Mansoor Nathani
Application for Linux Usenet Proxy. Either Iptables or standalone proxy
I am trying to setup a proxy to a usenet server on a Centos linux box. The box is directly connected to the internet and will be accepting request from multiple dynamic ip addresses. Ideally I would like all requests for port 119 to be taken and passed on to a certain usenet server. This should work transparently for the client as if they were connecting directly to that server.
ASKER CERTIFIED SOLUTION
And also ensure that forwarding is turned on:
/bin/echo 1 >/proc/sys/net/ipv4/ip_forward
Or permanently, edit /etc/sysctl.conf and add:
net.ipv4.ip_forward = 1
As another option, you may configure your own NNTP server (either nntpd: http://www.faqs.org/docs/linux_network/x-087-2-nntp.html or INN: http://www.faqs.org/docs/linux_network/x-087-2-inn.html) that will cache subscribed lists (but it takes a really huge amount of space and network traffic, depending on the number of subscribed lists). So clients will connect to your NNTP server, which will be linked to another one. It also requires knowledge of NNTP configuration and administration.
ASKER
Turned on Forwarding, and the 'iptables -t... destination 10.10.14.2 ' command was successful. How do I open port 119? :
"Also ensure, that port 119 is allowed in a filter table (iptables -L)." ?
Once successful should I see LISTEN for port 119 in netstat -ano?
I've just tested on my server, this works fine:
iptables -t nat -A PREROUTING -p tcp -d 172.16.1.120 --dport 119 -j DNAT --to-destination 10.10.14.2
If it doesn't work, the problem may be in your kernel or in your netfilter package. Are you running on a virtual machine?
Please trace iptables with:
iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --dport 119 -j DNAT --to-destination y.y.y.y
and post trace output here
Once successful should I see LISTEN for port 119 in netstat -ano?
No.
Just try to connect to your server to port 119 from outside.
If it doesn't work, post 'iptables -L' here.
ASKER
I don't get any output for that command.
Are there any log files that I could check?
[root@cent init.d]# iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --dport 119 -j DNAT --to-destination y.y.y.y
[root@cent init.d]# telnet 208.100.59.177 119
Trying 208.100.59.177...
telnet: connect to address 208.100.59.177: Connection refused
And yes this is a Virtual Machine, VPS on Virtuozzo platform
ASKER
[root@cent init.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ASKER
I have this now, but I still can't connect to port 119 from outside.
I used this command:
iptables -A INPUT -p tcp --syn --dport 119 -j ACCEPT
[root@cent init.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:nntp flags:FIN,SYN,RST,ACK/SYN
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ASKER
one thing, the usenet server I want to forward to is an external internet IP, does that change anything?
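Putting the pieces from this thread together for the case just asked about (upstream news server on the internet, not behind this box): an added example, not from the thread or any of its posters, that generates the full rule set, including the MASQUERADE that the return path needs so the server's replies come back through the box and the DNAT is reversed. The interface name eth0 and the addresses used below are assumptions, not values from the thread.

```shell
#!/bin/sh
# Hypothetical helper (added example): emit the commands for a transparent
# TCP/119 redirect. Arguments: this box's external IP, the upstream NNTP
# server IP, and the internet-facing interface (default eth0, an assumption).
# Without the POSTROUTING MASQUERADE, the news server would answer the
# client directly from its own address and the client would drop the reply.
nntp_proxy_rules() {
    ext_ip=$1
    nntp_ip=$2
    iface=${3:-eth0}
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -p tcp -d $ext_ip --dport 119 -j DNAT --to-destination $nntp_ip:119
iptables -t nat -A POSTROUTING -o $iface -p tcp -d $nntp_ip --dport 119 -j MASQUERADE
iptables -A FORWARD -i $iface -o $iface -p tcp -d $nntp_ip --dport 119 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $iface -o $iface -p tcp -s $nntp_ip --sport 119 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Run the generated commands as root. Stops at the first failure so a
# half-applied set (DNAT without MASQUERADE) is never left in place.
nntp_proxy_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "nntp_proxy_apply: run as root" >&2; return 1; }
    nntp_proxy_rules "$@" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}
```

Verify the result with `iptables -t nat -L -n` (plain `iptables -L` only shows the filter table), and do not expect a LISTEN entry in netstat: nothing on the box accepts the connection, the kernel only rewrites and forwards it.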
SOLUTION
ASKER
Thanks so much for your help.
Works great now.
ASKER
iptables: Unknown error 4294967295
x.x.x.x: CentOS external IP,
10.10.14.2: usenet server IP.