[CentOS] Iptables Question

Joseph L. Casale JCasale at activenetwerx.com
Wed Dec 10 20:22:36 UTC 2008


I have a squid proxy running transparently, so in my firewall script
I run the following fairly early:

iptables -A PREROUTING -t nat -i $LAN -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 3128

This is a multihomed server so after this change the masquerading was
removed (as only web access on the lan side of this server was needed).

I now need to masq cleanly one device so that it can bypass the squid
proxy. As order is important, would it be correct to put the following
_in front_ of the PREROUTING command above:

iptables -A POSTROUTING -t nat -o $WAN -j MASQUERADE
iptables -A FORWARD -i $LAN -o $WAN -m mac --mac-source <mac addr> -m state --state NEW,ESTABLISHED,RELATED -p tcp -m multiport --dports 443 -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT

Where is the best place to filter for the mac in this scenario? I am hoping
anything w/o this mac will skip the whole masq setup and enter the PREROUTING
command below, resulting in the traffic being proxied through squid.

Thanks!
jlc


More information about the CentOS mailing list