
Re: iptables redir of 80 to 8080



also sprach dman <dsh8290@rit.edu> [2002.01.04.2111 +0100]:
>     have a web server running on a machine (call it 'A').
>     machine 'A' is also the gateway masquerading connections from the
>         LAN to the DSL provider
>     have 'A' transparently proxy all HTTP requests from the LAN and
>         'A' through squid
>     still allow the LAN and 'A' to access pages coming from 'A'

i'll assume your LAN to be 192.168.1.0/24, and i assume A to be at
192.168.1.1. furthermore, should A be accessible from the outside? if
yes, then you have a problem if you have a dynamic IP.

you can't easily proxy the requests from A. first of all, they are
already at A, so essentially you can't pass them through squid. it's
surely possible (with IP aliases for instance), but it's not really
necessary... A shouldn't be used for anything anyway...

# we create a new chain for transparent proxying. it has to live in the
# nat table, because that's where PREROUTING and REDIRECT are.
iptables -t nat -N transproxy

# any requests from the LAN to port 80 should go into that chain.
# we don't proxy for the outside, and we don't proxy for non-port-80
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.1.0/24 \
  -j transproxy

# if the request is for A, then we simply drop out.
iptables -t nat -A transproxy -d 192.168.1.1/32 -j RETURN

# EXAMPLE: 192.168.1.100 should not be proxied:
# iptables -t nat -A transproxy -s 192.168.1.100/32 -j RETURN

# anything that's in this chain now is eligible for proxying.
iptables -t nat -A transproxy -j REDIRECT --to-ports 8080

that's it...

> It's that last criteria that seems sticky to me.  I don't care if
> squid proxies to the local apache or not.  Perhaps squid could use the
> external interface (since only the lan and loopback ifaces would be
> redirected to the proxy) to access the local apache?

if you want apache at A to be proxied, you simply request the page from
one of the other IPs of A.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
"memory is like an orgasm.
 it's a lot better
 if you don't have to fake it."
                          -- seymour cray commenting on virtual memory
 
"but virtual memory still gets the job done."
                                                                 -- gr
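The rule logic from the message above, as an added example that is not part of the original mail (and not iptables code): a small Python model of nat PREROUTING jumping into the transproxy chain, with RETURN and REDIRECT semantics, so the rule ordering and the "A's own requests never pass PREROUTING" caveat can be checked without a live firewall. The LAN 192.168.1.0/24 and A at 192.168.1.1 are taken from the post; the packet addresses, and the names `build_nat_chains`, `walk`, `redirect_port` and `Packet`, are this example's own constructions.

```python
# Added example (not from the original message): model how the nat-table
# rules above classify packets.  All packets below are constructed samples.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")   # the LAN assumed in the post
A = ipaddress.ip_address("192.168.1.1")         # gateway / web server 'A'
SQUID_PORT = 8080                                # squid's transparent port


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    # Packets that A generates itself traverse nat OUTPUT, never PREROUTING,
    # which is why the post says A's own requests can't easily be proxied.
    locally_generated: bool = False


# A rule is (match predicate, (target, argument)).  Targets modelled:
# JUMP <chain>, RETURN, REDIRECT <port>.  A chain is an ordered rule list.
Rule = Tuple[Callable[[Packet], bool], Tuple[str, object]]


def build_nat_chains(exempt_hosts=()) -> Dict[str, List[Rule]]:
    """Mirror the rules from the message; exempt_hosts models the
    commented-out 'EXAMPLE' RETURN line for hosts that must not be proxied."""
    transproxy: List[Rule] = [
        # if the request is for A, drop out of the chain (no proxying)
        (lambda p: ipaddress.ip_address(p.dst) == A, ("RETURN", None)),
    ]
    for host in exempt_hosts:
        h = ipaddress.ip_address(host)
        transproxy.append(
            (lambda p, h=h: ipaddress.ip_address(p.src) == h, ("RETURN", None)))
    # the catch-all REDIRECT must stay last; anything reaching it is proxied
    transproxy.append((lambda p: True, ("REDIRECT", SQUID_PORT)))
    return {
        "PREROUTING": [
            # only LAN sources and only tcp/80 go into transproxy
            (lambda p: p.proto == "tcp" and p.dport == 80
                       and ipaddress.ip_address(p.src) in LAN,
             ("JUMP", "transproxy")),
        ],
        "transproxy": transproxy,
    }


def walk(chains, chain: str, p: Packet) -> Optional[int]:
    """Evaluate a packet against a chain; return the redirect port or None."""
    for match, (target, arg) in chains[chain]:
        if not match(p):
            continue
        if target == "RETURN":
            return None          # back to the caller (or the built-in policy)
        if target == "REDIRECT":
            return arg           # terminating target: dport is rewritten
        if target == "JUMP":
            result = walk(chains, arg, p)
            if result is not None:
                return result    # sub-chain made a terminating decision
            # sub-chain RETURNed or ran out: continue with the next rule here
    return None                  # fell off the end: built-in policy ACCEPT


def redirect_port(chains, p: Packet) -> Optional[int]:
    """Where does this packet's dport end up after the nat table?"""
    if p.locally_generated:
        return None              # goes via nat OUTPUT, where there is no rule
    return walk(chains, "PREROUTING", p)


if __name__ == "__main__":
    chains = build_nat_chains(exempt_hosts=["192.168.1.100"])
    for pkt in [Packet("192.168.1.50", "198.51.100.7", 80),
                Packet("192.168.1.50", "192.168.1.1", 80),
                Packet("192.168.1.100", "198.51.100.7", 80),
                Packet("203.0.113.9", "192.168.1.1", 80),
                Packet("192.168.1.1", "198.51.100.7", 80, locally_generated=True)]:
        print(pkt.src, "->", pkt.dst, pkt.dport, "=>", redirect_port(chains, pkt))
```

Only the first packet (a LAN host fetching an outside page) lands on 8080; requests for A, from an exempted host, from the outside, or generated by A itself all pass through untouched, which is the behaviour the rules above are meant to give.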
