Hi *,
it's funny to reply to my own message...
There's one update:
On one client, browser A uses the proxy on the gateway;
I changed the browser's preferences.
So only INPUT and OUTPUT rules would work, right? No
FORWARD traffic here.
I disabled the transparent proxy feature and installed:
iptables -I FORWARD -d www.sucker.com -j fwd-log
iptables -I FORWARD -s www.sucker.com -j fwd-log
iptables -I OUTPUT -d www.sucker.com -j fwd-log
iptables -I OUTPUT -s www.sucker.com -j fwd-log
iptables -I INPUT -d www.sucker.com -j fwd-log
iptables -I INPUT -s www.sucker.com -j fwd-log
These are more rules than would be necessary, but I
installed them all to be sure...
The effect is: nothing, www.sucker.com loads just fine.
Please tell me: is it a bug, or did I miss something?
Olaf
Olaf Zaplinski wrote:
>
> Hi *,
>
> my gateway works
>
> a) with masquerading
> b) as a DNS server for the local clients
> c) as a transparent proxy which redirects '-d 0/0:80' to 'localhost:3128'
> (Squid)
>
> My question:
>
> I have one rule:
>
> $IPTABLES -A FORWARD -d 11.22.33.44 -j fwd-log
> (fwd-log logs to syslog and drops the packet or rejects it if it's tcp)
>
> This should work when a client wants to connect to that IP. It works until I
> set up the transparent proxy rule later on in the same script - then it
> works for all ports but port 80:
>
> $IPTABLES -t nat -A PREROUTING -s 192.168.42.0/24 -p tcp --dport 80 -i eth0
> -j REDIRECT --to-ports 3128
>
> Why is a connect from 192.168.42.0/24 to 11.22.33.44:80 first proxied so
> that the blocking rule has no effect? I only can guess that all packets
> first traverse the nat table and then the filter table's FORWARD chain.
> What can I do? I tried this:
>
> $IPTABLES -t nat -A PREROUTING -p tcp -d 11.22.33.44 -j REJECT --reject-with
> tcp-reset
>
> but it did not work ("invalid argument")
> All I want to get is a kind of banner blocker. For this, I must tell the
> client with a 'REJECT --reject-with tcp-reset' that the banner server
> rejects connects to port 80.
>
> Olaf
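Added example, not part of Olaf's messages: one way to get the tcp-reset behaviour back once the REDIRECT is in place. mangle PREROUTING is traversed before nat PREROUTING, so a mark set there survives the REDIRECT and can be matched in filter INPUT, which is where the redirected packets arrive (they are delivered locally to Squid, so FORWARD never sees them, and their destination is no longer 11.22.33.44). The 11.22.33.44 address, the 192.168.42.0/24 network, eth0 and the fwd-log chain are from the thread; the mark value and the dry-run variable are assumptions.

```shell
#!/bin/sh
# Dry-run by default: commands are echoed. Set IPT=iptables to apply (needs root).
IPT="${IPT:-echo iptables}"
BANNER_IP="${BANNER_IP:-11.22.33.44}"   # banner server from the thread
LAN="192.168.42.0/24"                    # local clients from the thread
MARK=0x42                                # assumed mark value

block_banner_rules() {
  # 1. mangle PREROUTING runs before nat PREROUTING: tag packets for the banner
  #    server while the destination address is still the original one.
  $IPT -t mangle -A PREROUTING -i eth0 -s "$LAN" -p tcp -d "$BANNER_IP" --dport 80 \
       -j MARK --set-mark "$MARK"
  # 2. The transparent-proxy rule from the thread, unchanged; after it the
  #    packet's destination is the gateway itself on port 3128.
  $IPT -t nat -A PREROUTING -i eth0 -s "$LAN" -p tcp --dport 80 \
       -j REDIRECT --to-ports 3128
  # 3. The redirected packet goes through INPUT, not FORWARD. The mark is still
  #    set, so reject it here with the tcp-reset the client should receive.
  $IPT -A INPUT -i eth0 -p tcp --dport 3128 -m mark --mark "$MARK" \
       -j REJECT --reject-with tcp-reset
  # 4. Traffic to other ports is not redirected and still hits FORWARD, so the
  #    original fwd-log rule stays useful for those.
  $IPT -A FORWARD -d "$BANNER_IP" -j fwd-log
}

block_banner_rules
```

Note that REJECT is only valid in the filter table, which is why the attempt to use it in nat PREROUTING failed.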