Hi *,

my gateway works

a) with masquerading
b) as a DNS server for the local clients
c) as a transparent proxy which redirects '-d 0/0:80' to 'localhost:3128'
(Squid)

My question:

I have one rule:

$IPTABLES -A FORWARD -d 11.22.33.44 -j fwd-log
(fwd-log logs to syslog and drops the packet or rejects it if it's tcp)

This should work when a client wants to connect to that IP. It works until I
set up the transparent proxy rule later on in the same script - then it
works for all ports but port 80:

$IPTABLES -t nat -A PREROUTING -s 192.168.42.0/24 -p tcp --dport 80 -i eth0
-j REDIRECT --to-ports 3128

Why is a connection from 192.168.42.0/24 to 11.22.33.44:80 first proxied, so
that the blocking rule has no effect? I can only guess that all packets
first traverse the nat table and then the filter table's FORWARD chain.
What can I do? I tried this:

$IPTABLES -t nat -A PREROUTING -p tcp -d 11.22.33.44 -j REJECT --reject-with
tcp-reset

but it did not work ("invalid argument").
All I want to get is a kind of banner blocker. For this, I must tell the
client with a 'REJECT --reject-with tcp-reset' that the banner server
rejects connections to port 80.

Olaf
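An added example, not Olaf's script, showing one ordering of the rules from the post that keeps the banner host out of the REDIRECT so the packet still reaches filter/FORWARD and the fwd-log chain; it assumes the addresses, interface and ports from the post and runs as a dry run (printing the commands) unless IPTABLES is set to the real binary.

```shell
#!/bin/sh
# Added example (not from the original post). Dry run by default: set
# IPTABLES=/sbin/iptables (as root) to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
LAN=192.168.42.0/24          # local clients, as in the post
LAN_IF=eth0
BANNER=11.22.33.44           # host to block, as in the post
SQUID_PORT=3128

setup_rules() {
    # filter table: log, then reset TCP and drop everything else (the
    # behaviour the post describes for its fwd-log chain)
    $IPTABLES -N fwd-log
    $IPTABLES -A fwd-log -j LOG --log-prefix "fwd-log: "
    $IPTABLES -A fwd-log -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A fwd-log -j DROP
    $IPTABLES -A FORWARD -d "$BANNER" -j fwd-log

    # nat table: PREROUTING is evaluated before the routing decision, so a
    # REDIRECTed packet becomes local traffic (INPUT) and never hits FORWARD.
    # ACCEPT in the nat table means "do no NAT on this packet", so listing
    # the banner host first keeps its real destination and lets FORWARD see it.
    # (REJECT is a filter-table target, which is why it is refused in nat.)
    $IPTABLES -t nat -A PREROUTING -s "$LAN" -d "$BANNER" -p tcp --dport 80 -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -s "$LAN" -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Returns 0 when the dry-run output lists the exclusion rule before the
# REDIRECT rule, i.e. the ordering that makes the block effective on port 80.
exclusion_precedes_redirect() {
    rules=$(setup_rules)
    excl=$(printf '%s\n' "$rules" | grep -n -e "-t nat -A PREROUTING.*-d $BANNER" \
           | head -n 1 | cut -d: -f1)
    redir=$(printf '%s\n' "$rules" | grep -n -e "REDIRECT" | head -n 1 | cut -d: -f1)
    [ -n "$excl" ] && [ -n "$redir" ] && [ "$excl" -lt "$redir" ]
}
```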
