Quote:
Originally Posted by sanjee
No, both are on separate systems.
Okay, then forget about REDIRECT; you need DNAT to intercept. I believe you'll also need SNAT/MASQUERADE to make sure the packets from Squid come back through the iptables box (and do not get sent straight to the client box's IP). I've only used Squid and iptables on the same box, so take that with a grain of salt. In any case, if I'm right, you would do it like this:
Code:
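#!/bin/sh
# Gateway firewall that transparently sends LAN web traffic (TCP/80) to a
# Squid proxy running on a *separate* host on the LAN, and masquerades all
# other permitted LAN traffic out the WAN interface.
#
# Run as root on the router box. The script only configures netfilter;
# packet forwarding itself (net.ipv4.ip_forward) must be enabled separately.
#
# Globals (edit to taste):
#   IPT         path to the iptables binary
#   WAN_IFACE   upstream interface
#   LAN_IFACE   interface facing the clients AND the Squid host
#   LAN_NET     client network (CIDR)
#   DNS1/DNS2   the only resolvers clients may reach
#   SQUID_IP    address of the Squid host (must be inside LAN_NET)
#   SQUID_PORT  Squid's listening port
set -eu

IPT="/sbin/iptables"
WAN_IFACE="eth1"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
DNS1="208.67.222.222"
DNS2="208.67.220.220"
SQUID_IP="192.168.1.2"
SQUID_PORT="3128"

# Fail early and loudly rather than half-applying a ruleset.
[ -x "$IPT" ] || { printf '%s: %s not found or not executable\n' "$0" "$IPT" >&2; exit 1; }

# --- default policies -------------------------------------------------------
# Everything inbound to the box and everything forwarded through it is denied
# unless a rule below allows it; the box's own outbound traffic is allowed.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -t nat -P PREROUTING ACCEPT
"$IPT" -t nat -P POSTROUTING ACCEPT
"$IPT" -t nat -P OUTPUT ACCEPT
"$IPT" -t mangle -P PREROUTING ACCEPT
"$IPT" -t mangle -P INPUT ACCEPT
"$IPT" -t mangle -P FORWARD ACCEPT
"$IPT" -t mangle -P OUTPUT ACCEPT
"$IPT" -t mangle -P POSTROUTING ACCEPT
"$IPT" -t raw -P PREROUTING ACCEPT
"$IPT" -t raw -P OUTPUT ACCEPT

# --- start from a clean slate ----------------------------------------------
for table in filter nat mangle raw; do
  "$IPT" -t "$table" -F   # flush all rules
  "$IPT" -t "$table" -X   # delete user-defined chains
done

# --- INPUT: traffic addressed to this box ----------------------------------
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPT" -A INPUT -i lo -j ACCEPT
# Allow LAN hosts to ping the gateway (echo-request only).
"$IPT" -A INPUT -p ICMP -i "$LAN_IFACE" --icmp-type 8 \
  -s "$LAN_NET" -m state --state NEW -j ACCEPT
# Anything else falls through to the DROP policy; log it first.
"$IPT" -A INPUT -j LOG --log-prefix "INPUT DROP: "

# --- FORWARD: traffic routed through this box ------------------------------
"$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Client -> Squid after the PREROUTING DNAT below: the packet enters and
# leaves on LAN_IFACE (hairpin), and the filter table sees the rewritten
# destination, so match on SQUID_IP:SQUID_PORT rather than port 80.
"$IPT" -A FORWARD -p TCP -i "$LAN_IFACE" -o "$LAN_IFACE" -s "$LAN_NET" \
  --dport "$SQUID_PORT" -d "$SQUID_IP" -m state --state NEW -j ACCEPT
# Direct LAN -> WAN: FTP control, POP3, and DNS to the two named resolvers.
# Note there is deliberately no TCP/443 rule here, so HTTPS from the LAN is
# dropped by the FORWARD policy; add one (or proxy it) if that is unwanted.
"$IPT" -A FORWARD -p TCP -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" \
  --dport 21 -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -p TCP -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" \
  --dport 110 -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -p UDP -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" \
  -d "$DNS1" --dport 53 -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -p UDP -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" \
  -d "$DNS2" --dport 53 -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

# --- NAT --------------------------------------------------------------------
# Intercept LAN web traffic and hand it to Squid. The Squid host itself is
# excluded: its own outbound port-80 connections also arrive on LAN_IFACE and
# would otherwise be DNATed straight back to it in a loop.
# (Original used the undefined $SQUID_BOX and the legacy "-s !" form.)
"$IPT" -t nat -A PREROUTING -p TCP -i "$LAN_IFACE" --dport 80 \
  ! -s "$SQUID_IP" -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
# Rewrite the client source to this box's LAN address so Squid's replies are
# routed back through here and the DNAT can be undone. "--dport" requires a
# protocol match, so "-p TCP" is mandatory on this rule. Side effect: Squid
# sees the gateway's address, not the client's, so per-client logging and
# ACLs on the Squid host will not see real client IPs.
"$IPT" -t nat -A POSTROUTING -p TCP -o "$LAN_IFACE" -s "$LAN_NET" \
  --dport "$SQUID_PORT" -d "$SQUID_IP" -j MASQUERADE
# Everything else leaving via the WAN is masqueraded behind the WAN address.
"$IPT" -t nat -A POSTROUTING -o "$WAN_IFACE" -j MASQUERADE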