[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Linux, Ipchains,Squid. Asking for special rule.

Posted on 2002-04-26
9
Medium Priority
?
282 Views
Last Modified: 2010-03-18
target     prot opt     source                destination           ports
REDIRECT   tcp  ------  192.168.1.0/24     anywhere              any ->   www => squid

MASQ all  ------  192.168.1.0/24     anywhere              n/a

i want 192.168.1.195 going directly with out be forced to use the redirect rule to squid. The short question is how i add the rule that does this.
0
Comment
Question by:DiegoRojas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 6972587
I'm not at all an iptables expert, but I believe that the way to solve the problem is to redirect all except the 1.195 host. Probably something along the lines of:

iptables -t nat -A PREROUTING -s 192.168.1.0/25 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.128/26 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.192 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.193 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.194 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.196 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.197 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.200/29 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.208/28 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.224/27 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80

That should redirect all IP's except 192.168.1.195.
0
 
LVL 4

Expert Comment

by:MFCRich
ID: 6974039
The rules in iptables are applied in order until a ACCEPT, DROP, REJECT or MASQUERADE target is hit.

Put the rule for 192.168.1.195 _before_ the rule for 192.168.1.0/24

0
 

Author Comment

by:DiegoRojas
ID: 6975088
-Jlevie i understand your point but i have more than one hundred hosts so it is not practical.

-MfcRich, yes i understand i need a rule before the general rule, but what is that rule?. I am looking for the syntax something like:

ipchains -A input -p tcp -s 192.168.1.0/24 && != 192.168.1.195/24 -d 0/0 www -j REDIRECT 3128

This means take the network but not the host and apply the rule.

Thanks.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 40

Expert Comment

by:jlevie
ID: 6975163
The rules that I defined above should account for the entire Class C address space. Those netmasks simply reduce the number of statments required to cover the Class C.
0
 
LVL 3

Expert Comment

by:hnminh
ID: 6975246
As MFCRich said, you would need this command:

ipchains -I input 1 -s 192.168.1.195 -d 0/0 -j ACCEPT

or you can rebuild your ipchains by:

$ipchains -F
$ipchains -A input -s 192.168.1.195 -d 0/0 -j ACCEPT
$ipchains -A input -p tcp -s 192.168.1.0/24 -d 0/0 www -j REDIRECT 3128
$ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ
0
 
LVL 4

Expert Comment

by:MFCRich
ID: 6975457
What hnminh said
0
 

Author Comment

by:DiegoRojas
ID: 6981943
My problem is solved. The line for each host that is working is:

ipchains -A input -p tcp -s 192.168.1.x -d 0/0 www -j REDIRECT 3128

where 254<=x>0, and no rule for 192.168.1.195

i did the rebuild like hnminh suggests with mfcrich but id did not work. Please send me another rule to do it with out create a rule for each host.
0
 
LVL 4

Accepted Solution

by:
MFCRich earned 150 total points
ID: 6982525
ipchains -A input -p tcp -s 192.168.1.195 --dport www -j ACCEPT
ipchains -A input -p tcp -s 192.168.1.0/24 --dport www -j REDIRECT 3128
ipchains -A forward -s 192.168.1.0/24 -j MASQ


NOTE: The rule in the forward chain covers you entire internal network. You may want to refine it if there are some machines you don't want to connect to the net at all
0
 

Expert Comment

by:CleanupPing
ID: 9078503
DiegoRojas:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question