Solved

Linux, Ipchains, Squid. Asking for special rule.

Posted on 2002-04-26
Last Modified: 2010-03-18
target     prot opt     source                destination           ports
REDIRECT   tcp  ------  192.168.1.0/24     anywhere              any ->   www => squid

MASQ all  ------  192.168.1.0/24     anywhere              n/a

I want 192.168.1.195 to go out directly without being forced to use the redirect rule to squid. The short question is how I add the rule that does this.
0
Question by:DiegoRojas
9 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 6972587
I'm not at all an iptables expert, but I believe that the way to solve the problem is to redirect all except the 1.195 host. Probably something along the lines of:

iptables -t nat -A PREROUTING -s 192.168.1.0/25 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.128/26 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.192 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.193 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.194 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.196 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.197 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.198/31 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.200/29 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.208/28 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.224/27 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80

That should redirect all IPs except 192.168.1.195.
0
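An added example, not part of the original answer: computing the exact set of source blocks that covers 192.168.1.0/24 minus one host, and auditing a hand-written list for hosts it misses. `PROXY_IP` is a placeholder for the Squid host the answer leaves as `192.168.1.?`, and the faulty list is constructed for the demonstration.

```python
import ipaddress

def redirect_sources(lan, exempt):
    """Smallest set of CIDR blocks covering `lan` except the single `exempt` host."""
    lan = ipaddress.ip_network(lan)
    host = ipaddress.ip_network(exempt)          # a bare address parses as a /32
    return sorted(lan.address_exclude(host))

def audit(sources, lan, exempt):
    """Return (missed, leaked): LAN hosts no rule matches, exempt host if a rule matches it."""
    nets = [ipaddress.ip_network(str(s)) for s in sources]
    exempt = ipaddress.ip_address(exempt)
    missed, leaked = [], []
    for addr in ipaddress.ip_network(lan):       # every address, .0 through .255
        hit = any(addr in n for n in nets)
        if addr == exempt and hit:
            leaked.append(str(addr))
        elif addr != exempt and not hit:
            missed.append(str(addr))
    return missed, leaked

def as_rules(sources, proxy="PROXY_IP:80"):      # PROXY_IP is a placeholder, not a real value
    """Render the blocks in the same rule shape the answer uses."""
    return [f"iptables -t nat -A PREROUTING -s {s} -p tcp --dport 80 -j DNAT --to {proxy}"
            for s in sources]

LAN, EXEMPT = "192.168.1.0/24", "192.168.1.195"
COVER = redirect_sources(LAN, EXEMPT)

# Constructed faulty list: the cover with one block dropped, to show what the audit reports.
FAULTY = [str(n) for n in COVER if str(n) != "192.168.1.196/30"]

if __name__ == "__main__":
    print("\n".join(as_rules(COVER)))
    print("audit of computed cover:", audit(COVER, LAN, EXEMPT))
    print("audit of faulty list:  ", audit(FAULTY, LAN, EXEMPT))
```

Eight blocks are enough for any single exempt host in a /24, one for each prefix length from /25 to /32.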
 
LVL 4

Expert Comment

by:MFCRich
ID: 6974039
The rules in iptables are applied in order until an ACCEPT, DROP, REJECT or MASQUERADE target is hit.

Put the rule for 192.168.1.195 _before_ the rule for 192.168.1.0/24.

0
 

Author Comment

by:DiegoRojas
ID: 6975088
-Jlevie, I understand your point, but I have more than one hundred hosts, so it is not practical.

-MfcRich, yes, I understand I need a rule before the general rule, but what is that rule? I am looking for the syntax, something like:

ipchains -A input -p tcp -s 192.168.1.0/24 && != 192.168.1.195/24 -d 0/0 www -j REDIRECT 3128

This means take the network but not the host and apply the rule.

Thanks.
0

 
LVL 40

Expert Comment

by:jlevie
ID: 6975163
The rules that I defined above should account for the entire Class C address space. Those netmasks simply reduce the number of statements required to cover the Class C.
0
 
LVL 3

Expert Comment

by:hnminh
ID: 6975246
As MFCRich said, you would need this command:

ipchains -I input 1 -s 192.168.1.195 -d 0/0 -j ACCEPT

or you can rebuild your ipchains by:

$ipchains -F
$ipchains -A input -s 192.168.1.195 -d 0/0 -j ACCEPT
$ipchains -A input -p tcp -s 192.168.1.0/24 -d 0/0 www -j REDIRECT 3128
$ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ
0
 
LVL 4

Expert Comment

by:MFCRich
ID: 6975457
What hnminh said
0
 

Author Comment

by:DiegoRojas
ID: 6981943
My problem is solved. The line for each host that is working is:

ipchains -A input -p tcp -s 192.168.1.x -d 0/0 www -j REDIRECT 3128

where 254<=x>0, and no rule for 192.168.1.195

I did the rebuild like hnminh suggests with mfcrich, but it did not work. Please send me another rule to do it without creating a rule for each host.
0
 
LVL 4

Accepted Solution

by:
MFCRich earned 50 total points
ID: 6982525
ipchains -A input -p tcp -s 192.168.1.195 --dport www -j ACCEPT
ipchains -A input -p tcp -s 192.168.1.0/24 --dport www -j REDIRECT 3128
ipchains -A forward -s 192.168.1.0/24 -j MASQ


NOTE: The rule in the forward chain covers your entire internal network. You may want to refine it if there are some machines you don't want to connect to the net at all.
0
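An added example, not part of the original thread: a small first-match model of the input chain from the accepted solution, showing why the exemption for 192.168.1.195 only takes effect when it sits above the /24 redirect. Assumptions: `www` is port 80, the chain policy is ACCEPT, and 192.168.1.10 is a constructed ordinary host.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "src proto dport target")

def first_match(chain, src, proto, dport, policy="ACCEPT"):
    """Walk the chain top to bottom; the first rule that matches decides the packet."""
    addr = ipaddress.ip_address(src)
    for rule in chain:
        if addr not in ipaddress.ip_network(rule.src):
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.target
    return policy                     # assumed chain policy when nothing matches

EXEMPT   = Rule("192.168.1.195", "tcp", 80, "ACCEPT")
REDIRECT = Rule("192.168.1.0/24", "tcp", 80, "REDIRECT 3128")

GOOD_ORDER = [EXEMPT, REDIRECT]       # input chain as in the accepted solution
BAD_ORDER  = [REDIRECT, EXEMPT]       # same rules, exemption appended after the /24 rule

def report(chain):
    """Targets hit by three probe packets (constructed sample traffic)."""
    probes = [("192.168.1.195", "tcp", 80),   # exempt host, web
              ("192.168.1.10",  "tcp", 80),   # ordinary host, web
              ("192.168.1.10",  "tcp", 443)]  # ordinary host, not port 80
    return [first_match(chain, *p) for p in probes]

if __name__ == "__main__":
    print("exemption first:", report(GOOD_ORDER))
    print("exemption last: ", report(BAD_ORDER))
```

On a chain that already holds the redirect, `-A` appends the exemption below it, which is the second case; the `-I input 1` form posted earlier in the thread puts it at the top instead.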
 
