[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables redir of 80 to 8080

also sprach dman <dsh8290@rit.edu> [2002.01.04.2111 +0100]:
>     have a web server running on a machine (call it 'A').
>     machine 'A' is also the gateway masquerading connections from the
>         LAN to the DSL provider
>     have 'A' transparently proxy all HTTP requests from the LAN and
>         'A' through squid
>     still allow the LAN and 'A' to access pages coming from 'A'

i'll assume your LAN to be, and i assume A to be at furthermore, should A be accessible from the outside? if
yes, then you have a problem if you have a dynamic IP.

you can't easily proxy the requests from A. first of all, they are
already at A, so essentially you can't pass them through squid. it's
surely possible (with IP aliases for instance), but it's not really
necessary... A shouldn't be used for anything anyway...

# we create a new chain for transparent proxying
iptables -N transproxy

# any requests from the LAN to port 80 should go into that chain.
# we don't proxy for the outside, and we don't proxy for non-port-80
iptables -t nat -A PREROUTING -p tcp --dport 80 -s \
  -j transproxy

# if the request if for A, then we simply drop out.
iptables -A transproxy -d -j RETURN

# EXAMPLE: should not be proxied:
# iptables -A transproxy -s -j RETURN

# anything that's in this chain now is elligible for proxying.
iptables -A transproxy -j REDIRECT --to-ports 8080

that's it...

> It's that last criteria that seems sticky to me.  I don't care if
> squid proxies to the local apache or not.  Perhaps squid could use the
> external interface (since only the lan and loopback ifaces would be
> redirected to the proxy) to access the local apache?

if you want apache at A to be proxied, you simply request the page from
one of the other IPs of A.

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
"memory is like an orgasm.
 it's a lot better
 if you don't have to fake it."
                          -- seymour cray commenting on virtual memory
"but virtual memory still gets the job done."
                                                                 -- gr

Attachment: pgpRoSxLRJ4ki.pgp
Description: PGP signature

Reply to: