  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 520

iptables redirection+proxying

Hi,
I have the following configuration:
- OS: RedHat 9
- Firewall (Checkpoint) (internal interface connected to the switch and external interface to the internet)
- Squid with one interface, connected to the firewall (through the switch)
- Clients connected through the switch (LAN) (the same switch the Checkpoint and Squid are connected to)

Now the situation is that my clients can do web browsing through squid; if they access the Checkpoint directly they cannot browse, as only connections proxied through squid are entertained by the Checkpoint. Now the problem is that clients with mail clients (Mozilla Thunderbird) cannot access the mail server, as squid does not support POP and SMTP proxying. Therefore I used 'rinetd', which redirects the POP and SMTP connections from squid to the firewall, and thus they are entertained. But I want to have such behaviour from iptables, i.e. I have implemented some iptables rules on my squid proxy so that whenever it gets POP or SMTP requests they should be redirected to the external server. How is that possible? I am currently using the following rules (192.168.1.102 is squid):

# Forwarding must be enabled on the squid host, or the DNAT/SNAT of client traffic never happens
sysctl -w net.ipv4.ip_forward=1

# Rewrite SMTP connections that clients send to squid's own address so that they go to the external server
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d 192.168.1.102 -p tcp --dport 25 -j DNAT --to-destination externalIP:25

# Allow the rewritten packets to be forwarded (only needed if the FORWARD policy is not ACCEPT)
iptables -A FORWARD -p tcp --dport 25 -d externalIP -j ACCEPT

# Make the forwarded packets leave with squid's address as source, so the Checkpoint accepts them and replies come back to squid
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d externalIP -p tcp --dport 25 -j SNAT --to-source 192.168.1.102

# Loopback traffic; note that the FORWARD rule for lo never matches, since forwarded packets do not arrive on lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT

Thanks
Asked by: maxi82

1 Solution
marxy commented:
That seems like an overkill configuration.
Usually you need no redirects.
Just SNAT port 25 packets on the firewall (I expect that the firewall PC is your default gateway for the internal PCs).
So, use just:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 25 -j SNAT --to externalIP

maxi82 (Author) commented:
My squid's gateway is set to the Checkpoint.
My clients' gateway is set to squid.
Clients are blocked on the Checkpoint.
For clarification, the Checkpoint is a dedicated hardware-based firewall and I want to run iptables on squid.

Thanks

marxy commented:
Then do on squid:
# "! -d" is the current iptables negation syntax; older releases wrote it as "-d ! address"
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.102 -p tcp -m tcp --dport 25 -j SNAT --to external_squid_ip
maxi82 (Author) commented:
marxy, you are not getting my point. My squid is connected to the Checkpoint and I want to proxy SMTP from the squid machine, and the squid machine has only one interface card. The rule you mentioned still does not work for me.

Thanks

marxy commented:
OK, draw the scheme.

Like this:

pc1---\
pc2---+----squid---checkpoint
pc3---/

maxi82 (Author) commented:
[network diagram image, not preserved in the text]

maxi82 (Author) commented:
The firewall shown in red is the Checkpoint and the clients are the systems with their gateway set to squid, while squid's gateway is set to the Checkpoint (red firewall).

marxy commented:
>>> i have implemented some iptable rules on my squid proxy that whenever it gets the pop or smtp requests they should be redirected to external serve
1. Look here. You said the default gateway for your PCs is squid.
2. Then, the thing I think you have is that the Checkpoint is the gateway for squid, isn't it?
3. You want to use the squid PC to masquerade the internal PCs? No problem.

To make it clear:
/etc/init.d/iptables stop
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.102 -p tcp -m tcp --dport 25 -j SNAT --to 192.168.1.102

Let's see where the packets go.
For example, pc1 (say 192.168.1.1) sends a port 25 packet to a host, say 1.1.1.1. It goes to squid, since the default gateway for the PCs is squid.
Squid SNATs (masquerades) this packet and rewrites the source IP address to 192.168.1.102 (as set in our SNAT rule).
Then squid routes this packet to 1.1.1.1 through the Checkpoint, as that is its default gateway.
That's all.

maxi82 (Author) commented:
This makes sense. I will test the rule on Monday (when I will be in my office) and will let you know.

Thanks

maxi82 (Author) commented:
/etc/init.d/iptables stop
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.102 -p tcp -m tcp --dport 22 -j SNAT --to 192.168.1.102

When I changed the above rule for SSH it did not work. Do I have to change other things in it?
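As an added example (not code from the thread), here is the single-SNAT approach from marxy's explanation above, scripted for the one-armed squid host together with the checks a practitioner would run first; the same checks are the first place to look when a different port, such as the port 22 variant in the last comment, is not passed, since the thread states the Checkpoint only entertains connections coming from squid, so the Checkpoint policy must allow that port from squid's address too. The LAN 192.168.1.0/24 and squid address 192.168.1.102 are taken from the thread; the port list, the script name, the environment-variable overrides and the FORWARD rules are assumptions. The SNAT rule generalises the thread's `! -d 192.168.1.102` exclusion to the whole LAN so that any LAN-to-LAN packet that does transit squid is left untouched.

```shell
#!/bin/sh
# Added example, not from the thread: the single-SNAT setup marxy describes,
# as a script for the one-armed squid host, plus the prerequisite checks.
# Assumed addresses (override via environment): LAN 192.168.1.0/24, squid
# 192.168.1.102, Checkpoint = squid's default gateway, clients' default
# gateway = squid. Usage: "sh onearm-snat.sh" prints the rules;
# "sh onearm-snat.sh apply" (as root) installs them.

LAN="${LAN:-192.168.1.0/24}"
SQUID_IP="${SQUID_IP:-192.168.1.102}"
PORTS="${PORTS:-25 110}"   # SMTP, POP3; add 22 only if the Checkpoint allows SSH from SQUID_IP
IPT="${IPT:-iptables}"

# POSTROUTING SNAT rule (arguments only) for one TCP port. Only forwarded
# traffic leaving the LAN is rewritten: "! -d LAN" generalises the thread's
# "! -d 192.168.1.102", so LAN-to-LAN packets are never touched.
snat_rule() {
    printf '%s' "-t nat -A POSTROUTING -s $LAN ! -d $LAN -p tcp --dport $1 -j SNAT --to-source $SQUID_IP"
}

# FORWARD rules for one port, needed when the FORWARD policy is DROP:
# the outbound connection and the replies that belong to it.
forward_rules() {
    printf '%s\n' "-A FORWARD -s $LAN ! -d $LAN -p tcp --dport $1 -j ACCEPT"
    printf '%s\n' "-A FORWARD -d $LAN -p tcp --sport $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Kernel settings a one-armed router needs:
# - ip_forward=1, or nothing is forwarded at all;
# - send_redirects=0, otherwise the host sends each client an ICMP redirect
#   pointing straight at the Checkpoint (the packet leaves on the interface it
#   arrived on), and later packets bypass the SNAT.
sysctl_settings() {
    printf '%s\n' "net.ipv4.ip_forward=1" "net.ipv4.conf.all.send_redirects=0"
}

# Current ip_forward value as the kernel has it (0 when unreadable / not Linux).
current_ip_forward() {
    cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0
}

apply_rules() {
    sysctl_settings | while read -r kv; do sysctl -w "$kv"; done
    for p in $PORTS; do
        # word-splitting of the rule strings is intended; they contain no quoting
        $IPT $(snat_rule "$p")
        forward_rules "$p" | while read -r r; do $IPT $r; done
    done
    $IPT -t nat -L POSTROUTING -n -v   # verify: the SNAT rules and their packet counters
}

case "${1:-}" in
    apply) apply_rules ;;
    *)
        echo "# ip_forward is currently $(current_ip_forward); install the rules below with: $0 apply"
        for p in $PORTS; do
            echo "$IPT $(snat_rule "$p")"
            forward_rules "$p" | while read -r r; do echo "$IPT $r"; done
        done
        ;;
esac
```

Run without arguments the script only prints the rules it would install and the kernel's current ip_forward value; `apply` installs them and lists the POSTROUTING chain with counters, so a second `iptables -t nat -L POSTROUTING -n -v` after a client connection attempt shows whether the packets reached the SNAT rule at all. If the counters increase but the connection still fails, the packets are leaving squid correctly and the drop is upstream, on the Checkpoint.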
