250?
I have a fedora firewall for my organization, now I am also setting up a new linux-based box with a proxy/content filter. What I want is to redirect all outgoing port 80 traffic to get out through the proxy using iptables. Both servers are on the same subnet (the firewall and the new proxy), and both are connected directly to the Internet.
All my machines are configured to use the firewall as gateway to the internet.
First of all, my rules have a typo:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -s 10.6.2.250 -j DNAT --to ip.of.the.proxy:80
#if ip.of.the.proxy is reachable via the same eth device as the client, then one more rule is needed
#unfortunately this will cause the proxy to see the connection coming from the firewall (instead of the real client).
#if that's unacceptable, I propose creating a third network containing only the firewall and the proxy
iptables -t nat -A POSTROUTING -o eth1 -s 10.6.2.250 -d ip.of.the.proxy -j MASQUERADE
That's exactly what you need:
ETH_INSIDE=eth1
iptables -t nat -A PREROUTING -i $ETH_INSIDE -p tcp --dport 80 -s 10.6.2.250 -j DNAT --to-destination 10.6.4.235:80
iptables -t nat -A POSTROUTING -o $ETH_INSIDE -s 10.6.0.0/16 -d 10.6.4.235 -j SNAT --to-source 10.6.4.234
But note that the proxy will not see the client's IP, only the firewall's.
Not in this config.
You see, CLIENT connects to FW, and FW forwards the packets to PROXY. But if FW does not change the source IP, then PROXY will reply directly to CLIENT. CLIENT will consider that IP spoofing (it sent a packet to one IP, but the reply came back from another one) and drop it.
Maybe you should do something like:
client(10.6.2.250) --- firewall(10.6.4.234 & 192.168.8.234, NAT only to internet) --- internet
                                              |
                       proxy (192.168.8.235 with static route to 10.0.0.0/8 via 192.168.8.234, no NAT, no ip_forward) --- internet
Then it's enough to do:
ETH_INSIDE=eth1
iptables -t nat -A PREROUTING -i $ETH_INSIDE -p tcp --dport 80 -s 10.6.2.250 -j DNAT --to-destination 192.168.8.235:80
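The following is an added example, not code posted in this thread: a small POSIX shell script that generates the rule sets for both layouts discussed in the two answers above (the same-subnet proxy, which needs DNAT plus SNAT so replies come back through the firewall, and the separate-network proxy, which needs only DNAT and keeps the real client IP visible). The interface name and the addresses (eth1, 10.6.2.250, 10.6.4.235, 10.6.4.234, 192.168.8.235) are assumptions reused from the thread; the `IPT` variable defaults to a dry run that only prints the commands, and the FORWARD rule assumes a default-DROP FORWARD policy with an existing ESTABLISHED,RELATED accept rule.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the iptables NAT rules that
# steer one test client's port-80 traffic to a proxy, for both layouts
# discussed above. Interface name, client, proxy and firewall addresses are
# assumptions taken from the thread; IPT defaults to "echo iptables" so the
# script only prints the commands (dry run). Run with IPT=iptables as root
# to load them for real.

IPT="${IPT:-echo iptables}"

# Layout 1: proxy on the same LAN as the clients. Three rules are needed:
#  1. DNAT on ingress so the client's HTTP goes to the proxy instead of out.
#  2. SNAT on egress so the proxy sees the firewall as the source and sends
#     its replies back through the firewall. Without it the proxy answers
#     the client directly and the client drops the reply (it expects the
#     original destination address). Cost: the proxy cannot see the real
#     client IP in its logs.
#  3. A FORWARD accept for the hairpinned flow, needed only when the
#     FORWARD policy is DROP (assumed here; an ESTABLISHED,RELATED accept
#     rule for the return direction is also assumed to exist).
# The source match is kept to the single test client so nothing else on
# the LAN is affected while testing.
same_subnet_rules() {
    client="$1"; lan_if="$2"; proxy="$3"; fw_lan_ip="$4"
    $IPT -t nat -A PREROUTING -i "$lan_if" -p tcp -s "$client" --dport 80 \
        -j DNAT --to-destination "$proxy:80"
    $IPT -t nat -A POSTROUTING -o "$lan_if" -p tcp -s "$client" -d "$proxy" --dport 80 \
        -j SNAT --to-source "$fw_lan_ip"
    $IPT -A FORWARD -i "$lan_if" -o "$lan_if" -p tcp -s "$client" -d "$proxy" --dport 80 \
        -j ACCEPT
}

# Layout 2: proxy on its own link behind the firewall, with a static route
# for the client range pointing back at the firewall and no NAT of its own.
# Replies then return through the firewall by routing alone, so a single
# DNAT rule suffices and the proxy still sees the real client IP.
separate_net_rules() {
    client="$1"; lan_if="$2"; proxy="$3"
    $IPT -t nat -A PREROUTING -i "$lan_if" -p tcp -s "$client" --dport 80 \
        -j DNAT --to-destination "$proxy:80"
}

# After loading, confirm the rules are matching: the packet/byte counters on
# the PREROUTING DNAT rule should climb while the test client browses.
show_nat_counters() {
    $IPT -t nat -L PREROUTING -v -n --line-numbers
}

# Dry-run demonstration with the thread's addresses (constructed values).
same_subnet_rules 10.6.2.250 eth1 10.6.4.235 10.6.4.234
separate_net_rules 10.6.2.250 eth1 192.168.8.235
```

Run it as-is to review the commands it would issue; run it as root with `IPT=iptables` to load them, then call `show_nat_counters` and browse from the test client to confirm the DNAT rule's counters increase. Re-running the same commands with `-A` changed to `-D` removes the test rules again.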
by: shakoush2001, posted on 2008-04-15 at 13:39:46, ID: 21362647
iptables -t nat -A PREROUTING -j DNAT -i eth1 -p tcp --dport 443 --to-destination 192.168.0.2:443
Change the NIC/port/IP accordingly.