RE: how to use ipchains (was: Re: File Descriptor patch for Linux 2.0.34)

From: Walter Klomp <walter@dont-contact.us>
Date: Mon, 12 Oct 1998 12:19:58 +0800

Hi guys,

Thanks for your feedback. It did get me one step closer to the solution.

However, I am using cisco redirection as discussed in the FAQ, which works
fine with my old kernel and ipfwadm. With the new kernel and ipchains as you
explained below, it never gets a connection. I guess the cisco is forwarding
it to the kernel 2.1.125, however ipchains doesn't do anything with it...

If I telnet directly into the machine on the specified port 80 it will
redirect to my squid port and answer... Below is my configuration... I use
8080 instead of 3128... and want to redirect 3128, 80 and 8080 all to my
proxy (to prevent my users from using other people's proxies...)

Thanks in advance for any help given...

# set default policies on input/output/forward
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY

# accept all traffic on loopback interface
/sbin/ipchains -A input -i lo -j ACCEPT

# accept my own IP addr to prevent loops
# (repeat for each i/face)
/sbin/ipchains -A input -p tcp -d 203.127.72.4 8080 -j ACCEPT

# transparent redirection
# forward any traffic destined for port 80 to squid on port 8080
/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 8080
/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 3128 -j REDIRECT 8080

Walter.

> -----Original Message-----
> From: lincoln dale [mailto:ltd@interlink.com.au]
> Sent: Sunday, October 11, 1998 1:42 PM
> To: Walter Klomp; Vesa Ruokonen
> Cc: Squid Users
> Subject: how to use ipchains (was: Re: File Descriptor patch for Linux
> 2.0.34)
>
>
> At 12:50 PM 10/11/98 +0800, Walter Klomp wrote:
> >However after I upgraded my RH5.1 to 2.1.125 now my transparent proxy
> >doesn't work anymore. No matter what I try to enable in the
> kernel, ipfwadm
> >doesn't work anymore. Says this:
>
> with linux kernels > 2.1.101, you'll have to use "ipchains" instead of
> "ipfwadm" (ipfwadm having been deprecated).
>
> follow the documentation at
> http://www.adelaide.net.au/~rustcorp/linux/ipchains/ for packages to
> get/install, then use layer-4 redirection rules as follows:
>
> # flush rules
> /sbin/ipchains -F
>
> # set default policies on input/output/forward
> /sbin/ipchains -P input ACCEPT
> /sbin/ipchains -P output ACCEPT
> /sbin/ipchains -P forward DENY
>
> # accept all traffic on loopback interface
> /sbin/ipchains -A input -i lo -j ACCEPT
>
> # accept my own IP addr to prevent loops
> # (repeat for each i/face)
> /sbin/ipchains -A input -p tcp -d YOURIP 3128 -j ACCEPT
>
> # transparent redirection
> # forward any traffic destined for port 80 to squid on port 3128
> /sbin/ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 3128
>
> cheers,
>
> lincoln.
>
> --
> lincoln dale e: (wk) ltd@telstra.net (hm) ltd@interlink.com.au
>
> "After Layer 3, it's only really a matter of how deep into a packet you
> look, and how the information is used. Soon we may be hearing of new
> devices that take advantage of the two new OSI layers: 8 (politics)
> and 9 (religion)" -- Metz @ Strategic Net Consulting
>
>
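The rulesets in the thread above are written out by hand for one interface and one or two client ports. The script below is an added example (not Walter's or Lincoln's configuration, and not part of the squid project) that generates the same kind of ipchains transparent-redirect ruleset for any number of local addresses and client ports, which is what "repeat for each i/face" and "redirect 3128, 80 and 8080 all to my proxy" call for. It keeps the ordering that matters in ipchains, where the first matching rule wins: the ACCEPT rules for the proxy port on the box's own addresses must be loaded before any REDIRECT rule, otherwise a client connecting straight to squid on 8080 (or a redirected packet itself) would be redirected again. The addresses 203.127.72.4 (from the thread) and 192.0.2.1 (a documentation address) and the function names are constructed for this example; the ruleset is printed rather than loaded unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Generates an ipchains ruleset that redirects several client ports to a
# local squid port, with loop-prevention rules loaded first.

PROXY_PORT=8080
# One address per interface (the "repeat for each i/face" rule).
# 203.127.72.4 is from the thread; 192.0.2.1 is a constructed placeholder.
LOCAL_IPS="203.127.72.4 192.0.2.1"
# Ports clients may try to use for HTTP or for other people's proxies.
CLIENT_PORTS="80 3128 8080"
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# build_rules prints one ipchains command per line, in load order.
build_rules() {
  echo "$IPCHAINS -F input"
  echo "$IPCHAINS -P input ACCEPT"
  echo "$IPCHAINS -P output ACCEPT"
  echo "$IPCHAINS -P forward DENY"
  # Loopback: a rule without -j only counts packets, so -j ACCEPT is required.
  echo "$IPCHAINS -A input -i lo -j ACCEPT"
  # Loop prevention: traffic already addressed to squid on our own
  # addresses must be accepted before any REDIRECT rule can match it.
  for ip in $LOCAL_IPS; do
    echo "$IPCHAINS -A input -p tcp -d $ip $PROXY_PORT -j ACCEPT"
  done
  # Transparent redirection of every client port to the proxy port.
  for port in $CLIENT_PORTS; do
    echo "$IPCHAINS -A input -p tcp -d 0.0.0.0/0 $port -j REDIRECT $PROXY_PORT"
  done
}

# check_order exits 0 when every proxy-port ACCEPT rule precedes the first
# REDIRECT rule, 1 if a loop-prevention rule would be shadowed.
check_order() {
  build_rules | awk -v p="$PROXY_PORT" '
    /-j REDIRECT/ { seen_redirect = 1 }
    $0 ~ (" " p " -j ACCEPT") && seen_redirect { bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# load_rules prints the ruleset (DRY_RUN=1, the default) or executes it.
load_rules() {
  check_order || { echo "rule order would create a redirect loop" >&2; return 1; }
  if [ "${DRY_RUN:-1}" = 1 ]; then
    build_rules
  else
    build_rules | sh -e
  fi
}
```

Run it with `DRY_RUN=1 . ./redirect.sh; load_rules` to review the commands before loading them on the box; `check_order` is worth keeping even after editing the lists by hand, since the symptom of getting the order wrong is squid connecting to itself rather than an error from ipchains.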
Received on Sun Oct 11 1998 - 21:22:08 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:42:25 MST