Tunneling server for http and https traffic

 
 
magnus.moraberg@gmail.com
05-21-2009, 10:37 AM
Hi there,

I have a linux machine which is routed via eth0 to "network A" and via
eth1 to "networkB".

I wish for clients in "network A" to access content on a webserver
located in "network B".

The protocols I wish to support are Http (80) and Https (443).

Firewalls exist between my linux machine and networks A, and between
my linux machine and network B.

I have added networks A and B to my linux machine's routing table and
I can now ping from a machine in network A to the linux machine, and
from the linux machine to the web server on network B.

The firewalls are configured to only accept traffic via port 80 and
443.

So my question is, how do I connect network A and B? I have installed
squid on the linux machine and it is my understanding that if I
configure it as a tunneling server, listening on ports 80 and 443,
that this will achieve what I'm after. Is this correct?

BTW, I am not interested in doing any kind of caching with squid. The
version of squid I have is version 2.5.STABLE.

At the moment the only configuring of squid that I have done is to
have it listen on port 80. When I telnet to the linux machine on port
80 from a machine in network A, I am receiving a squid generated web
page.

Any advice or suggestions are welcome,

Thanks for your help,

Barry
 
Tauno Voipio
05-21-2009, 02:23 PM
(E-Mail Removed) wrote:
> Hi there,
>
> I have a linux machine which is routed via eth0 to "network A" and via
> eth1 to "networkB".
>
> I wish for clients in "network A" to access content on a webserver
> located in "network B".
>
> The protocols I wish to support are Http (80) and Https (443).
>
> Firewalls exist between my linux machine and networks A, and between
> my linux machine and network B.
>
> I have added networks A and B to my linux machine's routing table and
> I can now ping from a machine in network A to the linux machine, and
> from the linux machine to the web server on network B.
>
> The firewalls are configured to only accept traffic via port 80 and
> 443.
>
> So my question is, how do I connect network A and B? I have installed
> squid on the linux machine and it is my understanding that if I
> configure it as a tunneling server, listening on ports 80 and 443,
> that this will achieve what I'm after. Is this correct?
>
> BTW, I am not interested in doing any kind of caching with squid. The
> version of squid I have is version 2.5.STABLE.
>
> At the moment the only configuring of squid that I have done is to
> have it listen on port 80. When I telnet to the linux machine on port
> 80 from a machine in network A, I am receiving a squid generated web
> page.
>
> Any advice or suggestions are welcome,
>
> Thanks for your help,
>
> Barry



You can do the requested functions without Squid by
using iptables to allow IP forwarding for TCP ports
80 and 443 only and disallowing others. You have to
remember to turn IP forwarding on after setting up
the firewall rules.

Documentation for setting up the filters is to be
found at <http://www.netfilter.org/>. There is more
than you'll need.

--

Tauno Voipio
tauno voipio (at) iki fi
 
magnus.moraberg@gmail.com
05-21-2009, 10:50 PM
On 21 May, 16:23, Tauno Voipio <tauno.voi...@INVALIDiki.fi> wrote:
> magnus.morab...@gmail.com wrote:
> > Hi there,
> >
> > I have a linux machine which is routed via eth0 to "network A" and via
> > eth1 to "networkB".
> >
> > I wish for clients in "network A" to access content on a webserver
> > located in "network B".
> >
> > The protocols I wish to support are Http (80) and Https (443).
> >
> > Firewalls exist between my linux machine and networks A, and between
> > my linux machine and network B.
> >
> > I have added networks A and B to my linux machine's routing table and
> > I can now ping from a machine in network A to the linux machine, and
> > from the linux machine to the web server on network B.
> >
> > The firewalls are configured to only accept traffic via port 80 and
> > 443.
> >
> > So my question is, how do I connect network A and B? I have installed
> > squid on the linux machine and it is my understanding that if I
> > configure it as a tunneling server, listening on ports 80 and 443,
> > that this will achieve what I'm after. Is this correct?
> >
> > BTW, I am not interested in doing any kind of caching with squid. The
> > version of squid I have is version 2.5.STABLE.
> >
> > At the moment the only configuring of squid that I have done is to
> > have it listen on port 80. When I telnet to the linux machine on port
> > 80 from a machine in network A, I am receiving a squid generated web
> > page.
> >
> > Any advice or suggestions are welcome,
> >
> > Thanks for your help,
> >
> > Barry
>
> You can do the requested functions without Squid by
> using iptables to allow IP forwarding for TCP ports
> 80 and 443 only and disallowing others. You have to
> remember to turn IP forwarding on after setting up
> the firewall rules.
>
> Documentation for setting up the filters is to be
> found at <http://www.netfilter.org/>. There is more
> than you'll need.
>
> --
>
> Tauno Voipio
> tauno voipio (at) iki fi


Thanks very much for that tip! Would the following code achieve what
I'm after, ignoring the fact that it will allow all tcp ports?

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from network B
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from network A
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Don't forward from the network b to network a
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Tauno Voipio
05-22-2009, 04:04 PM
(E-Mail Removed) wrote:
> On 21 Maj, 16:23, Tauno Voipio <tauno.voi...@INVALIDiki.fi> wrote:
>> magnus.morab...@gmail.com wrote:
>>> Hi there,
>>> I have a linux machine which is routed via eth0 to "network A" and via
>>> eth1 to "networkB".
>>> I wish for clients in "network A" to access content on a webserver
>>> located in "network B".
>>> The protocols I wish to support are Http (80) and Https (443).
>>> Firewalls exist between my linux machine and networks A, and between
>>> my linux machine and network B.
>>> I have added networks A and B to my linux machine's routing table and
>>> I can now ping from a machine in network A to the linux machine, and
>>> from the linux machine to the web server on network B.
>>> The firewalls are configured to only accept traffic via port 80 and
>>> 443.
>>> So my question is, how do I connect network A and B? I have installed
>>> squid on the linux machine and it is my understanding that if I
>>> configure it as a tunneling server, listening on ports 80 and 443,
>>> that this will achieve what I'm after. Is this correct?
>>> BTW, I am not interested in doing any kind of caching with squid. The
>>> version of squid I have is version 2.5.STABLE.
>>> At the moment the only configuring of squid that I have done is to
>>> have it listen on port 80. When I telnet to the linux machine on port
>>> 80 from a machine in network A, I am receiving a squid generated web
>>> page.
>>> Any advice or suggestions are welcome,
>>> Thanks for your help,
>>> Barry

>> You can do the requested functions without Squid by
>> using iptables to allow IP forwarding for TCP ports
>> 80 and 443 only and disallowing others. You have to
>> remember to turn IP forwarding on after setting up
>> the firewall rules.
>>
>> Documentation for setting up the filters is to be
>> found at <http://www.netfilter.org/>. There is more
>> than you'll need.
>>
>> --
>>
>> Tauno Voipio
>> tauno voipio (at) iki fi

>
> Thanks very much for that tip! Would the following code achieve what
> I'm after, ignoring the fact that it will allow all tcp ports?
>
> #!/bin/sh
>
> PATH=/usr/sbin:/sbin:/bin:/usr/bin
>
> #
> # delete all existing rules.
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
>
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
>
>
> # Allow established connections, and those not coming from network B
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow outgoing connections from network A
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> # Don't forward from the network b to network a
> iptables -A FORWARD -i eth1 -o eth1 -j REJECT
>
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward



It seems to me that you have some contents of the
chains INPUT and FORWARD mixed up.

Please read again the definitions of the chains from
the documents.

I do not see how a forwarded connection could ever be
initiated. Another problem is that you're disallowing
return traffic from the servers to the clients. Note
that for every TCP connection there is a flow of response
packets which must be forwarded as well.

Please repeat the rules you would like to have, with
references to the Ethernet interfaces. Also, describe
which of the packets should end up in the Linux machine
and which to the server elsewhere.

The general prohibition for forwarding is easiest to
set up as the base policy of the FORWARD chain.

--

Tauno Voipio
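A forward-only rule set along the lines Tauno describes in both of his replies (the general prohibition as the FORWARD chain's base policy, return traffic explicitly allowed, new connections only from network A towards network B on TCP 80 and 443, and IP forwarding switched on only after the rules are in place). This is an added example, not code posted in this thread. The interface roles eth0 = network A and eth1 = network B come from Barry's description; the function names, the IPTABLES and IP_FORWARD_FILE override variables, the rate-limited LOG rule and the `apply` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from this thread: a forward-only firewall for the
# two-interface Linux router described above.  eth0 faces network A (the
# clients), eth1 faces network B (the web server).  Only new TCP connections
# from A to B on ports 80 and 443 are forwarded; the replies are accepted
# through connection tracking rather than by a hand-written reverse rule.
#
# IPTABLES and IP_FORWARD_FILE are overrides assumed by this example so the
# rule set can be previewed without touching the running kernel:
#   IPTABLES=echo IP_FORWARD_FILE=/dev/null sh fw.sh apply
IPTABLES="${IPTABLES:-iptables}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
LAN_IF="${LAN_IF:-eth0}"   # network A, where the clients are
SRV_IF="${SRV_IF:-eth1}"   # network B, where the web server is

fw_reset() {
    # Flush every table and delete user chains so the script is repeatable.
    "$IPTABLES" -F
    "$IPTABLES" -t nat -F
    "$IPTABLES" -t mangle -F
    "$IPTABLES" -X
}

fw_policy() {
    # The general prohibition on forwarding is the chain policy: anything
    # the FORWARD chain does not explicitly accept is dropped.
    "$IPTABLES" -P FORWARD DROP
}

fw_forward_rules() {
    # Reply packets belong to a connection the router already tracks; this
    # one rule covers the B -> A direction of every flow accepted below.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections: only from A towards B, only TCP, only to 80 and 443.
    for port in 80 443; do
        "$IPTABLES" -A FORWARD -i "$LAN_IF" -o "$SRV_IF" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Rate-limited log of whatever falls through to the DROP policy, so that
    # unexpected attempts (for instance from B towards A) show up in syslog.
    "$IPTABLES" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

fw_enable_forwarding() {
    # Deliberately the last step: the rules are already loaded before the
    # kernel is allowed to route a single packet between the interfaces.
    echo 1 > "$IP_FORWARD_FILE"
}

# Run as root with:  sh fw.sh apply
if [ "$1" = "apply" ]; then
    fw_reset
    fw_policy
    fw_forward_rules
    fw_enable_forwarding
fi
```

The script only deals with the FORWARD chain, which is where the A-to-B traffic lives; what the router itself accepts on its own ports (the INPUT chain) is a separate decision and is left untouched here. Because the base policy is DROP, no rule for the B-to-A direction is needed beyond the ESTABLISHED,RELATED match, and adding a further port later is a matter of extending the `for` list rather than writing a matching pair of rules.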
 