我无法find正确的iptables线路。
我有一个有一个或多个WLAN客户端(wlan0 / 10.13.37.x)的路由器。 eth0连接到互联网(通过其他路由器)。 Squid可以通过VPN访问(tun0 / 172.27.0.1)。
所有通过路由器的http请求都应该redirect到172.27.0.1:8080。
Squid被设置为透明代理。
谢谢
# Generated by iptables-save v1.4.13 on Tue Apr 24 00:45:14 2012 *nat :PREROUTING ACCEPT [1:328] :POSTROUTING ACCEPT [3:164] :OUTPUT ACCEPT [3:164] -A POSTROUTING -o eth0 -j MASQUERADE COMMIT # Completed on Tue Apr 24 00:45:14 2012 # Generated by iptables-save v1.4.13 on Tue Apr 24 00:45:14 2012 *filter :INPUT ACCEPT [50:6468] :FORWARD DROP [0:0] :OUTPUT ACCEPT [149:28841] -A INPUT -i lo -j ACCEPT -A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT -A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 222 -j ACCEPT -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT -A INPUT -p udp -m udp --dport 123 -j ACCEPT -A INPUT -i tun0 -p tcp -m tcp --dport 4949 -j ACCEPT -A INPUT -p tcp -m tcp --dport 0:1023 -j DROP -A INPUT -p udp -m udp --dport 0:1023 -j DROP -A INPUT -p tcp -m tcp --dport 4949 -j DROP -A FORWARD -d 10.13.37.0/24 -i wlan0 -j DROP -A FORWARD -s 10.13.37.0/24 -i wlan0 -j ACCEPT -A FORWARD -d 10.13.37.0/24 -i eth0 -j ACCEPT COMMIT # Completed on Tue Apr 24 00:45:14 2012 纯iptables解决scheme:
# redirect to squid iptables -t nat -A PREROUTING --src 10.13.37.0/24 -p tcp -m tcp --dport http \ -j DNAT --to-destination 172.27.0.1:8080 # route clients to squid sysctl -w net.ipv4.ip_forward=1 iptables -t filter -I FORWARD --src 10.13.37.0/24 --dst 172.27.0.1 \ -p tcp -m tcp --dport 8080 \ -j ACCEPT iptables -t filter -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED \ -j ACCEPT # masquerade (snat) clients in case the VPN doesn't know about the LAN iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
另一种基于iptables和socat的解决scheme,如果你不想用太多的iptables:
iptables -t nat -A PREROUTING --src 10.13.37.0/24 -p tcp -m tcp --dport http \ -j REDIRECT --to-ports 8080 socat TCP4-LISTEN:8080,bind=127.0.0.1,fork TCP4:172.27.0.1:8080