DiegoRojas
asked on
Linux, Ipchains, Squid. Asking for special rule.
target prot opt source destination ports
REDIRECT tcp ------ 192.168.1.0/24 anywhere any -> www => squid
MASQ all ------ 192.168.1.0/24 anywhere n/a
I want 192.168.1.195 to go directly, without being forced to use the redirect rule to Squid. The short question is how I add the rule that does this.
The rules in iptables are applied in order until an ACCEPT, DROP, REJECT or MASQUERADE target is hit.
Put the rule for 192.168.1.195 _before_ the rule for 192.168.1.0/24
ASKER
-Jlevie, I understand your point, but I have more than one hundred hosts, so it is not practical.
-MfcRich, yes, I understand I need a rule before the general rule, but what is that rule? I am looking for syntax something like:
ipchains -A input -p tcp -s 192.168.1.0/24 && != 192.168.1.195/24 -d 0/0 www -j REDIRECT 3128
This means take the network but not the host and apply the rule.
Thanks.
The rules that I defined above should account for the entire Class C address space. Those netmasks simply reduce the number of statements required to cover the Class C.
As MFCRich said, you would need this command:
ipchains -I input 1 -s 192.168.1.195 -d 0/0 -j ACCEPT
or you can rebuild your ipchains by:
$ipchains -F
$ipchains -A input -s 192.168.1.195 -d 0/0 -j ACCEPT
$ipchains -A input -p tcp -s 192.168.1.0/24 -d 0/0 www -j REDIRECT 3128
$ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ
What hnminh said
ASKER
My problem is solved. The line for each host that is working is:
ipchains -A input -p tcp -s 192.168.1.x -d 0/0 www -j REDIRECT 3128
where 254<=x>0, and no rule for 192.168.1.195
I did the rebuild as hnminh suggests with mfcrich, but it did not work. Please send me another rule to do it without creating a rule for each host.
DiegoRojas:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
iptables -t nat -A PREROUTING -s 192.168.1.0/25 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.128/26 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.192 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.193 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.194 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.196/30 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.200/29 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.208/28 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.224/27 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
That should redirect all IP's except 192.168.1.195.
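The hand-built block list above is one instance of a general construction: split the /24 into the minimal set of CIDR blocks that cover every address except the excluded host, then emit one rule per block. The following is an added example, not code from anyone in the thread; it computes those blocks with Python's ipaddress module, builds ipchains REDIRECT rules in the syntax used earlier in the thread (Squid on port 3128 is assumed), and checks that the blocks cover the network exactly once with the excluded host left out, which is the check that catches a hand-written list with a gap.

```python
import ipaddress


def exclude_host_blocks(network, excluded):
    """Return the minimal CIDR blocks covering `network` minus `excluded`,
    sorted by address (the general form of the /25, /26, ... list above)."""
    net = ipaddress.ip_network(network, strict=True)
    host = ipaddress.ip_network(excluded, strict=True)  # a /32 for one host
    return sorted(net.address_exclude(host))


def ipchains_redirect_rules(network, excluded, squid_port=3128):
    """Build one ipchains input-chain REDIRECT rule per block, in the
    thread's syntax. Port 3128 (Squid's default) is an assumption."""
    rules = []
    for block in exclude_host_blocks(network, excluded):
        # Print a bare address for a single host, CIDR notation otherwise.
        src = str(block.network_address) if block.prefixlen == 32 else str(block)
        rules.append(
            f"ipchains -A input -p tcp -s {src} -d 0/0 www -j REDIRECT {squid_port}")
    return rules


def check_coverage(network, excluded):
    """Sanity check before loading the rules: every address in the network
    except the excluded host must match exactly one block, and the excluded
    host must match none. Returns True when the block list is exact."""
    net = ipaddress.ip_network(network, strict=True)
    host = ipaddress.ip_network(excluded, strict=True).network_address
    blocks = exclude_host_blocks(network, excluded)
    for addr in net:
        hits = sum(addr in block for block in blocks)
        if addr == host and hits != 0:
            return False
        if addr != host and hits != 1:
            return False
    return True


if __name__ == "__main__":
    # Constructed input matching the thread: 192.168.1.0/24 minus .195
    for rule in ipchains_redirect_rules("192.168.1.0/24", "192.168.1.195/32"):
        print(rule)
    print("coverage exact:", check_coverage("192.168.1.0/24", "192.168.1.195/32"))
```

The same block list drives the iptables DNAT form above; only the rule template changes.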