Como redirecionar para o meu proxy squid usando iptables desde o destino DNAT: somente na tabela nat

Question

Como redirecionar para o meu proxy squid usando iptables desde o destino DNAT: somente na tabela nat

#1 resposta do (4 votos)

1

Eu quero redirecionar o tráfego na minha rede lan através de proxy squid, mas estou tendo alguns problemas com regras iptables .

Quando utilizo a seguinte regra:

# iptables -I FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128

Eu recebo o seguinte erro:

x_tables: ip_tables: DNAT target: only valid in nat table, not filter

Eu tentei usar PREROUTING chain, mas não há nada como isso no meu iptables:

# iptables -I PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128
iptables: No chain/target/match by that name.

Estou usando a versão iptables v.1.4.10

# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
prerouting_rule  all  --  anywhere             anywhere            
zone_lan_prerouting  all  --  anywhere             anywhere            
zone_wan_prerouting  all  --  anywhere             anywhere

meu todo iptables -nLv

root@OpenWrt:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  776 93902 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 3231  164K syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
 7098  429K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7096  429K input      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX udp spt:22509  
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX tcp spts:59000:65399 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX udp spts:49950:65399 
 8271 3071K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
  451 44484 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  451 44484 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   276 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7408  581K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  206 13814 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  206 13814 output     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  446 44208 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  515 43070 zone_lan   all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
 6560  385K zone_wan   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  206 13814 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  203 13301 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination         
 3249  166K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
 3257  198K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3231  164K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 25/sec burst 50 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  515 43070 input_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  515 43070 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   513 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
  515 43070 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
    5   272 reject     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  446 44208 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   272 forwarding_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   272 zone_lan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   64 21010 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
 6496  364K input_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 6496  364K zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  644 57237 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
 6496  364K reject     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

iptables nat squid

por Patryk 16.10.2013 / 15:17

1 resposta

Tags iptables nat squid

Eu quebrei meu openbox menu.xml por engano Exibe o número de bytes, palavras e linhas em um arquivo

score 4 · Answer 1

Você precisa especificar que a regra deve ir para a tabela nat , além disso, os comandos DNAT precisam ir para a cadeia PREROUTING e você precisa ter cuidado para não gerar um loop.

iptables -t nat -I PREROUTING -i br-lan -s ! 192.168.1.196  -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128

A tabela padrão é a tabela filter .

Não se esqueça de que você também precisa do MASQUERADE / SNAT para reescrever o endereço de origem:

iptables -t nat -I POSTROUTING -p tcp --dport 80 -j MASQUERADE

Este HOWTO oferece mais opções e explicações.