On (09/01/08 20:24), Darragh said:
> Here is a rule that I've created to only allow one IP to access the server
> from port 80. I'd rather let all public IPs access it, but the src range
> didn't work and neither did source !xxxx, so for testing I decided to give
> this a try.
<snip>
> iptables -A PREROUTING -t nat -p tcp -s !192.168.2.0/24 --dport 80 -j REDIRECT --to-ports 80
<snip>
> iptables -A PREROUTING -t nat -p tcp -s xxx.xxx.xxx.xxx --dport 80 -j REDIRECT --to-ports 80
<snip>
> iptables -A PREROUTING -t nat -p tcp --source-range 192.168.2.0-192.168.2.254 --dport 80 -j REDIRECT --to-ports 80
Going by what you said, you want all external IPs to have direct access to
port 80 on this machine, but all internal machines looking for port 80
(except on this machine) should be redirected through Squid on 3128. If
this is what you want, then the rules are a whole lot simpler than what
you were looking at above.
First, allow everyone access to port 80:
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
Next, redirect all traffic coming in on port 80, going to anywhere but
this IP to Squid:
iptables -t nat -A PREROUTING -p tcp -s 192.168.2.0/24 -d ! THIS_IP --dport 80 -j REDIRECT --to-port 3128
Replace THIS_IP with the IP of the machine you're running the firewall
on.
This hasn't been tested, but it should cover the basics of what you want.
Once you understand it, iptables is quite easy to use.
--
John Madden -- john at jmadden.eu
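As an added illustration (not part of John's post or the list's own material), a small Python model of the two rules above, with THIS_IP set to a constructed 192.168.2.1 and constructed sample flows, showing which packets the nat/PREROUTING rule hands to Squid, which reach port 80 directly, and which land on INPUT with a port the posted ACCEPT rule does not open:

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed values for the model: the firewall/Squid box's own address
# (THIS_IP is only a placeholder in the post) and the LAN the rule matches.
THIS_IP = ipaddress.ip_address("192.168.2.1")
LAN = ipaddress.ip_network("192.168.2.0/24")
SQUID_PORT = 3128

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def nat_prerouting(pkt: Packet) -> Packet:
    """Model of: iptables -t nat -A PREROUTING -p tcp -s 192.168.2.0/24
    -d ! THIS_IP --dport 80 -j REDIRECT --to-port 3128
    REDIRECT rewrites the destination to the firewall itself and the port
    to 3128; any packet that does not match passes through untouched."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src in LAN and dst != THIS_IP and pkt.dport == 80:
        return replace(pkt, dst=str(THIS_IP), dport=SQUID_PORT)
    return pkt

def filter_decision(pkt: Packet) -> str:
    """Deliver the post-NAT packet to INPUT (local) or FORWARD, then apply:
    iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
    Only port 80 is opened by that rule, so a redirected packet reaches
    INPUT with dport 3128 and still needs its own ACCEPT (or an ACCEPT
    default policy) before Squid ever sees it."""
    if ipaddress.ip_address(pkt.dst) != THIS_IP:
        return "FORWARD"  # not addressed to this host; the two rules do not cover it
    if pkt.dport == 80:
        return "INPUT:ACCEPT"
    return f"INPUT:policy(dport {pkt.dport})"

def trace(src: str, dst: str, dport: int) -> str:
    """Full path of one constructed packet through both rules."""
    return filter_decision(nat_prerouting(Packet(src, dst, dport)))

if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is documentation address space.
    for flow in [("192.168.2.50", "203.0.113.7", 80),    # LAN -> web: to Squid
                 ("192.168.2.50", "192.168.2.1", 80),    # LAN -> this box: direct
                 ("203.0.113.7", "192.168.2.1", 80),     # outside -> this box: direct
                 ("192.168.2.50", "203.0.113.7", 443)]:  # LAN -> https: untouched
        print(flow, "->", trace(*flow))
```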