From: Tom E. <te...@sh...> - 2006-03-22 21:11:10

On Wednesday 22 March 2006 13:03, Tom Eastep wrote:
> On Tuesday 21 March 2006 22:44, Jerry Vonau wrote:
> > >>I'm trying with this rule:
> > >>
> > >>REDIRECT loc 8080 tcp www - !200.201.174.204,200.201.173.68,200.201.174.0/24,200.201.166.0/24
> >
> > <snip>
> >
> > >That won't work for what you want, you're trying to grab traffic that is
> > > outbound from the firewall, that needs to be done in an output chain.
> > > This requires you to use a DNAT rule, give this a try:
> > >
> > >DNAT fw fw:192.168.0.254:8080 tcp 80 - 0.0.0.0/0
> >
> > Just had a thought, you'd need to know which traffic is from squid, so
> > that you don't get into a loop.... Above this rule you would need to have
> > a rule that uses the -m owner / gid-owner routines in netfilter, this is
> > done in shorewall with the USER/GROUP column in the rules file. See the
> > rules file for more info.
>
> Or he could put "!squid" in the USER/GROUP column of his DNAT rule.
> Assuming of course that Squid runs under the 'squid' user id.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ te...@sh...
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
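As an added illustration (not part of this thread or of Shorewall's own files), the two rules discussed above written out as a Shorewall 3.x rules-file fragment. It assumes Squid listens on 192.168.0.254:8080 as in the thread, runs as the 'squid' user, and that the file uses the column order ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S), ORIGINAL DEST, RATE LIMIT, USER/GROUP.

```text
#ACTION   SOURCE  DEST                   PROTO  DEST     SOURCE   ORIGINAL                                                               RATE   USER/
#                                               PORT(S)  PORT(S)  DEST                                                                   LIMIT  GROUP
#
# LAN clients: transparently redirect port 80 to Squid on the firewall,
# except for destinations listed in ORIGINAL DEST (the "!" list from the thread).
REDIRECT  loc     8080                   tcp    www      -        !200.201.174.204,200.201.173.68,200.201.174.0/24,200.201.166.0/24
#
# Firewall-originated web traffic: REDIRECT cannot catch it (it never enters
# PREROUTING), so DNAT it from the OUTPUT chain instead. "!squid" in USER/GROUP
# uses netfilter's owner match to skip connections made by Squid itself;
# without it Squid's own outbound fetches would be sent back to Squid (a loop).
DNAT      fw      fw:192.168.0.254:8080  tcp    80       -        0.0.0.0/0                                                              -      !squid
```

If the same destination exceptions should also apply to the firewall's own traffic, the "!..." list can replace 0.0.0.0/0 in the DNAT rule's ORIGINAL DEST column.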