I have recently installed openSuSE 12.3 with two NICs to be used as External and Internal zones. I wished to use the Box as a proxy (squid). I have written acls in the squid.conf.
The problem is how to add the following 2 lines
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
where to add them and how to make it work.
Please help I have tried a lot but unable. Iptables-save works but iptables-restore get hangs.
I tried to change in the /sbin/SuSEfirewall2, no luck
I didnt get how that can be added through yast-firewall.
The openSUSE script is quite well documented - you should have a look at it:
/etc/sysconfig/
Please try and use CODE tags around commands.
Second, I would not mix self build firewall rules with the ones set through the openSUSE script’s one (SuSEFirewall2) - you risk getting your rules deleted when services will restart. Instead use the “custom rules” location.
So, what you try to achieve is possible by adding your own changes in the “custom rules” file (I do not remember it’s location now but I am sure it’s written in the script - see the second link below - there is a picture with “custom rules” in YaST) or… you can use the script’s built-in ‘redirect’ feature:
FW_REDIRECT="192.168.0.0/16,0/0,tcp,80,3128"
meaning: the network 192.168.0.0/16 sending requests through this machine to the “world” (0/0), on tcp port 80, will be redirected to this machine on port 3128
helped me to redirect to the squid. However, im wondering with a strange problem, that is, the squid blocks all the sites even the
#http_access deny all
is commented , and
http_access allow all
is without comment.
Tried many times, restarting squid after every changes i made, but no luck. Why this happens??
My squid.conf is like this:
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow all
# acl block src "/etc/squid/acls/blocked_sites.acls"
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
# Allow localhost always proxy functionality
http_access allow localhost
# And finally deny all other access to this proxy
# http_access deny block
# http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir aufs /var/cache/squid 100 16 256
First, I didn’t check your previous post so I do not know why adding transparent did help - double check that your proxy is NOT open wide since you will be prone to abuse (this unless you want to configure a proxy for internet users of course).
Second, please read again the docs you read already and the link I gave you and be sure you understand what your are doing.
Third, your rule does not work because you defined your ACL as source (“src”) and you actually want to block the destination (“dst”). - I think it’s actually dstdomain :):
As about the position: please read again the link doc I gave you - there is a paragraph there telling you where to put your rules “for the sake of readability” IIRC.
I wouldn’t go that way too much because it’s a **** hard work, instead I would suggest you have a look at squidGuard or other redirector and find some good block lists: Blacklists UT1 or use some paid ones.
