Re: [squid-users] transparent proxy with server box itself: SOLVED!!!

From: Sergio Belkin <sekinmor@dont-contact.us>
Date: Thu, 4 Mar 2004 17:02:46 +0100

On Thursday 04 March 2004 07:56, Henrik Nordstrom wrote:
>HN On Wed, 3 Mar 2004 mrflora@cwazy.co.uk wrote:
>HN
>HN > When I lsmod, I see ipnat among the loaded modules. Does this mean
>HN > that local NAT is enabled?
>HN
>HN No, it just means that NAT is.
>HN
>HN There is a special kernel compile option required if you want to enable
>HN NAT of locally initiated connections. If this option is not enabled (the
>HN default) then the netfilter/iptables NAT code assumes you do not need
>HN this and "cheats" a little on locally initiated traffic.
>HN
>HN Regards
>HN Henrik
>HN
I have solved the problem. Thank you for your help. I set these rules:
# Exempt squid's own outgoing port-80 connections first, so they are not
# sent back to squid (rules are appended with -A, so the order matters):
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
# Everything else leaving this box for port 80 goes to the local squid:
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128

As I supposed, it could not be PREROUTING because that chain will never match
a packet outgoing from the firewall/proxy box itself. It was only possible
through the OUTPUT chain.
The iptables man pages say:

    "nat    This table is consulted when a packet that creates a new
            connection is encountered. It consists of three built-ins:
            PREROUTING (for altering packets as soon as they come in),
            OUTPUT (for altering locally-generated packets before
            routing), and POSTROUTING (for altering packets as they are
            about to go out)."

The well-known documentation tells us the same, for example the Oskar
Andreasson iptables tutorial.
The following web page also helped me:
http://www.linux-bulgaria.org/lug-bg-list/archive/2003/Jun/0253.html

Note that "!" cannot be used with the owner module, so I reverted the rule.
As you may think, doing NAT, transparent proxying and firewalling on the box
itself is not so useful. But I think it is interesting to learn a little more
about iptables and the squid proxy-cache.
Also, Henrik has said that a special kernel option is necessary. I could
include the running kernel config (but the size is 50 kb, and I don't know if
attachments are allowed on this mailing list), but the lsmod output is:
Module                  Size  Used by    Not tainted
lp                      8160   0
parport_pc             25544   1
parport                34472   1  [lp parport_pc]
i810_audio             25692   2
ac97_codec             15828   0  [i810_audio]
soundcore               6340   0  [i810_audio]
af_packet              14856   1  (autoclean)
sr_mod                 19384   2  (autoclean)
floppy                 55932   2
ipt_owner               1944   1  (autoclean)
iptable_nat            20814   1  (autoclean)
ip_conntrack           26468   1  (autoclean) [iptable_nat]
iptable_mangle          2712   0  (autoclean) (unused)
iptable_filter          2316   0  (autoclean) (unused)
ip_tables              15072   6  [ipt_owner iptable_nat iptable_mangle iptable_filter]
8139too                17384   1  (autoclean)
mii                     3864   0  (autoclean) [8139too]
nls_iso8859-15          4060   1  (autoclean)
nls_cp850               4284   1  (autoclean)
vfat                   11820   1  (autoclean)
fat                    38040   0  (autoclean) [vfat]
supermount             84032   2  (autoclean)
ide-cd                 33956   0
cdrom                  32608   0  [sr_mod ide-cd]
ide-scsi               11376   1
scsi_mod              106176   2  [sr_mod ide-scsi]
usb-ohci               21080   0  (unused)
usbcore                74988   1  [usb-ohci]
rtc                     9004   0  (autoclean)
ext3                   60048  11
jbd                    39264  11  [ext3]

Thank you again, and I hope that info may be useful for everyone.
This list seems cool ;)
Sergio

-- 
Download the manual for new GNU/Linux users from
http://www.solar.org.ar/article.php3?id_article=28
Received on Thu Mar 04 2004 - 12:56:30 MST
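The point of the two rules in the message above is their order: the owner ACCEPT for squid must be evaluated before the DNAT, or squid's own outbound port-80 connections are sent straight back to squid and every request loops. The script below is an added example, not code from Sergio's post or from the Squid project. It emits the two nat OUTPUT rules in the required order and checks an iptables-save dump for that order. The user name "squid", the listener 127.0.0.1:3128 and the two dumps are constructed for the example; uid 23 stands in for the squid user because iptables-save writes the numeric uid, not the name.

```shell
#!/bin/sh
# Added example (not from the original post): generate the nat OUTPUT rules
# for a transparent proxy on the proxy box itself, and check an
# iptables-save dump for the ordering that prevents the redirect loop.
# Assumed names: squid runs as user "squid" and listens on 127.0.0.1:3128.

SQUID_USER="${SQUID_USER:-squid}"
SQUID_ADDR="${SQUID_ADDR:-127.0.0.1:3128}"

# Emit the rules in the order they must be added (-A appends, so order of
# invocation is order of evaluation). The owner ACCEPT has to come first.
gen_rules() {
    printf '%s\n' \
        "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_USER -j ACCEPT" \
        "iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination $SQUID_ADDR"
}

# Read an iptables-save dump on stdin and verify the nat OUTPUT chain: the
# owner ACCEPT for $1 must precede the first port-80 DNAT/REDIRECT.
# $1 is the uid as it appears in the dump. iptables-save writes the numeric
# uid rather than the user name, so on a real box pass "$(id -u squid)".
# Returns 0 when the order is right, 1 when the DNAT would catch squid.
check_dump() {
    awk -v owner="$1" '
        /^\*/           { table = $1 }        # *filter, *nat, *mangle ...
        table != "*nat" { next }              # only the nat table matters
        /^-A OUTPUT /   {
            n++
            if (!acc && $0 ~ ("--uid-owner " owner "( |$)") && $0 ~ /-j ACCEPT/) acc = n
            if (!nat && $0 ~ /--dport 80( |$)/ && $0 ~ /-j (DNAT|REDIRECT)/)       nat = n
        }
        END { if (acc && nat && acc < nat) exit 0; exit 1 }
    '
}

# Constructed sample dumps (not captured from any machine). The filter-table
# rule in GOOD_DUMP must be ignored by the check even though it matches
# port 80 and ACCEPTs.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Same two rules in the wrong order: squid's own requests loop back to it.
LOOP_DUMP='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 23 -j ACCEPT
COMMIT'

check_good() { printf '%s\n' "$GOOD_DUMP" | check_dump 23; }
check_loop() { printf '%s\n' "$LOOP_DUMP" | check_dump 23; }

# On a real box, as root:
#   gen_rules | sh
#   iptables-save | check_dump "$(id -u squid)" && echo "no redirect loop"
```

The check reads the saved table rather than the live counters so it can be run from a cron job or a config-management test without root; the "-m owner" match itself only works in the OUTPUT (and POSTROUTING) chains, which is why the same check would find nothing useful in PREROUTING.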

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:01 MST