• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 283

Linux, ipchains, Squid. Asking for special rule.

target     prot opt     source                destination           ports
REDIRECT   tcp  ------  192.168.1.0/24     anywhere              any ->   www => squid

MASQ all  ------  192.168.1.0/24     anywhere              n/a

I want 192.168.1.195 to go out directly, without being forced through the redirect rule to squid. The short question is how I add the rule that does this.
0
Asked by: DiegoRojas
1 Solution
 
jlevieCommented:
I'm not at all an iptables expert, but I believe that the way to solve the problem is to redirect all except the 1.195 host. Probably something along the lines of:

iptables -t nat -A PREROUTING -s 192.168.1.0/25 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.128/26 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.192 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.193 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.194 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.196 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.197 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
# .198/31 covers .198 and .199, which the blocks above and below leave uncovered
iptables -t nat -A PREROUTING -s 192.168.1.198/31 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.200/29 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.208/28 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.224/27 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80

That should redirect all IPs except 192.168.1.195.
0
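The same exclusion can be computed instead of written by hand. The following is an added example for this thread, not jlevie's or the asker's code: Python's ipaddress module splits 192.168.1.0/24 around 192.168.1.195 into the minimal set of CIDR blocks, and one REDIRECT rule is emitted per block in the ipchains syntax the asker already uses, so no proxy address placeholder is needed.

```python
import ipaddress

def exclude_host(network, host):
    """Minimal CIDR blocks covering `network` with the single address `host` removed.

    This is the computation the hand-written rule list above is doing: split
    the /24 into progressively smaller blocks around the excluded host.
    """
    net = ipaddress.ip_network(network)
    excluded = ipaddress.ip_network(host)  # a bare address becomes a /32
    return sorted(net.address_exclude(excluded))

def redirect_rules(network, host, proxy_port=3128):
    """One ipchains REDIRECT rule per block, in the syntax used in the thread."""
    return [
        f"ipchains -A input -p tcp -s {block} -d 0/0 www -j REDIRECT {proxy_port}"
        for block in exclude_host(network, host)
    ]

def covers_all_but(network, host):
    """Sanity check: the blocks cover every address of the network except `host`."""
    net = ipaddress.ip_network(network)
    covered = {addr for block in exclude_host(network, host) for addr in block}
    wanted = set(net) - {ipaddress.ip_address(host)}
    return covered == wanted

if __name__ == "__main__":
    for rule in redirect_rules("192.168.1.0/24", "192.168.1.195"):
        print(rule)
    print("complete:", covers_all_but("192.168.1.0/24", "192.168.1.195"))
```

For a /24 minus one host the result is eight blocks (a /25, /26, /27, /28, /29, /30, /31 and one /32), and `covers_all_but` confirms that nothing but the excluded host is left out; the check is worth keeping, because a hand-written list is easy to leave with a gap.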
 
MFCRichCommented:
The rules in iptables are applied in order until an ACCEPT, DROP, REJECT or MASQUERADE target is hit.

Put the rule for 192.168.1.195 _before_ the rule for 192.168.1.0/24

0
 
DiegoRojasAuthor Commented:
- jlevie, I understand your point, but I have more than one hundred hosts, so it is not practical.

- MFCRich, yes, I understand I need a rule before the general rule, but what is that rule? I am looking for the syntax, something like:

ipchains -A input -p tcp -s 192.168.1.0/24 && != 192.168.1.195/24 -d 0/0 www -j REDIRECT 3128

This means take the network but not the host and apply the rule.

Thanks.
0
 
jlevieCommented:
The rules that I defined above should account for the entire Class C address space. Those netmasks simply reduce the number of statements required to cover the Class C.
0
 
hnminhCommented:
As MFCRich said, you would need this command:

ipchains -I input 1 -s 192.168.1.195 -d 0/0 -j ACCEPT

or you can rebuild your ipchains by:

ipchains -F
ipchains -A input -s 192.168.1.195 -d 0/0 -j ACCEPT
ipchains -A input -p tcp -s 192.168.1.0/24 -d 0/0 www -j REDIRECT 3128
ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ
0
 
MFCRichCommented:
What hnminh said
0
 
DiegoRojasAuthor Commented:
My problem is solved. The line for each host that is working is:

ipchains -A input -p tcp -s 192.168.1.x -d 0/0 www -j REDIRECT 3128

where 0 < x <= 254, and no rule for 192.168.1.195

I did the rebuild the way hnminh suggests, together with MFCRich's rule, but it did not work. Please send me another rule to do it without creating a rule for each host.
0
 
MFCRichCommented:
ipchains -A input -p tcp -s 192.168.1.195 --dport www -j ACCEPT
ipchains -A input -p tcp -s 192.168.1.0/24 --dport www -j REDIRECT 3128
ipchains -A forward -s 192.168.1.0/24 -j MASQ


NOTE: The rule in the forward chain covers your entire internal network. You may want to refine it if there are some machines you don't want to connect to the net at all.
0
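To see why the order of those two input-chain rules matters, here is an added Python model of first-match traversal, constructed for this thread and not MFCRich's code or anything from ipchains itself. It walks a rule list top-down the way ipchains walks a chain and returns the target of the first matching rule (or the chain policy when nothing matches), so the same two rules give a different answer for 192.168.1.195 depending on which comes first.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str                     # source network in CIDR; a bare address means /32
    target: str                  # ACCEPT, REDIRECT, MASQ, DENY, ...
    proto: Optional[str] = None  # None matches any protocol (like omitting -p)
    dport: Optional[int] = None  # None matches any destination port
    arg: Optional[int] = None    # target argument, e.g. the REDIRECT port

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int

def matches(rule, pkt):
    """Does this rule's selector match the packet (source, protocol, dest port)?"""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def first_match(chain, pkt, policy="ACCEPT"):
    """First-match semantics: the first matching rule with a terminating
    target decides the packet; if none matches, the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target if rule.arg is None else f"{rule.target} {rule.arg}"
    return policy

# The two input-chain rules from the answer above, in the order given there.
CORRECT_ORDER = [
    Rule("192.168.1.195", "ACCEPT", proto="tcp", dport=80),
    Rule("192.168.1.0/24", "REDIRECT", proto="tcp", dport=80, arg=3128),
]
# The same rules with the general /24 rule first: the host-specific rule is shadowed.
WRONG_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    for name, chain in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for host in ("192.168.1.195", "192.168.1.10"):
            print(name, host, "->", first_match(chain, Packet(host, "tcp", 80)))
```

The ACCEPT only ends traversal of the input chain: a packet from 192.168.1.195 still goes on to the forward chain, where the MASQ rule applies to it exactly as it does to every other host, which is the behaviour the asker wants (masqueraded, but not proxied). Traffic to other ports, such as 443, matches neither rule and falls through to the chain policy.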
 
CleanupPingCommented:
DiegoRojas:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
