[Nottingham] some iptables magic required

Duncan John Fyfe djf at star.le.ac.uk
Tue Jan 4 11:48:33 GMT 2005


On Wed, 29 Dec 2004, Michael wrote:

> Hi All,
>
> One problem remains and I'm sure there's a good answer for it: the
> machines on my LAN aren't able to establish connections with the web
> server when using the proper externally-resolved names due to the
> iptables rules or NAT on the firewall/gateway/DNS machine. What is the
> magic mantra to add to my script that would point my internal clients
> back onto the LAN?
> OK, my version is the same as this but with a few ports forwarded and
> some extra logging. Briefly, it allows all (useful) outgoing
> connections, blocks all incoming apart from a few incoming ports,
> nothing fancy. After googling around for a while I found the following
> mantra: -
>
<snip>
> iptables -A PREROUTING -t nat -p tcp -d $OUTSIDE_IP --dport 80 -j DNAT --to $WEB_SERVER:80
>
> iptables -A FORWARD -p tcp -d $WEB_SERVER --dport 80 -j ACCEPT
>
> iptables -A POSTROUTING -t nat -p tcp -s $INSIDE_NETWORK/24 -d $WEB_SERVER --dport 80 -j SNAT --to $INSIDE_IP
>
> So I assume I need to intervene prior to allowing all outgoing traffic,
> add a rule to PREROUTING where the destination is port 80 on our
> external IP and nat to the web server port 80. Then, add forwarding and
> postrouting rules. One potential problem is that, so far, the script has
> no implicit knowledge of the external IP (assigned by NTL cable modem
> via DHCP) or subnetwork definition as used by the above.

I've not done it myself but have a look at the iptables rules people use
to get Squid redirected and working 
(eg.  http://www.tldp.org/HOWTO/TransparentProxy-6.html ).  At least
the examples look adaptable.

Have fun,
Duncan
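The three-rule "hairpin NAT" (NAT loopback) pattern quoted above, plus the missing piece Michael asks about (learning the DHCP-assigned external address at run time), as an added worked example. This script is not from the thread or either poster; the interface name eth0, the addresses 192.168.1.0/24, 192.168.1.1 and 192.168.1.10, and the constructed `ip addr` sample line are assumptions for illustration. It generates the rules as text so they can be inspected or tested without touching the firewall, and only applies them when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin / NAT-loopback rules for a
# gateway whose external address comes from DHCP. Assumed names: uplink
# eth0, LAN 192.168.1.0/24, gateway LAN address 192.168.1.1, web server
# 192.168.1.10. Adjust to taste.

# Extract the first IPv4 address from the one-line-per-address output of
# `ip -4 -o addr show dev <iface>`. Reads stdin so it can be tested offline.
ip_from_addr_output() {
  # sample line: "2: eth0    inet 81.2.3.4/24 brd 81.2.3.255 scope global dynamic eth0\ ..."
  sed -n 's|.*inet \([0-9.]*\)/.*|\1|p' | head -n 1
}

# Read the current external address of the uplink when the script runs
# instead of hard-coding it; rerun the script from the DHCP client hook
# (e.g. dhclient-exit-hooks) so the rules follow a lease change.
outside_ip() {
  ip -4 -o addr show dev "$1" | ip_from_addr_output
}

# Print the three hairpin rules for one forwarded TCP port.
# Usage: hairpin_rules OUTSIDE_IP INSIDE_IP INSIDE_NET WEB_SERVER PORT
#
# 1. PREROUTING sees packets arriving on every interface, so a LAN client
#    connecting to the public address is DNATed to the server just like an
#    internet client.
# 2. The FORWARD accept must sit before the script's catch-all DROP/REJECT
#    in FORWARD, otherwise the redirected connection is dropped.
# 3. SNAT only for LAN-sourced traffic: without it the server would answer
#    the LAN client directly from its own address, the client expects the
#    reply from OUTSIDE_IP, and the handshake fails. The price is that the
#    web server's logs show the gateway's address for LAN clients.
hairpin_rules() {
  out=$1 in_ip=$2 net=$3 web=$4 port=$5
  cat <<EOF
iptables -t nat -A PREROUTING -p tcp -d $out --dport $port -j DNAT --to-destination $web:$port
iptables -A FORWARD -p tcp -d $web --dport $port -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s $net -d $web --dport $port -j SNAT --to-source $in_ip
EOF
}

# Apply only when explicitly asked, so the file can be sourced for testing
# or run plainly to print the rules for review.
if [ "${APPLY:-0}" = 1 ]; then
  OUT_IF=${OUT_IF:-eth0}
  hairpin_rules "$(outside_ip "$OUT_IF")" 192.168.1.1 192.168.1.0/24 192.168.1.10 80 | sh -e
else
  hairpin_rules "${OUTSIDE_IP:-81.2.3.4}" 192.168.1.1 192.168.1.0/24 192.168.1.10 80
fi
```

Run it without arguments to see the rules it would add; run `APPLY=1 OUT_IF=eth0 sh hairpin.sh` to install them. If the SNAT's effect on the server's access logs matters, the alternative is split-horizon DNS (the internal resolver answers the public name with the LAN address), which needs no hairpin rules at all.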


