Ubuntu Servers :: Port Forwarding Setup Using IPTables - Transparent Proxy

May 13, 2010

I'm new to linux, but enjoy using it very much, especially without a GUI, console is fun! I need to set up port forwarding. We have 3 servers, 1x running Ubuntu server 8.04 (used as transparent proxy), 1x server 2003, 1x windows xp.

The linux box has the following ips:
eth0 (internal) 192.168.1.5
eth1 (external) 192.168.0.7

Windows server 2003:
192.168.1.6

Windows XP:
192.168.1.9

Router:
192.168.0.1

The router automatically forwards specific ports to 196.168.0.7 (Linux eth0). From there I want to forward port 8585 to 192.168.1.6 and 3000 to 192.168.1.9. Is there a way that I can do this using iptables?

The commands that I think I'm gonna use look like this:
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 8585 -d 192.168.1.6 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 3000 -d 192.168.1.9 -j ACCEPT

Would this be a correct way of doing it? My biggest problem is that I can't test it without going live, and if I go live and something doesn't work, the entire building will be left without internet, people will hate me. Also, the proxy captures all data on port 80 and forwards it to 3128 so that the proxy can monitor the usage, and a few systems run fine with it; others, however, can ping websites, and Internet Explorer says "website found, waiting for reply" but the webpages cannot be displayed.

View 9 Replies


Server :: Set Up Squid3 Proxy As A Transparent Proxy & Iptables Config

Feb 23, 2011

I am trying to set up my squid3 proxy as a transparent proxy - right now, I have to manually configure browsers to access via proxy. I understand that I have to put some rules into Iptables and also some further directives in the squid.conf.

I have a couple of specific questions. The proxy server is running on an Ubuntu 10.04 workstation and this machine also acts as a DHCP server for the network. I have just one subnet, namely 192.168.0.1-254. There is only 1 network card. Is it much easier to put in a second network card or is it just as easy to configure the existing LAN card as a dual IP?

Is it necessary to configure these 2 IPs (whether they are via 2 LAN cards or dual IP on a single card) to be on different subnets, i.e. ETH0 192.168.0.1 and ETH1 192.168.1.1, or is it OK to have something like ETH0 192.168.0.1 and ETH1 192.168.0.254 (where ETH0 is the one facing the LAN and ETH1 points to the modem router / switch, i.e. the Internet)? Where specifically do I save the iptables rule configuration file and what must I call it?

View 4 Replies View Related

General :: Transparent Proxy With Squid And Iptables Won't Log IPs From Lan

Aug 23, 2010

I just finished setting up a proxy machine that runs in a separate box from the gw.

I have the following iptables rule

on squid box

Code:

Code:

Here's an example

Code:

My question is: how can I modify the iptables rules so that they forward the real IPs the requests originate from?

View 1 Replies View Related

CentOS 5 Networking :: Iptables For Transparent Proxy?

Mar 11, 2010

I have a big problem with the correct settings of iptables as a router. My network topology: (UTM hardware router) 192.168.1.1--->eth0 192.168.1.2 (CentOS with Apache, FTP and transparent squid 8080)--->eth1 192.168.0.1 (LAN with DHCP)

eth0=WAN 192.168.1.2
eth1=LAN 192.168.0.1

I have a problem with hanging connections through squid, which are very slow or fail. Sometimes I receive a DNS timeout error from squid stable 2.6 21

[Code]...

View 1 Replies View Related

Networking :: Iptables - Port Forwarding To Blocked Port?

Mar 25, 2010

I have a mail server on which I would like to block port 25 on my eth0 for everyone except our external spam filter. The problem is that I want our users to be able to connect via port 10025, which is forwarded to port 25, which then is blocked...

View 2 Replies View Related

Networking :: Iptables - Set Up Ip Table And A Transparent Squid Proxy

Nov 10, 2010

I need to set up iptables and a transparent squid proxy as follows: I have 3 machines. Machine 1 works as a squid proxy. It has 2 interfaces, eth1 and eth2.

eth1: 192.168.99.2 (Connect to eth1 of machine 2)
eth2: 192.168.98.2 (Connect to eth1 of machine 3)

machine 2 works as a webserver
eth1: 192.168.99.4
machine 3 works as a web client.
eth1: 192.168.98.4

My responsibility is to send all TCP traffic from machine 3 at port 80 to my squid proxy. In order to fulfill the task, I have edited the squid.conf as follows:

Code:
http_access allow localnet
http_access allow localhost

and in machine 1, I tried 2 iptables commands:

Code:
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.99.2:80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 80

I don't know if it is right or wrong.

View 7 Replies View Related

Networking :: Squid And IPTABLES - Transparent Proxy Doesn't Work

Jan 12, 2011

I set up squid with transparent proxy and it's working; however, when I reboot the server, the proxy server doesn't work unless I run the following.

Code:
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
[Code]...

View 6 Replies View Related

Networking :: IPTables - Redirecting Web Traffic To Single Transparent Proxy Server

Mar 25, 2010

I am new to iptables. We have two Squid proxy servers running in "non-transparent mode" (172.16.0.1 and 172.16.0.2). Currently users have to configure the proxy server they want to use by configuring them in their browsers. Recently I saw an example for redirecting web traffic to a single transparent proxy server.

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128

Can anyone modify this rule to accommodate my current setup of two proxy servers running in non-transparent mode, i.e. redirect web traffic to the 172.16.0.1-172.16.0.2 IP range?

View 2 Replies View Related

Ubuntu :: Port Forwarding Using Iptables Not Working?

Jul 17, 2009

I am using Ubuntu 8.40 as a router with 2 NICs. eth0 is for the local and eth1 is for the external network. I have an internal web server in my LAN and want to forward some ports to the net, and I executed the following commands.

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 192.168.0.239 --dport 8080 -j DNAT --to 192.168.10.99:8080
iptables -A FORWARD -p tcp -i eth1 -d 192.168.10.99 --dport 8080 -j ACCEPT

But I can't connect to port 8080 from the external network.

View 11 Replies View Related

Networking :: Iptables Not Port Forwarding?

Aug 14, 2010

I have a CentOS box which is Internet Facing. It has 3 LAN's connected to it which are for virtual machines.

I want to port forward port 445 to a machine on one of the LAN interfaces. I have tried various ways to get it done, but still cannot access that port from the interface. I definitely know the device hosting port 445 is live, as I can ping it from the CentOS box and use lynx to access it! (It's a web server)

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 445 -j DNAT --to-destination 192.168.0.2:445

View 6 Replies View Related

Networking :: Iptables Port Forwarding?

Jun 7, 2010

I've been Googling about port forwarding with iptables, and even though there are results and I've applied them in my script, I can't make iptables forward requests to another machine, so I decided to ask for help.

eth0 is my Internet Interface (1.2.3.4 is the public ip)
eth1 is my Lan Interface
eth2 is my DMZ Interface

[code]....

View 14 Replies View Related

Networking :: Port Forwarding With IPTables?

May 6, 2011

I have a server running debian squeeze and kvm to virtualize a Windoze box. It's setup to use NAT. This is because of limits on the network by the admin and unfortunately, there isn't a way to get around this.

View 1 Replies View Related

Slackware :: Port Forwarding Using IPtables?

Jun 16, 2011

How to set an external static IP address to forward to an internal static IP address. Here is an example:

Linux box (slackware) IP address =
eth0: 10.xxx.xxx.xxx (internal)
eth1: xxx.xxx.xxx.170
eth1.0: xxx.xxx.xxx.171
eth1.1: xxx.xxx.xxx.172

DVR system that I need to forward to: IP address =
xxx.xxx.xxx.251
xxx.xxx.xxx.252

This was all set up by someone else whom I have never spoken with. The iptables rules seem to be set up but I cannot provide a screenshot at this time. What I need to do is this: when a user connects to the external static IP address of xxx.xxx.xxx.171 with their DVR software, iptables will forward to the DVR system at xxx.xxx.xxx.251. The ports desired are 554, 555, 556, and 557. I know some about Linux but not about iptables.

View 1 Replies View Related

Debian Configuration :: Squid Transparent Proxy Https 443 Port?

Apr 26, 2011

I'm trying to get https/443 traffic go through squid.

View 3 Replies View Related

CentOS 5 Networking :: OPEN Port In Squid Transparent Proxy

Jan 26, 2010

Here is my network diagram: ADSL router----firewall--LAN. Inside the LAN my squid is running. Currently all users are working without a proxy server. I installed the proxy server inside the LAN. Now all users can access web browsing, but no other ports are working; POP3, SMTP and some other TCP port based applications are not working. On my firewall (Juniper) I created and tested the rules to allow POP3, SMTP and selected ports, which is working, but when I redirect through the squid proxy server the clients are not able to access. Where do I have to create rules?

** In the squid proxy (I already did this in the safe port list, still not working)
** iptables?

View 6 Replies View Related

Ubuntu Networking :: Port Forwarding With Arno Iptables?

Feb 20, 2010

I am using Arno iptables. Can you give me the command for IP forwarding, because my web server is behind my router? My web server IP is 192.168.0.11 and my router IP on eth1 is 192.168.0.1, and I use eth0 to dial up my modem with PPPoE.

View 2 Replies View Related

Ubuntu Security :: Iptables Not Allowing Port Forwarding

Sep 5, 2010

I've got two virtual machines running, the first VM (VM1) has two network interfaces, one bridged with my real lan, one a private subnet. The second VM (VM2) has one nic, only on the private subnet.

I have VM1 acting as a router for VM2, giving access to my real lan for internet access. The problem I'm having is I cannot get VM1 to forward ports 80 (http) or 222 (ssh) to VM2 from my real lan.

Here is the script I've cobbled together from various (foreshadowing!) locations:

Code:

View 1 Replies View Related

Ubuntu Networking :: Iptables And Cannot Get Port Forwarding To Work?

Mar 8, 2011

I've been beating myself over the head with iptables and CANNOT get port forwarding to work. Here's my situation:

Static LAN IP on eth0
Static internet IP on eth1
ip_forward is turned on by uncommenting in sysctl.conf

Here's the output of iptables-save:

Code:
# Generated by iptables-save v1.4.4 on Tue Mar 8 10:34:12 2011
*nat
:PREROUTING ACCEPT [2443:347058]

[Code]...

Edit: by the way, the intended purpose of this machine is to serve as a gateway and firewall. MASQUERADE is working, for whatever that is worth. And the host behind the firewall that is serving up http is definitely working too. All that is not working is getting hosts on the internet talking to hosts behind the firewall.

View 1 Replies View Related

Networking :: Iptables Port Forwarding Not Working?

Jan 28, 2011

I've used iptables since it replaced ipchains, and I've never had a problem like this. The problem is, as you can see by the title, that port forwarding simply does not work.

network topology:
Slackware Linux Server:
eth0 - LAN (192.168.0.0/25)
eth1 - DSL Static IP
eth2 - cable Static IP

eth1 is our standard office connection; it handles all of our default traffic (web browsing for the staff, email, etc). eth2 is our VPN connection, as well as use for all incoming connections (www, etc). Behind the linux box I have a series of Windows Server 2008 R2 boxes that are used to run our office software, website, etc - I don't care how nice they make their products these days, I simply don't trust any MS box open to the net.
Therefore, this leaves me with having to port forward port 80 from eth2 to the internal IP address of the web server.

My ruleset is as follows:

$WWW - ip address of the web server
iptables -A FORWARD -d $WWW -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to $WWW

Running ip route shows that I have routing entries for all 3 networks, and I can ping, ssh, etc to any of the addresses without issue. OpenVPN connects across eth2 as well, and all 15 of my VPN tunnels work fine. However - and here's the kicker - if I delete the default route and replace it with the route for eth2, port forwarding works fine.

If we accept that my networks are as follows:

192.168.0.0/25 - eth0 net, gw .1
1.1.1.0/29 - eth1 net, gw .1, eth1 ip .2
2.2.2.0/30 - eth2 net, gw .1, eth2 ip .2

then ip route reveals the following:

2.2.2.0 via 2.2.2.1 dev eth2
2.2.2.0 dev eth2 scope link src 2.2.2.2
1.1.1.0 dev eth1 scope link src 1.1.1.2

[code]....

View 7 Replies View Related

Networking :: IPTables Port Forwarding To Routed IP?

Aug 3, 2010

I have a linux server I'm intending to use as a firewall. The server has the following adapters

eth0 - Public IP (VLAN2)
eth0:1 - Public IP2 (VLAN2)
eth1 - 10.241.4.4 (VLAN4)

the Default gateway is my ISPs gateway. Additionally, I have the following route set: route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.241.4.1

I have a server that exists on VLAN 208 at IP 10.241.209.67/21., its GW is 10.241.208.1 (first IP in /21 range)

as it is on the 10.0.0.0/8 network, traffic from the firewall is successfully routed from that server through my router to the FW and out to the Internet. The FW can ping, ssh, etc... the server and vice versa.

I want an iptables rule that will allow me to forward port 4401 on eth0:1 to 10.241.209.67:4401.

Is this possible since the IP is not on the same subnet as eth1, even though it is accessible?

I'm a bit better than a neophyte linux user. I have not made port forwards with it in the past without scripts to assist so I'm looking for not just "it is possible", but also the syntax of how to add it.

View 2 Replies View Related

Server :: Iptables Port Forwarding Not Working?

Mar 26, 2010

I have the following setup and I'm trying to forward all incoming connections on port 1194 on eth2, which is the external network, to IP 192.168.10.100, but it seems it's not working.

Current config:

# Generated by iptables-save v1.3.8 on Sun Nov 16 00:00:54 2008
*nat
:PREROUTING ACCEPT [26751696:2175544875]
:POSTROUTING ACCEPT [339911:19096812]

[code]....

Plus I'm adding the prerouting:

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 1194 -j DNAT --to-destination 192.168.10.100

This configuration doesn't work. I have also tried:

iptables -D PREROUTING -t nat -p tcp -d XX.XX.XX.XX --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.10.100:1194

and likewise it's not working. Connecting through telnet to the domain (telnet mydomain.org 1194) doesn't work, but from within the server, running telnet 192.168.10.100 1194 works.

View 8 Replies View Related

Networking :: Setup Port Forwarding Of Port 1000 To Ip 192.168.1.200?

Oct 24, 2010

I had to add them to my firewall script when I installed openvpn on my dd-wrt router:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

What should I add/change to set up port forwarding of port 1000 to IP 192.168.1.200? Also, how do I get the answer sent by 192.168.1.200 to follow the same route used by the data received through port forwarding?

View 1 Replies View Related

Networking :: Transparent Squid Proxy Setup

May 6, 2011

I have set up squid3 and a DHCP server on my Ubuntu 10.04 box with an IP address of 192.168.0.160. Single network card. Squid runs on port 3148. Everything works fine for the users provided that I set up the proxy details manually on each client PC. I want to set up Squid to run as a transparent proxy and after reading around I have done the following. In the Squid3 conf file I have entered http_port 3148 transparent. Dropping to root (sudo -i)

However the transparent proxy does not work and if I enter iptables -L I can see that the rule above has not been retained. Only the default rules in iptables show up.

View 5 Replies View Related

Networking :: IPTables Port Forwarding Using Prerouting Not Working?

Feb 18, 2010

I was trying to setup port forwarding on my setup. My network consists of:

Code:

[Server: xxx.xxx.xxx.15]
|
|
[ switch ]

[code]....

I ran the following 2 commands:

# iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.xxx.xxx.15:80
# iptables -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT

Yet I am unable to connect. Are these the correct commands? I am using IP masquerading on the same box using the following commands:

Code:

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT

[code]....

I don't think there is a hidden firewall in the switch but if these commands are correct, then I may need to contact my ISP and see if they are blocking the commands. I just wanted to make sure I was not doing some stupid mistake before I try to contact my ISP.

EDIT: Also, is it possible to forward Port 80 requests to different servers depending on the hostname used to connect, so say [URL] redirects to server xxx.xxx.xxx.15 while hhh.com redirects to xxx.xxx.xxx.16?

View 3 Replies View Related

General :: Setting Up Iptables For Traffic Forwarding On Port 80 From Specific Sources?

Jun 1, 2010

I'm running a web server on port 80, but I want traffic coming from IP 212.333.111.222 on port 80 to be forwarded to port 9020 on the same server that my web server is running on; that is my sshd port.

View 1 Replies View Related

Networking :: IPtables Port Forwarding \ Have A Computer With Two Interfaces Eth0(LAN) And Eth1(WAN)?

Apr 20, 2011

I have a computer with two interfaces, eth0 (LAN) and eth1 (WAN). I have followed some guides on the internet and came up with this iptables configuration:

# Generated by iptables-save v1.4.4 on Wed Apr 20 09:43:12 2011
*nat
:OUTPUT ACCEPT [0:0]

[code].....

View 2 Replies View Related

Server :: Bridged Router / Modem Setup - Squid Transparent Proxy

May 19, 2010

I'm using a Debian box as a gateway. I'm planning on bridging my DLink 604T modem/router so that traffic on the LAN goes to my gateway (which only has one NIC). The Debian box is running a PPPoe application which I'm hoping to log into the ISP through the DLink. I plan to configure the box as a squid transparent proxy. Most Howtos I've seen use NAT with 2 NICs, eth0 for the LAN and eth1 for the Internet. Any step-through to set up NAT for this?

View 4 Replies View Related

General :: Setup Self Port Forwarding On Fedora 13 X64?

Oct 2, 2010

How do I set up Self Port Forwarding on Fedora 13 x64?

How Port Forwarding Works

Port forwarding allows access to a local area network by a remote user through forwarding ports that provide ftp access and web server access. The operating systems use a kernel or ipfirewall to carry out the port forwarding process.

There are several different ways that port forwarding is accomplished.

* Self Forwarding: Self forwarding is port forwarding that is accomplished on a local area network that has multiple computers connected to the network. Since all of the computers share the same IP address, the port forwarding must be conducted within each computer on its own system. If the local area network router has a network access translator then the computers that are connected to the router must also do port forwarding within their own system.

Port forwarding can be accomplished with Unix systems; however, the port can only be accessed by the root administrator. This is a less common method of port forwarding due to the fact that using a root administrator poses risks to the system because the users will often take a detour to a higher port number to gain faster access to the server.

Double port forwarding involves the use of multiple routers that join computers on a local area network. As a result, the ports on one router are forwarded to another router that acts as a gateway. The gateway router then forwards to a host on the local area network (LAN). This type of port forwarding involves the communication of several components which include the session server, session client, and session port. When the user establishes a connection the session server will connect to one of the session ports that are to be forwarded, which will in turn forward the port to the session client.

Reverse port forwarding is used when access is required to a port that is protected behind a firewall.

While port forwarding is convenient, there are a few things to be aware of when using this type of technology. If you use port forwarding only one port can be used at a time and the machine that is receiving the port forwarding can only view the information as coming from the router instead of the original machine. Additionally, port forwarding can open up network access to other machines that may be able to find the port forwarding by gaining unauthorized access.

I know how to set up port forwarding in my router along with Dyndns.org free ED, but my local area network has multiple computers connected to the network on my router. All of the computers share the same external (public) dynamic IP address; when I set up port forwarding only my Web Server can access the internet, so how do I set up Self Port Forwarding on Fedora 13 x64?

[Code]...

View 4 Replies View Related

Server :: Setup Port Forwarding On: 25565

Jul 29, 2011

I need to set up port forwarding on my server (I have it running Ubuntu 11.04 desktop) so I can host a Minecraft server.

View 1 Replies View Related

Ubuntu Servers :: Script To Install Transparent Proxy With Webmin

Apr 11, 2010

I just made a script to install a Transparent Proxy with DHCP Server, Content Filtering and Webmin. It installs and configures the modules and starts them. I can use from two to five interfaces (eth0, eth1, eth2, eth3 & eth4). I've tested it on 8.04 to 9.10 and it works fine. It does not configure BIND and IPTABLES; it just installs all the modules needed for a transparent proxy, and configures DHCP, SQUID, DANSGUARDIAN and WEBMIN for Ubuntu. I did it because mostly all configurations I do are transparent proxies.

What it does:
1. Installs many packages needed for transparent proxies, and webmin. Also installs perl modules needed.
2. Configures default Squid settings for transparent proxies, and a better Dansguardian content filtering for public access.
3. Configures and fixes Webmin DHCP and Dansguardian modules to work on Ubuntu.
4. Configures DHCP Server subnets.

What it doesn't:
1. IPTABLES and BIND. You must configure both manually. IPTABLES can be configured with Firewall Builder or another firewall tool. BIND can be configured using Webmin or the CLI.
2. Configures /etc/network/interfaces. You must configure all network interfaces correctly. Any mistake can screw up the automatic configuration.
3. Dansguardian Blacklists. You must use your preferred blacklists. I use URLBigBlacklist with a modified script to work on Ubuntu (downloaded from Dansguardian's Extras and fixed up to work on Ubuntu).
4. Check the script if there's something missing.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved