Solved

Linux, Ipchains,Squid. Asking for special rule.

Posted on 2002-04-26
Last Modified: 2010-03-18
target     prot  opt     source            destination   ports
REDIRECT   tcp   ------  192.168.1.0/24    anywhere      any ->   www => squid
MASQ       all   ------  192.168.1.0/24    anywhere      n/a

I want 192.168.1.195 going directly, without being forced to use the redirect rule to squid. The short question is how I add the rule that does this.
Question by:DiegoRojas
9 Comments
 

Expert Comment

by:jlevie
ID: 6972587
I'm not at all an iptables expert, but I believe that the way to solve the problem is to redirect all except the 1.195 host. Probably something along the lines of:

iptables -t nat -A PREROUTING -s 192.168.1.0/25 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.128/26 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.192 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.193 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.194 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
# .196-.199: the rest of 192.168.1.192/29 once .195 is skipped
iptables -t nat -A PREROUTING -s 192.168.1.196 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.197 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.198 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.199 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.200/29 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.208/28 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.224/27 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80

That should redirect all IP's except 192.168.1.195.
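The split above can be computed instead of worked out by hand. The following is an added example, not jlevie's code and not from the thread: it uses Python's standard ipaddress module to carve any number of exempt hosts (or blocks) out of the /24 with address_exclude, which halves the block containing the host until the host's /32 is isolated and dropped, and then emits one rule per remaining block. It goes slightly beyond the post in that it accepts a list of exemptions rather than one host. The emitted rules use the ipchains REDIRECT form from the question rather than the iptables DNAT form above, so no proxy address is needed; the squid port 3128 is the one the thread uses. The rules are returned as strings for you to run on the firewall.

```python
import ipaddress


def cover_excluding(network, exempt):
    """Minimal list of CIDR blocks that together cover `network` minus every
    host (or block) in `exempt`. Each exemption is carved out with
    ipaddress.address_exclude; blocks that do not contain it are kept as-is."""
    blocks = [ipaddress.ip_network(network, strict=False)]
    for spec in exempt:
        carve = ipaddress.ip_network(spec)          # a bare address becomes a /32
        remaining = []
        for block in blocks:
            if carve.subnet_of(block):
                remaining.extend(block.address_exclude(carve))
            else:
                remaining.append(block)
        blocks = remaining
    return sorted(blocks)


def ipchains_redirect_rules(blocks, squid_port=3128):
    """One ipchains REDIRECT rule per block, in the form used in the question:
    tcp port 80 from the block is sent to the local squid port."""
    rules = []
    for block in blocks:
        # write a /32 as a bare host address, as the thread's own rules do
        src = str(block.network_address) if block.prefixlen == 32 else block.with_prefixlen
        rules.append(f"ipchains -A input -p tcp -s {src} -d 0/0 www -j REDIRECT {squid_port}")
    return rules


def covers(blocks, host):
    """True if `host` falls inside one of the blocks, i.e. would be redirected."""
    ip = ipaddress.ip_address(host)
    return any(ip in block for block in blocks)


if __name__ == "__main__":
    blocks = cover_excluding("192.168.1.0/24", ["192.168.1.195"])
    for line in ipchains_redirect_rules(blocks):
        print(line)
```

For the single exemption in this thread the cover is eight blocks totalling 255 addresses; checking `covers()` for .198 and .199 is a quick way to confirm nothing in the .192/29 was dropped by accident.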
 

Expert Comment

by:MFCRich
ID: 6974039
The rules in iptables are applied in order until an ACCEPT, DROP, REJECT or MASQUERADE target is hit.

Put the rule for 192.168.1.195 _before_ the rule for 192.168.1.0/24

 

Author Comment

by:DiegoRojas
ID: 6975088
-jlevie, I understand your point, but I have more than one hundred hosts, so it is not practical.

-MFCRich, yes, I understand I need a rule before the general rule, but what is that rule? I am looking for the syntax, something like:

ipchains -A input -p tcp -s 192.168.1.0/24 && != 192.168.1.195/24 -d 0/0 www -j REDIRECT 3128

This means: take the network but not the host, and apply the rule.

Thanks.
 

Expert Comment

by:jlevie
ID: 6975163
The rules that I defined above should account for the entire Class C address space. Those netmasks simply reduce the number of statements required to cover the Class C.

 

Expert Comment

by:hnminh
ID: 6975246
As MFCRich said, you would need this command:

ipchains -I input 1 -s 192.168.1.195 -d 0/0 -j ACCEPT

or you can rebuild your ipchains by:

ipchains -F
ipchains -A input -s 192.168.1.195 -d 0/0 -j ACCEPT
ipchains -A input -p tcp -s 192.168.1.0/24 -d 0/0 www -j REDIRECT 3128
ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ
 

Expert Comment

by:MFCRich
ID: 6975457
What hnminh said
 

Author Comment

by:DiegoRojas
ID: 6981943
My problem is solved. The line for each host that is working is:

ipchains -A input -p tcp -s 192.168.1.x -d 0/0 www -j REDIRECT 3128

where 0 < x <= 254, and no rule for 192.168.1.195.

I did the rebuild like hnminh and MFCRich suggest, but it did not work. Please send me another rule to do it without creating a rule for each host.
 

Accepted Solution

by:MFCRich (earned 50 total points)
ID: 6982525
ipchains -A input -p tcp -s 192.168.1.195 --dport www -j ACCEPT
ipchains -A input -p tcp -s 192.168.1.0/24 --dport www -j REDIRECT 3128
ipchains -A forward -s 192.168.1.0/24 -j MASQ


NOTE: The rule in the forward chain covers your entire internal network. You may want to refine it if there are some machines you don't want to connect to the net at all.
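To see why the order of those three lines matters (MFCRich's earlier point that the chain is walked top to bottom and the first terminating match decides), here is an added example that is not part of the thread: a small Python parser for the subset of ipchains syntax used in this thread (both the `--dport www` form of the accepted solution and hnminh's `-d 0/0 www` form), plus a first-match walker that traces constructed packets through the input and forward chains. The packets' destination address, the default ACCEPT policy, and the simplified chain semantics (ACCEPT in input hands the packet on to the forward chain; REDIRECT ends processing in input) are assumptions of this model, not a statement of the kernel's exact behaviour.

```python
import ipaddress
import shlex

# Service names ipchains would resolve via /etc/services; only those used in this thread.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _net(spec):
    """ipchains address spec -> IPv4Network; accepts the short '0/0' form and bare hosts."""
    addr, _, plen = spec.partition("/")
    octets = (addr.split(".") + ["0", "0", "0", "0"])[:4]
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def parse_ipchains(line):
    """Parse one 'ipchains -A ...' / '-I ...' command into a rule dict."""
    toks = shlex.split(line)
    if not toks or toks[0] != "ipchains":
        raise ValueError("not an ipchains command: " + line)
    rule = {"chain": None, "proto": None, "src": "0/0", "dst": "0/0",
            "dport": None, "target": None, "arg": None}
    i = 1
    while i < len(toks):
        opt = toks[i]
        if opt in ("-A", "-I"):
            rule["chain"] = toks[i + 1]
            i += 2
            if opt == "-I" and i < len(toks) and toks[i].isdigit():
                i += 1                      # insertion position; list order is used here
        elif opt == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif opt in ("-s", "-d"):
            rule["src" if opt == "-s" else "dst"] = toks[i + 1]
            i += 2
            if i < len(toks) and not toks[i].startswith("-"):   # '-d 0/0 www' port form
                if opt == "-d":
                    rule["dport"] = _port(toks[i])
                i += 1
        elif opt in ("--dport", "--destination-port"):
            rule["dport"] = _port(toks[i + 1])
            i += 2
        elif opt == "-j":
            rule["target"] = toks[i + 1]
            i += 2
            if i < len(toks) and not toks[i].startswith("-"):   # e.g. the REDIRECT port
                rule["arg"] = toks[i]
                i += 1
        else:
            raise ValueError("unsupported option " + opt)
    return rule


def matches(rule, pkt):
    return (ipaddress.ip_address(pkt["src"]) in _net(rule["src"])
            and ipaddress.ip_address(pkt["dst"]) in _net(rule["dst"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["dport"] in (None, pkt["dport"]))


def walk(rules, chain, pkt, policy="ACCEPT"):
    """First matching rule in `chain` wins; every target in this thread is terminating."""
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            return r["target"] if r["arg"] is None else f"{r['target']} {r['arg']}"
    return policy


def trace(lines, pkt):
    """Verdict per chain: input first, forward only if input let the packet through."""
    rules = [parse_ipchains(line) for line in lines]
    verdict = {"input": walk(rules, "input", pkt)}
    if verdict["input"] == "ACCEPT":
        verdict["forward"] = walk(rules, "forward", pkt)
    return verdict


def packet(src, dport=80, proto="tcp", dst="203.0.113.10"):
    """Constructed packet; 203.0.113.10 is a documentation address standing in for a web site."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# The accepted solution as posted, and the same lines with the first two swapped.
ACCEPTED = [
    "ipchains -A input -p tcp -s 192.168.1.195 --dport www -j ACCEPT",
    "ipchains -A input -p tcp -s 192.168.1.0/24 --dport www -j REDIRECT 3128",
    "ipchains -A forward -s 192.168.1.0/24 -j MASQ",
]
WRONG_ORDER = [ACCEPTED[1], ACCEPTED[0], ACCEPTED[2]]

if __name__ == "__main__":
    for name, rules in (("accepted", ACCEPTED), ("wrong order", WRONG_ORDER)):
        for src in ("192.168.1.195", "192.168.1.10"):
            print(name, src, trace(rules, packet(src)))
```

With the rules in the accepted order, port 80 from 192.168.1.195 is ACCEPTed in input and then MASQueraded in forward, while the same packet from any other host in the /24 hits REDIRECT 3128; swap the first two lines and .195 is redirected too, because the /24 rule matches it first. The ACCEPT only exempts tcp/80 from .195; its other traffic, and everyone's non-80 traffic, still goes through the forward MASQ rule, which is the point of MFCRich's note.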