From: mesut guler (mesut@egemenyazilim.com)
Date: Mon 18 Oct 2004 - 14:20:07 EEST
cem es wrote:
> Hello
>
> I built a firewall with a DMZ using iptables; Internet sharing and
> access from outside work the way I want. My only problem is the
> transparent proxy: squid works fine on its own, but when, in the last
> line of the script below, I redirect requests arriving on port 80 to
> port 3128, the clients cannot reach web pages.
> When I set INPUT to ACCEPT, the transparent proxy starts working. As I
> understand it there is a problem with the INPUT rule, but port 80 is
> already open. I would appreciate your help.
>
> # Disable forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> DMZ_IP_NET='192.168.2.1/24'
> DMZ_NIC='eth0'
>
> LAN_IP_NET='192.168.0.1/24'
> LAN_NIC='eth2'
>
> # load some modules (if needed)
> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp
>
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
>
> iptables -P INPUT DROP
> #iptables -P INPUT ACCEPT
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
>
> # Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -t nat -A POSTROUTING -s $DMZ_IP_NET -j MASQUERADE
> iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
>
> iptables -A FORWARD -j ACCEPT -i $DMZ_NIC -s $DMZ_IP_NET
> iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Open ports on router for server/services
> iptables -A INPUT -j ACCEPT -p tcp --dport 80   #HTTP
> iptables -A INPUT -j ACCEPT -p tcp --dport 3389 #TS
> iptables -A INPUT -j ACCEPT -p tcp --dport 21   #FTP
> iptables -A INPUT -j ACCEPT -p tcp --dport 22   #SSH
>
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Open ports to server on DMZ
> iptables -A FORWARD -j ACCEPT -p tcp --dport 80
> iptables -A FORWARD -j ACCEPT -p tcp --dport 3389
> iptables -A FORWARD -j ACCEPT -p tcp --dport 21
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.200:80
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to 192.168.2.200:3389
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.2.200:21
>
> iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to 3128
>
>_______________________________________________
>Linux-ag mailing list
>Linux-ag@liste.linux.org.tr
>http://liste.linux.org.tr/mailman/listinfo/linux-ag
First, try allowing the squid port:
iptables -A INPUT -i eth2 -p tcp --dport 3128 -j ACCEPT
If that does not work, try allowing the loopback interface in the INPUT chain:
iptables -A INPUT -i lo -j ACCEPT
Also, if you have squidguard or other services that need loopback
connections, you will need to allow the loopback interface.
Regards.
-- Mesut Guler
Egemen Yazilim
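To show why the reply's rule matters, here is an added example (not from the thread) that models the two chains a locally delivered packet crosses, nat PREROUTING and then filter INPUT, using the rules from the quoted script. It assumes eth1 is the Internet-facing interface, as the DNAT rules suggest.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    proto: str
    dport: int

def nat_prerouting(pkt, redirect_rules):
    """nat PREROUTING runs first: a matching REDIRECT rewrites the
    destination port, so later chains see the new port, not 80."""
    for iface, dport, to_port in redirect_rules:
        if (pkt.in_iface, pkt.proto, pkt.dport) == (iface, "tcp", dport):
            return replace(pkt, dport=to_port)
    return pkt

def filter_input(pkt, accept_rules, policy="DROP"):
    """filter INPUT: first matching ACCEPT wins, else the chain policy.
    A rule field of None means 'any' (no -i / -p / --dport given)."""
    for iface, proto, dport in accept_rules:
        if iface is not None and iface != pkt.in_iface:
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return "ACCEPT"
    return policy

def verdict(pkt, redirect_rules, accept_rules):
    """Verdict for a packet that ends up destined to the firewall itself."""
    return filter_input(nat_prerouting(pkt, redirect_rules), accept_rules)

# Rules from the quoted script: LAN (eth2) port 80 is REDIRECTed to squid on
# 3128; INPUT (policy DROP) accepts tcp 80, 3389, 21 and 22 on any interface.
REDIRECT = [("eth2", 80, 3128)]
INPUT_ORIGINAL = [(None, "tcp", p) for p in (80, 3389, 21, 22)]
# The reply's fix: accept 3128 only on the LAN side, plus loopback for
# squid helpers (squidguard etc.) that talk to the box over lo.
INPUT_FIXED = INPUT_ORIGINAL + [("eth2", "tcp", 3128), ("lo", None, None)]

if __name__ == "__main__":
    lan_http = Packet("eth2", "tcp", 80)        # LAN client browsing the web
    wan_to_squid = Packet("eth1", "tcp", 3128)  # assumed Internet-side probe
    print("original ruleset:", verdict(lan_http, REDIRECT, INPUT_ORIGINAL))  # DROP
    print("with fix:        ", verdict(lan_http, REDIRECT, INPUT_FIXED))     # ACCEPT
    print("eth1 -> 3128:    ", verdict(wan_to_squid, REDIRECT, INPUT_FIXED)) # DROP
```

The last case shows why the reply binds the new rule to eth2: squid stays reachable from the LAN only, not from the outside interface.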