asked on

Linux, Ipchains,Squid. Asking for special rule.

target prot opt source destination ports
REDIRECT tcp ------ 192.168.1.0/24 anywhere any -> www => squid

MASQ all ------ 192.168.1.0/24 anywhere n/a

i want 192.168.1.195 going directly with out be forced to use the redirect rule to squid. The short question is how i add the rule that does this.

jlevie

I'm not at all an iptables expert, but I believe that the way to solve the problem is to redirect all except the 1.195 host. Probably something along the lines of:

iptables -t nat -A PREROUTING -s 192.168.1.0/25 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.128/26 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.192 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.193 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.194 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.196 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.197 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.200/29 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.208/28 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80
iptables -t nat -A PREROUTING -s 192.168.1.224/27 -p tcp --dport 80 -j DNAT --to 192.168.1.?:80

That should redirect all IP's except 192.168.1.195.

MFCRich

The rules in iptables are applied in order until a ACCEPT, DROP, REJECT or MASQUERADE target is hit.

Put the rule for 192.168.1.195 _before_ the rule for 192.168.1.0/24

DiegoRojas

ASKER

-Jlevie i understand your point but i have more than one hundred hosts so it is not practical.

-MfcRich, yes i understand i need a rule before the general rule, but what is that rule?. I am looking for the syntax something like:

ipchains -A input -p tcp -s 192.168.1.0/24 && != 192.168.1.195/24 -d 0/0 www -j REDIRECT 3128

This means take the network but not the host and apply the rule.

Thanks.

jlevie

The rules that I defined above should account for the entire Class C address space. Those netmasks simply reduce the number of statments required to cover the Class C.

hnminh

As MFCRich said, you would need this command:

ipchains -I input 1 -s 192.168.1.195 -d 0/0 -j ACCEPT

or you can rebuild your ipchains by:

$ipchains -F
$ipchains -A input -s 192.168.1.195 -d 0/0 -j ACCEPT
$ipchains -A input -p tcp -s 192.168.1.0/24 -d 0/0 www -j REDIRECT 3128
$ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ

MFCRich

What hnminh said

DiegoRojas

ASKER

My problem is solved. The line for each host that is working is:

ipchains -A input -p tcp -s 192.168.1.x -d 0/0 www -j REDIRECT 3128

where 254<=x>0, and no rule for 192.168.1.195

i did the rebuild like hnminh suggests with mfcrich but id did not work. Please send me another rule to do it with out create a rule for each host.

ASKER CERTIFIED SOLUTION

MFCRich

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

CleanupPing

DiegoRojas:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.