RE: Differentiating direct, and redirected access?

> Hello all,
>
> I'm running a squid at port 3128 as a transparent proxy.
>
> There are requests coming directly to 3128 port and
> those coming to 80 port and then redirected to 3128 by
> following rule:
>
> -t nat -A PREROUTING -i eth0 -p tcp -m tcp \
>    --dport 80 -j REDIRECT --to-ports 3128
>
> What I want is block direct requests to 3128, allowing
> redirected access (transparent proxy) only. How do I do it?
>
> If I just set up a rule in filter chain like:
>
> -t filter -A INPUT -i eth0 -p tcp -m tcp \
>    --dport 3128 -j DROP
>
> Those requests redirected from port 80 to 3128 are also
> blocked by this rule. It seems that the redirected packets
> come in to this chain once again with the new port number.
>
> How can I differentiate these two different kinds of
> request? Any clue will be greatly appreciated.
>
> Jinsuk Kim

mark the packets that will get redirected, and only accept them if they
have the mark:

  # mark packets with dst port 80 (mangle PREROUTING runs before nat
  # PREROUTING, so the mark is set before the port is rewritten)
  iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 \
    -j MARK --set-mark 1

  # redirect port 80 to 3128
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
    -j REDIRECT --to-ports 3128

  # accept packets to 3128 that have the mark
  iptables -A INPUT -i eth0 -p tcp --dport 3128 -m mark --mark 1 \
    -j ACCEPT

  # then drop everything else to 3128 (your original DROP rule;
  # it must come after the ACCEPT above)
  iptables -A INPUT -i eth0 -p tcp --dport 3128 -j DROP

-j
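As an added example that is not part of this thread: a small shell script that emits the complete ruleset discussed above (the three rules from the reply plus the DROP rule from the question) in iptables-restore format, and checks that the marked ACCEPT precedes the unconditional DROP, since the wrong order reproduces the symptom in the question. Interface, ports and mark value are parameters whose defaults are the values from the thread; the function names gen_rules and check_order are my own and nothing here needs root until the output is fed to iptables-restore.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the mark/redirect/
# accept/drop ruleset in iptables-restore format. Arguments (all optional):
#   $1 interface (default eth0), $2 client port (default 80),
#   $3 proxy port (default 3128), $4 mark value (default 1)
gen_rules() {
    ifname=${1:-eth0}
    from_port=${2:-80}
    proxy_port=${3:-3128}
    mark=${4:-1}
    cat <<EOF
*mangle
-A PREROUTING -i $ifname -p tcp --dport $from_port -j MARK --set-mark $mark
COMMIT
*nat
-A PREROUTING -i $ifname -p tcp --dport $from_port -j REDIRECT --to-ports $proxy_port
COMMIT
*filter
-A INPUT -i $ifname -p tcp --dport $proxy_port -m mark --mark $mark -j ACCEPT
-A INPUT -i $ifname -p tcp --dport $proxy_port -j DROP
COMMIT
EOF
}

# Sanity check on the generated text: the ACCEPT for marked packets must
# appear before the unconditional DROP in the filter table. If the DROP
# came first, the redirected (marked) packets would be dropped as well.
# Returns 0 when the order is right, 1 otherwise.
check_order() {
    rules=$(gen_rules "$@")
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '-m mark .* -j ACCEPT' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '--dport [0-9]* -j DROP' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Usage as root, keeping any rules already loaded in other chains:
#   gen_rules eth0 80 3128 1 | iptables-restore --noflush
```

The mark survives the REDIRECT because it is carried on the packet (skb) itself and mangle PREROUTING is evaluated before nat PREROUTING for every packet, not only the first of a connection. An alternative not mentioned in the thread, available where the conntrack match is present: since REDIRECT is a form of DNAT, `-m conntrack --ctstate DNAT` on the INPUT rule matches the redirected connections without needing a mark at all.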


