Networking Forums

a problem with nat table setting

yozhang@gmail.com
02-01-2006, 12:41 AM
Hi,

I am having a problem with the nat table configuration. I am using
2.6.8.1 kernel in a router and also added a http filter proxy which
uses port 8080.

Internet ------------ ROUTER (http filter proxy) --------- linux PC
                      lan ip: 192.168.1.1                  192.168.1.2

I have found that if there is an established connection between the
linux PC and the webserver before I start the proxy and add the
iptables nat rules (which can be checked using netstat), the outgoing
http packets will not be passed to the proxy, and they seem to go out
directly. If I leave it untouched (no http activity) and, after some
time, that connection is gone, the outgoing http packets will be
passed to the proxy again.

Does anyone know how to solve this problem?

Thanks.

Yong

Here is the iptables configuration:
1. Only the nat PREROUTING REDIRECT rule is for the proxy.
2. ppp0 is the WAN interface, br0 is the LAN interface. The PC is attached to
br0.

# iptables -L -v
Chain INPUT (policy ACCEPT 3574 packets, 11M bytes)
 pkts bytes target  prot opt in    out  source    destination
   22  7554 ACCEPT  all  --  ppp0  any  anywhere  anywhere     state RELATED,ESTABLISHED
    0     0 ACCEPT  udp  --  ppp0  any  anywhere  anywhere     udp dpt:500
    0     0 ACCEPT  esp  --  ppp0  any  anywhere  anywhere
    0     0 ACCEPT  !esp --  ppp0  any  anywhere  anywhere     MARK match 0x10000000/0x10000000
    0     0 LOG     tcp  --  ppp0  any  anywhere  anywhere     tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP    all  --  ppp0  any  anywhere  anywhere

Chain FORWARD (policy ACCEPT 43 packets, 13943 bytes)
 pkts bytes target  prot opt in    out  source    destination
   37 15118 ACCEPT  all  --  ppp0  any  anywhere  anywhere     state RELATED,ESTABLISHED
    0     0 ACCEPT  !esp --  ppp0  any  anywhere  anywhere     MARK match 0x10000000/0x10000000
    0     0 LOG     tcp  --  ppp0  any  anywhere  anywhere     tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level alert prefix `Intrusion -> '
    0     0 DROP    all  --  ppp0  any  anywhere  anywhere

Chain OUTPUT (policy ACCEPT 3456 packets, 11M bytes)
 pkts bytes target  prot opt in    out   source    destination
    0     0 DROP    all  --  any   ppp0  anywhere  239.255.255.250

# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 84 packets, 5865 bytes)
 pkts bytes target    prot opt in   out  source    destination
    2   120 REDIRECT  tcp  --  br0  any  anywhere  !192.168.1.1  tcp dpt:www redir ports 8080
    2   118 DNAT      udp  --  br0  any  anywhere  192.168.1.1   udp dpt:domain to:10.250.1.10

Chain POSTROUTING (policy ACCEPT 28 packets, 1822 bytes)
 pkts bytes target      prot opt in   out   source          destination
    3   178 MASQUERADE  all  --  any  ppp0  192.168.1.0/24  anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source  destination
#

Slacknix
02-01-2006, 12:41 PM
If I understand correctly, you want to put your linux box between your
DSL and your network. Without filtering software, the easiest way to do
this (and the way I do it) is to bridge your two NICs using brctl.
After this, ifconfig eth1 and eth0 to set their IPs to 0.0.0.0 and
ifconfig your bridge to the IP address you want the linux box to have.

Then compile and install squid and activate the http accelerator with
caching.

Then redirect the packets to the proxy using iptables and the directives
-t nat and -j REDIRECT to your proxy port 8080.

You should then be able to transparently use the gateway and use the
proxy.

I hope this'll help.

constant meiring

yozhang@gmail.com
02-01-2006, 06:47 PM
Thanks for the reply.

That router is an embedded linux device which will work as a gateway.
The current problem is related to iptables.

If an http connection is established before the proxy is started and
iptables is then used to redirect to proxy port 8080, its traffic will
continue using the old port (80) after you enable the proxy/iptables
redirect.

Yong

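A way to see which flows are in this state, added here as an example and not part of the thread: it reads conntrack entries and lists the HTTP connections whose reply still comes from port 80 rather than from the proxy on 8080, which are exactly the ones created before the REDIRECT rule. It assumes the 2.6-era /proc/net/ip_conntrack line format; the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list the HTTP flows that were already
# in conntrack before the REDIRECT rule was added and therefore still bypass
# the proxy on 8080. NAT is decided on the first packet of a connection, so
# such flows keep going out directly until their conntrack entries expire.
# Assumes the 2.6-era /proc/net/ip_conntrack line format (also accepts the
# later nf_conntrack format, where "tcp" is the third field).

# Constructed sample (not captured from the poster's router):
#   flow 1: to port 80, reply comes back from port 80      -> not redirected
#   flow 2: to port 80, reply comes from the router on 8080 -> redirected
#   flow 3: to port 443, never matched by the rule
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.10 sport=40001 dport=80 src=203.0.113.10 dst=192.168.1.2 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.20 sport=40002 dport=80 src=192.168.1.1 dst=192.168.1.2 sport=8080 dport=40002 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.30 sport=40003 dport=443 src=203.0.113.30 dst=192.168.1.2 sport=443 dport=40003 [ASSURED] use=1'

# unredirected_http_flows TEXT [PROXY_PORT]
# Prints "client -> server:80" for every TCP entry whose original tuple
# targets port 80 but whose reply tuple does not answer from the proxy port,
# i.e. the REDIRECT was never applied to it.
unredirected_http_flows() {
    printf '%s\n' "$1" | awk -v proxy="${2:-8080}" '
        $1 == "tcp" || $3 == "tcp" {
            split("", seen); split("", v)
            # key=value tokens appear twice: original tuple first, reply tuple second
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") != 2) continue
                seen[kv[1]]++
                v[kv[1] seen[kv[1]]] = kv[2]
            }
            if (v["dport1"] == "80" && v["sport2"] != proxy)
                print v["src1"] " -> " v["dst1"] ":80"
        }'
}

# On the router itself, run against the live table; otherwise use the sample.
if [ -r /proc/net/ip_conntrack ]; then
    unredirected_http_flows "$(cat /proc/net/ip_conntrack)"
else
    unredirected_http_flows "$SAMPLE_CONNTRACK"
fi
```

An empty result means every tracked HTTP flow is already going through the proxy; any line printed is a connection that will keep bypassing it until it closes and its entry times out.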