AV1611 Posted July 9, 2007

Help! I'm in over my head... I need a set of firewall rules but I don't know how to do them.

I have two NICs in a Linux server:
192.168.0.111 (static)
192.168.5.1 (static, and has a DHCP server)

I figured out how to forward from the second to the first, so the server provides firewalled internet to the second network.

Now, here is what I need to do. I use a program called dansguardian that works with squid and does content filtering, etc. If the 192.168.5.x network does a port 80 request, they get unfiltered internet. If they use the proxy @ port 8080 they get filtered internet.

What I am trying to do now is make a firewall rule that does this: when they request a connection on 192.168.5.x port 80, the firewall forwards the request to 192.168.0.111 port 8080, and the resulting reply from 192.168.0.111 port 8080 is sent back to 192.168.5.x port 80. Now the content filter is transparent.

Any clue how to phrase the rules in iptables syntax? Thanks...
trq Posted July 9, 2007

Sorry, I'm finding it hard to understand your setup / requirement. Which IP address is LAN and which is WAN? Is this a good description of what you want to do?

request: client -> lan interface(port 80) -> wan interface(port 8080) -> web
response: web -> wan interface(port 8080) -> lan interface(port 80) -> client

I'm not sure that you get a choice about which port a web server replies to, and in fact, a typical client should not be expecting a reply on port 80.
solarisuser Posted July 11, 2007

Make sure the clients' internet access is filtered to block all other ports, or a client could use an anonymous proxy on a port like 23 to bypass your content filtering. 23 is reserved for telnet, but anonymous proxies can listen on whatever port they're configured for.
neylitalo Posted July 13, 2007

Something like this ought to do the trick - note that this is completely untested.

# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.0.111:8080
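Putting the thread's pieces together (the DNAT redirect plus solarisuser's advice to block the other outbound ports) as an added example that is not from any poster. It assumes eth1 is the 192.168.5.1 LAN side, eth0 is the 192.168.0.111 side, and dansguardian listens on 8080 on this same server; interface names and the DNS allowance are assumptions, not from the thread.

```shell
#!/bin/sh
# Transparent-proxy rule set for the setup in the thread (added example).
# Assumed (not in the thread): LAN_IF=eth1 is 192.168.5.1, WAN_IF=eth0 is
# 192.168.0.111, dansguardian listens on PROXY_PORT on this host.
# Without APPLY=1 the script only prints the rules for review.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="192.168.5.0/24"
PROXY_IP="192.168.0.111"
PROXY_PORT="8080"

# Emit one iptables command per line.
build_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP
EOF
}
# Notes on the rules above:
# - The DNAT rewrites LAN clients' port-80 traffic to the proxy; because the
#   proxy address is local to this host, the packet is delivered via INPUT,
#   which is why INPUT must accept $PROXY_PORT from the LAN.
# - Connection tracking undoes the DNAT on reply packets, so the client sees
#   replies coming from the original web server on port 80; no reverse rule
#   is needed. The proxy must be configured to accept intercepted requests.
# - The final FORWARD DROP is solarisuser's point: anything not redirected
#   through the filter (e.g. a proxy on port 23) cannot leave the LAN.
#   Only DNS is let through here; widen deliberately, not by default.

apply_rules() {
  build_rules | while IFS= read -r cmd; do
    $cmd
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_rules
else
  build_rules
fi
```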