How to redirect to my squid proxy using iptables, since the DNAT target is only valid in the nat table


I want to redirect the traffic on my LAN through the squid proxy, but I'm having some problems with the iptables rules.

When I use the following rule:

# iptables -I FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128

I get the following error:

x_tables: ip_tables: DNAT target: only valid in nat table, not filter

I tried using the PREROUTING chain, but there is nothing like that in my iptables:

# iptables -I PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128
iptables: No chain/target/match by that name.

I am using iptables v1.4.10

# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
prerouting_rule  all  --  anywhere             anywhere            
zone_lan_prerouting  all  --  anywhere             anywhere            
zone_wan_prerouting  all  --  anywhere             anywhere

My whole iptables -nLv

root@OpenWrt:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  776 93902 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 3231  164K syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
 7098  429K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7096  429K input      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX udp spt:22509  
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX tcp spts:59000:65399 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX udp spts:49950:65399 
 8271 3071K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
  451 44484 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  451 44484 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   276 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7408  581K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  206 13814 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  206 13814 output     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  446 44208 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  515 43070 zone_lan   all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
 6560  385K zone_wan   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  206 13814 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  203 13301 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination         
 3249  166K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
 3257  198K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3231  164K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 25/sec burst 50 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  515 43070 input_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  515 43070 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   513 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
  515 43070 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
    5   272 reject     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  446 44208 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   272 forwarding_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   272 zone_lan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   64 21010 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
 6496  364K input_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 6496  364K zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  644 57237 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
 6496  364K reject     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0 

1 Answer

You need to specify that the rule should go into the nat table; in addition, the DNAT commands need to go into the PREROUTING chain, and you need to be careful not to create a loop.

iptables -t nat -I PREROUTING -i br-lan -s ! 192.168.1.196  -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128

The default table is the filter table.

Don't forget that you also need MASQUERADE/SNAT to rewrite the source address:

# POSTROUTING sees the packet after DNAT, so match the proxy address and port (3128), not port 80
iptables -t nat -I POSTROUTING -o br-lan -d 192.168.1.196 -p tcp --dport 3128 -j MASQUERADE

This HOWTO provides more options and explanations.
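As an added example (not code from the answer or from OpenWrt), a small POSIX shell script that generates the rule pair for the setup in the question and audits an existing nat-table dump for the loop the answer warns about. It assumes the values from the question (LAN bridge br-lan, clients in 192.168.1.0/24, Squid on a separate LAN host at 192.168.1.196:3128); the masquerade rule matches the post-DNAT destination, because POSTROUTING sees the packet after DNAT has rewritten it.

```shell
#!/bin/sh
# Added example (not from the answer or from OpenWrt): generate the nat-table
# rule pair that sends LAN port-80 traffic through a Squid host on the same
# LAN segment, plus a check for the redirect loop the answer warns about.
# Assumed values, taken from the question: LAN bridge br-lan, clients in
# 192.168.1.0/24, Squid at 192.168.1.196:3128.

squid_redirect_rules() {
    lan_if=$1; lan_net=$2; proxy_ip=$3; proxy_port=$4
    # DNAT is only valid in the nat table, and for forwarded traffic it must
    # sit in PREROUTING. "! -s $proxy_ip" keeps Squid's own outbound port-80
    # connections from being sent back to Squid (the loop); "! -d $lan_net"
    # leaves web servers on the LAN itself reachable without the proxy.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $lan_if ! -s $proxy_ip ! -d $lan_net -p tcp --dport 80 -j DNAT --to-destination $proxy_ip:$proxy_port"
    # POSTROUTING sees the packet after DNAT, so match the proxy's address and
    # port. Without this the proxy replies straight to the client, which
    # discards packets from a source it never connected to. Side effect: Squid
    # logs the router's address rather than the client's.
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $lan_if -d $proxy_ip -p tcp --dport $proxy_port -j MASQUERADE"
}

# Audit an existing dump ("iptables -t nat -S PREROUTING"): returns 1 if any
# port-80 DNAT rule lacks the proxy-source exclusion, 0 otherwise.
check_no_loop() {
    dump=$1; proxy_ip=$2
    if printf '%s\n' "$dump" | grep -- '--dport 80 -j DNAT' | grep -qv -- "! -s $proxy_ip"; then
        return 1
    fi
    return 0
}

# Prints the rules; with --apply it runs them (needs root and iptables).
if [ "$1" = "--apply" ]; then
    squid_redirect_rules br-lan 192.168.1.0/24 192.168.1.196 3128 | sh -e
else
    squid_redirect_rules br-lan 192.168.1.0/24 192.168.1.196 3128
fi
```

If Squid runs on the router itself, no loop exclusion or masquerade is needed; a nat PREROUTING rule with -j REDIRECT --to-ports 3128 is enough, since locally generated traffic never traverses PREROUTING.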
