Solved

port forwarding not working

Posted on 2006-06-19
Last Modified: 2012-08-13
Hello,
I'm running a Fedora Core 4 box with iptables, ebtables, and squid. I'm trying to create a transparent proxy/web caching server and cannot get the damn box to forward port 80 requests to squid's default port 3128. I've tried everything and nothing seems to work. I have created a script that I run when I want to enable forwarding, so maybe you guys can find something I am missing. I can browse the web if I configure the web browser to use a specific proxy and port 3128, so I know that squid is configured correctly. I'm also a little confused about whether I need to use ebtables or not. I have seen in some how-tos that with Linux kernel 2.6 ebtables is not needed because you can simply use iptables. I have listed below some of the sites I used and also the script I run to set up the box.
iptables version - iptables v1.3.5
ebtables version - ebtables v2.0.8-rc2 (March 2006)
--------------------------test.sh script-------------------------
echo "1" >/proc/sys/net/ipv4/ip_forward
echo "** Kernel Ip_Forwarding enabled **"
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
echo "** NICS Configured **"
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 (*ip of linux box*) netmask 255.255.224.0 up
route add default gw (*gateway ip*) dev br0
echo "** Bridge Configured **"

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo " ACL's for ebtables and iptables completed. " 
Question by:Sentinel8o
13 Comments
 
LVL 27

Expert Comment

by:Nopius
ID: 16939442
1) You don't need ebtables
2) You should recompile squid with transparent proxy support (./configure --enable-linux-netfilter)
3) Read this howto: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
0
 
LVL 1

Author Comment

by:Sentinel8o
ID: 16942999
I want to be able to drop this Linux box anywhere in my network without having to reconfigure my network, so would this work? The link you provided shows how to set up Linux to act as a router. Doesn't that mean I will have to reconfigure devices wherever I plug it in? I would rather stick with bridging using brctl.
0
 
LVL 1

Author Comment

by:Sentinel8o
ID: 16943639
Now do I need ebtables if I want to bridge the 2 interfaces, or do I still not need ebtables? I was under the impression that since brctl bridges the connection using layer 2, iptables cannot receive the packets, and that's why I needed ebtables. I think my problem might be with my iptables configuration. I have 2 interfaces, eth0 and eth1. eth0 is used to access the internet, while eth1 will be connected to a segment of the network I would like to proxy with squid. Now I assigned an IP address to the virtual interface, called br0, that was created when I bridged the connection using brctl. I'm confused about how exactly to forward to port 3128. Since squid is running on the same machine, should I use something like

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to "ip assigned to br0":3128
or
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 16945508
I have this, and it works perfectly.

iptables -A FORWARD -j ACCEPT -p tcp --dport 1351
iptables -t nat -A PREROUTING  -p tcp -d 200.40.22.12 --dport 1351 -j DNAT  --to 192.168.1.1:22

0
 
LVL 27

Accepted Solution

by:
Nopius earned 1000 total points
ID: 16948510
pablouruguay, your solution is good for routed, not bridged traffic.

Sentinel8o, I see.
You would like to have a bridged transparent proxy, but not a router. I never tried this, but it makes sense.
Did you read http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html to see the iptables/ebtables interaction?

As I understand it, you don't want to change the router configuration or the workstations' configuration, but you would like to turn on your Linux box on the path to the router, like this:

<WS_A> ----\
            \
<WS_B> ---- <SWITCH> ---- eth0  <LINUX>  eth1 ---- <ROUTER> ---- Link to the Internet
            /
<WS_C> ----/

Where WS_? are LAN workstations, LINUX is your caching proxy and ROUTER is a router.

Note on kernel config: 'You must say NO to ``Fast switching'' under Networking Options.'
There are also some tips in the Linux HOWTO specifically for a transparent proxy bridging configuration: http://www.tldp.org/HOWTO/TransparentProxy-7.html. This tip is helpful if you would like to use it as a transparent as well as a normal proxy.

Try these two lines and don't forget to activate http_accel in your squid:
ebtables -t nat -A PREROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -m physdev --physdev-in eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

0
 
LVL 1

Author Comment

by:Sentinel8o
ID: 16951493
Your diagram is correct, except switch the two interfaces around (eth0 is towards the router and eth1 is towards the workstation network segment). I have the httpd_accel options set in the squid config.

When I try to install ebtables-v2.0.6.tar.gz from http://ebtables.sourceforge.net/download.html#latest
I get an error message.
"ebtables-v2.0.6]# make
gcc -Wall -Wunused -DPROGVERSION=\"2.0.6\" -DPROGNAME=\"ebtables\" -DPROGDATE=\"November\ 2003\" -D_PATH_ETHERTYPES=\"/etc/ethertypes\" -c -o getethertype.o getethertype.c -Iinclude/
gcc -Wall -Wunused -DPROGVERSION=\"2.0.6\" -DPROGNAME=\"ebtables\" -DPROGDATE=\"November\ 2003\" -D_PATH_ETHERTYPES=\"/etc/ethertypes\" -c -o ebtables.o ebtables.c -Iinclude/
ebtables.c: In function ‘list_em’:
ebtables.c:583: warning: pointer targets in passing argument 1 of ‘print_mac_and_mask’ differ in signedness
ebtables.c:583: warning: pointer targets in passing argument 2 of ‘print_mac_and_mask’ differ in signedness
ebtables.c:590: warning: pointer targets in passing argument 1 of ‘print_mac_and_mask’ differ in signedness
ebtables.c:590: warning: pointer targets in passing argument 2 of ‘print_mac_and_mask’ differ in signedness
ebtables.c: In function ‘check_rule_exists’:
ebtables.c:1174: error: label at end of compound statement
ebtables.c: In function ‘main’:
ebtables.c:2192: warning: pointer targets in passing argument 2 of ‘get_mac_and_mask’ differ in signedness
ebtables.c:2192: warning: pointer targets in passing argument 3 of ‘get_mac_and_mask’ differ in signedness
ebtables.c:2207: warning: pointer targets in passing argument 2 of ‘get_mac_and_mask’ differ in signedness
ebtables.c:2207: warning: pointer targets in passing argument 3 of ‘get_mac_and_mask’ differ in signedness
make: *** [ebtables.o] Error 1"

Now is this because I'm using Fedora Core 4 or what? Should I use a different distro for this project?





0
 
LVL 27

Expert Comment

by:Nopius
ID: 16981110
I'm sorry for the delay.
Fedora Core 4 has a 2.6.11 kernel, so it's OK to run ebtables on it.
You don't need to install and compile ebtables 2.0.6, it should already be there. You may install 2.0.8-rc2 (from the rpm package).
Maybe you need to recompile the kernel to include bridging options.
0
 
LVL 1

Author Comment

by:Sentinel8o
ID: 16986244
But if ebtables version 2.0.6 is already installed in Fedora Core 4, then why would I get those errors when trying to install? Would it just tell me that it's already installed? Installing ebtables 2.0.8 doesn't give me errors, but I don't think it is working. How would I recompile the kernel to include bridging options?
0
 
LVL 27

Expert Comment

by:Nopius
ID: 16988622
> why would i get those errors when trying to install
Which errors?
These

ebtables.c: In function ‘check_rule_exists’:
ebtables.c:1174: error: label at end of compound statement
...
make: *** [ebtables.o] Error 1"

are not _installation_ errors, but compilation ones.

> Installing ebtable 2.0.8 doesnt give me errors but i dont this it is working.
To be sure, run:
ebtables -t broute -L
ebtables -t filter -L

If both commands work (even if you see empty chains), it's OK, you don't need to recompile the kernel or reinstall ebtables.

0
 
LVL 1

Author Comment

by:Sentinel8o
ID: 17018816
OK, so I got ebtables installed.
I'm following this how-to: http://freshmeat.net/articles/view/1433/
I entered the commands:
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6  \
      --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80  \
      -j REDIRECT --to-port 3128

and I can browse sites but they are not getting cached into squid which leads me to believe that the port forwarding isn’t working
0
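
One way to test the suspicion in the last comment, as an added example that is not part of the original thread: read the packet counter on the REDIRECT rule while a client browses. The function names and the two sample listings are constructed for illustration; on the bridge itself the input would come from `iptables -t nat -L PREROUTING -n -v -x`.

```shell
#!/bin/sh
# Added example: decide from rule counters whether port-80 traffic crossing
# the bridge reaches the REDIRECT rule at all.
# Real use (as root): iptables -t nat -L PREROUTING -n -v -x | diagnose 3128

# Constructed samples of the verbose listing (counters are illustrative).
SAMPLE_IDLE='Chain PREROUTING (policy ACCEPT 5210 packets, 402113 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128'

SAMPLE_HIT='Chain PREROUTING (policy ACCEPT 5210 packets, 402113 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     347    20820 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 tcp dpt:80 redir ports 3128'

# redirect_hits PORT: read a listing on stdin and print the summed packet
# count of every REDIRECT rule that targets PORT, or "none" if there is none.
redirect_hits() {
    awk -v port="$1" '
        $3 == "REDIRECT" && $(NF-1) == "ports" && $NF == port { n += $1; found = 1 }
        END { if (found) print n + 0; else print "none" }
    '
}

# diagnose PORT: map the counter to the next troubleshooting step.
#   no-rule      -> the REDIRECT rule was never loaded
#   not-matching -> rule exists but bridged port-80 traffic never hits it
#                   (look at the ebtables rule and the interface match)
#   matching     -> redirect works; look at squid (transparent support,
#                   httpd_accel options, access.log)
diagnose() {
    hits=$(redirect_hits "$1")
    case "$hits" in
        none) echo "no-rule" ;;
        0)    echo "not-matching" ;;
        *)    echo "matching" ;;
    esac
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_IDLE" | diagnose 3128
printf '%s\n' "$SAMPLE_HIT"  | diagnose 3128
```

A counter that stays at 0 while pages load means the requests are still being bridged straight through, which matches the symptom of browsing that works without anything landing in the cache.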
