Re: iptables redir of 80 to 8080

Thanks.

On Sat, Jan 05, 2002 at 06:36:01PM +0100, martin f krafft wrote:
| thus spoke dman <dsh8290@rit.edu> [2002.01.04.2111 +0100]:
| >     have a web server running on a machine (call it 'A').
| >     machine 'A' is also the gateway masquerading connections from the
| >         LAN to the DSL provider
| >     have 'A' transparently proxy all HTTP requests from the LAN and
| >         'A' through squid
| >     still allow the LAN and 'A' to access pages coming from 'A'
| 
| i'll assume your LAN to be 192.168.1.0/24, and i assume A to be at
| 192.168.1.1. furthermore, should A be accessible from the outside? if
| yes, then you have a problem if you have a dynamic IP.

Yes, I do want you to be able to get to my webserver.  I supposedly
have a dynamic IP (I get it via dhcp) but it hasn't changed ever
(yet).  I understand why that might be a problem, but it may be
workaroundable using devices or names.
I also have a name now (dman.ddts.net)!

| you can't easily proxy the requests from A. first of all, they are
| already at A, so essentially you can't pass them through squid. it's
| surely possible (with IP aliases for instance), but it's not really
| necessary...

Since they're already at A they need to be grabbed at a different
point in the chain.  I'm not sure which point would be correct though.
Perhaps if the request comes from 127.0.0.1 it can be proxied?  (I
hope that's where the request goes through :-))

| A shouldn't be used for anything anyway...

It's my desktop machine.  I don't want to buy another ISA NIC for the
486 clunker I have, so my desktop must serve the masquerading.

| # we create a new chain for transparent proxying (in the nat table,
| # since REDIRECT is only available there)
| iptables -t nat -N transproxy
| 
| # any requests from the LAN to port 80 should go into that chain.
| # we don't proxy for the outside, and we don't proxy for non-port-80
| iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.1.0/24 \
|   -j transproxy
| 
| # if the request is for A, then we simply drop out.
| iptables -t nat -A transproxy -d 192.168.1.1/32 -j RETURN
| 
| # EXAMPLE: 192.168.1.100 should not be proxied:
| # iptables -t nat -A transproxy -s 192.168.1.100/32 -j RETURN
| 
| # anything that's in this chain now is eligible for proxying.
| # (--to-ports needs -p tcp on the rule itself)
| iptables -t nat -A transproxy -p tcp -j REDIRECT --to-ports 8080
| 
| that's it...

Thanks!  I'll save it for when I go back to the manual and actually
try to set this thing up.

| > It's that last criterion that seems sticky to me.  I don't care if
| > squid proxies to the local apache or not.  Perhaps squid could use the
| > external interface (since only the lan and loopback ifaces would be
| > redirected to the proxy) to access the local apache?
| 
| if you want apache at A to be proxied, you simply request the page from
| one of the other IPs of A.

I'd have to, right?  If all requests coming from the LAN are
redirected to squid, the only way they can get to apache is through
squid.

-D

-- 

If anyone would come after me, he must deny himself and take up his
cross and follow me.  For whoever wants to save his life will lose it,
but whoever loses his life for me and for the gospel will save it.  What
good is it for a man to gain the whole world, yet forfeit his soul?  Or
what can a man give in exchange for his soul?
        Mark 8:34-37
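Added example, not code from either poster: the rule set the thread arrives at, extended to the case dman asks about, A's own requests, which never traverse PREROUTING and have to be caught in the nat OUTPUT chain instead (with squid's own fetches excluded so they do not loop). Assumed values: LAN 192.168.1.0/24, A at 192.168.1.1, squid on port 8080 running as user `proxy`; `IPT` defaults to `echo iptables` so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Transparent squid redirect for the
# setup discussed above: LAN clients are caught in nat/PREROUTING, A's own
# requests in nat/OUTPUT (locally generated packets never pass PREROUTING).
IPT="${IPT:-echo iptables}"   # set IPT=iptables (as root) to really apply
LAN=192.168.1.0/24            # assumed LAN
A=192.168.1.1                 # assumed address of gateway / web server A
SQUID_PORT=8080               # port squid listens on
SQUID_USER=proxy              # assumed uid squid runs as

transproxy_rules() {
    # Everything lives in the nat table: REDIRECT is only valid there, and
    # a user chain jumped to from nat/PREROUTING must itself be a nat chain.
    $IPT -t nat -N transproxy

    # Order matters: the RETURNs must come before the REDIRECT, otherwise
    # requests for A's own apache would be handed to squid as well.
    $IPT -t nat -A transproxy -d "$A"/32 -j RETURN
    $IPT -t nat -A transproxy -d 127.0.0.0/8 -j RETURN
    # --to-ports requires -p tcp on the rule itself.
    $IPT -t nat -A transproxy -p tcp -j REDIRECT --to-ports "$SQUID_PORT"

    # LAN clients: their packets traverse PREROUTING on A.
    $IPT -t nat -A PREROUTING -p tcp --dport 80 -s "$LAN" -j transproxy

    # A's own browsers: locally generated packets traverse OUTPUT instead.
    # Squid's outbound fetches run as $SQUID_USER and must be excluded, or
    # they would be redirected straight back into squid in a loop.
    $IPT -t nat -A OUTPUT -p tcp --dport 80 \
        -m owner ! --uid-owner "$SQUID_USER" -j transproxy
}

transproxy_rules
```

Run it once as printed to review the rules, then with `IPT=iptables` to load them; `iptables -t nat -L transproxy -n` shows the chain order afterwards.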