Re: [tanya-jawab] iptables

Hari Hendaryanto Tue, 01 Aug 2006 18:04:50 -0700

Mirza Khadnezar wrote:

server :
eth0 : gw1
eth1 : gw2
eth3 : LAN


rc.local :
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0
-j MASQUERADE
/sbin/iptables --append FORWARD --in-interface  eth0 -j ACCEPT
/sbin/iptables --table nat --append POSTROUTING --out-interface eth1
-j MASQUERADE
/sbin/iptables --append FORWARD --in-interface  eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
dhclient
ifconfig eth2 192.168.1.1
ifconfig eth3 down
#ifconfig eth1 192.168.2.1
#route add default gw 192.168.1.1
#ipmasq
/etc/init.d/bind9 start
named

/sbin/iptables -A PREROUTING -t nat -p tcp -s 192.168.1.0/24 --dport
80 -j DNAT --to 202.73.109.166:2210

-------------------------------------------------------------------------------------------------------------------

squid.conf

http_port 2210
icp_port 3130
snmp_port 3401
cache_mgr admin

#cache_peer 123.45.67.89 parent 3128 3130 proxy-only
#cache_peer 202.143.61.37 sibling 3128 3130 proxy-only
#cache_peer 222.124.79.54 parent 2210 3130 proxy-only

# ngembat proxy cbn ah di proxy.cbn.net.id port 8080
#cache_peer proxy.cbn.net.id sibling 8080 3130 proxy-only



#icp_query_timeout 2000
#connection_timeout 90
#reply_body_max_size 2048
#maximum_icp_query_timeout 2000
#mcast_icp_query_timeout 2000

dead_peer_timeout 10 seconds
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
visible_hostname rendezvous.server02.sat-c.net
cache_mem 128 MB

cache_swap_low 80%
cache_swap_high 100%

#cache_dir diskd /cache1 3200 8 64 max-size=-1 Q1=64 Q2=72
#cache_dir diskd /cache2 3200 8 64 max-size=-1 Q1=64 Q2=72
#cache_dir diskd /cache3 3200 8 64 max-size=-1 Q1=64 Q2=72
#cache_dir diskd /cache4 3200 8 64 max-size=-1 Q1=64 Q2=72
cache_dir diskd /var/spool/squid 1024 8 64 max-size=-1 Q1=64 Q2=72
#cache_dir ufs /cache 1600 4 256

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid

forwarded_for off

half_closed_clients off
cache_effective_user proxy
cache_effective_group proxy
cache_mgr [EMAIL PROTECTED]

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
#acl x1 url_regex "/etc/streaming"
#acl x2 urlpath_regex -i "/etc/download"
acl gator dstdomain .gator.com
acl gohip dstdomain .gohip.com
acl kazaa dstdomain .kazaa.com
acl ad dstdomain .advertising.com
acl real dstdomain .xreal.com
acl pornsite url_regex 220.73.222.254
acl LAN src 192.168.1.0/255.255.255.0
acl NOC src 192.168.1.0/255.255.255.0
acl snmpcommunity snmp_community nama_snmpcommunity     # bila ingin
meng-grab traffik dari squid
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 21 80 81 53 110 143 443 563 70 210 1025-65535
#acl Safe_ports port 21 80
#acl Safe_ports port 2000-2500
#acl Safe_ports port 4000-5900
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#header_access User-Agent deny all
#header_replace User-Agent Mozilla/5.0 (X11; U; Linux 2.6.8 DEC Alpha)

# HTTP REQUEST TO A LOCAL WEB SERVER
httpd_accel_host 202.73.109.166
httpd_accel_port 80
acl acceleratedHost dst 202.73.109.166/255.255.255.255
acl acceleratedPort port 8000

http_access allow manager localhost
# http_access deny manager      # di-uncomment bila tidak ingin
menggunakan cachemgr.cgi
http_access deny !Safe_ports
http_access deny pornsite
http_access deny CONNECT !SSL_ports
snmp_access allow snmpcommunity

#http_access deny x1
#http_access deny x2
http_access deny gator
http_access deny gohip
http_access deny ad
http_access deny real
http_access deny kazaa

http_access allow LAN
http_access allow NOC
http_access allow localhost
http_access allow acceleratedHost
http_access deny all
snmp_access deny all

# OPSIONAL
#always_direct allow LAN
#always_direct allow NOC
#never_direct allow all
httpd_accel_host virtual
#httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cachemgr_passwd ayamgoreng manager
negative_ttl  1 minutes
buffered_logs on

# BEBERAPA KLIEN DILARANG MENGAKSES WEB DI MALAM HARI

#acl terlarang src 192.168.1.128/255.255.255.192
#acl aksesiang time SMTWHFA 08:00-20:00
#acl aksesiang time 08:00-20:00
#http_access allow terlarang aksesiang
#http_access deny terlarang

==================================

saya mau port 80 21 8080 yang di rekuest oleh semua client melaluigw1(eth0)

port 5000:8000 pake eth1

gimana yah ngatur nya ?
karena saya liat di squid kagak ngepek
apa perlu pake ip tables ?
--
[EMAIL PROTECTED]:/home/mirza# iptables -A FORWARD -p tcp -i eth3
--dport 80 -j ROUTE -oif eth0
Bad argument `eth0'
Try `iptables -h' or 'iptables --help' for more information.
[EMAIL PROTECTED]:/home/mirza#
[EMAIL PROTECTED]:/home/mirza# iptables -A FORWARD -p tcp -i eth3
--dport 80 -j ROUTE --oif eth0
iptables v1.3.1: Unknown arg `--oif'
Try `iptables -h' or 'iptables --help' for more information.
[EMAIL PROTECTED]:/home/mirza#

ga bisa juga
mungkin ad ayang bisa ngasih solusinya ?
UBUNTU BREEZY

ASAP


coba command iptables nya begini:

iptables -A POSTROUTING -t mangle -i eth3 -p tcp --dport 80 -j ROUTE--gw x.x.x.x --oif eth0


mungkin bisa :)

regards


PT.CITRA SARI MAKMUR
SATELLITE & TERRESTRIAL NETWORK

Connecting the distance - anytime, anywhere, any content

--
FAQ milis di http://wiki.linux.or.id/FAQ_milis_tanya-jawab
Unsubscribe: kirim email ke [EMAIL PROTECTED]
Arsip dan info milis selengkapnya di http://linux.or.id/milis

Re: [tanya-jawab] iptables

Kirim email ke