
following setup:

Client(Outlook) <-----> |eth1 PROXY eth0 | <------> Interwebs

How do I manage to do this? Setting the standard policy of all filter tables to ACCEPT doesn't change a thing, so is PREROUTING the way to go?

Greets, Kai

Kai
  • Are you using an actual proxy, or is the device labeled "PROXY" just a computer you're trying to use as a router with iptables? – NathanG Apr 23 '12 at 20:00

1 Answer


You can use either a SOCKS proxy server or iptables and NAT for this.

I assume that your client host is within a local network and uses private IP addresses such as 10.0.0.0/8, 172.28.0.0/12 or 192.168.0.0/16.

Pre conditions:

  1. you can reach your client host from your Linux box
  2. you can reach the Internet from your Linux box

First step is to enable IP forwarding:

# set kernel flag to allow IP forwarding from one to another network device
echo 1 > /proc/sys/net/ipv4/ip_forward

Next step is to use iptables to activate NAT:

# enable NAT for Internet device (here eth0)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# accept incoming Internet traffic, which is related to established outgoing connection
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# enable forwarding from internal device eth1 to external device eth0
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

That's a really simple setup, and I recommend taking a closer look at iptables to provide security for your LAN as well as access from your LAN to the Internet.

To limit access to certain protocols only (here SMTP, POP3, IMAP) you can use the following setup:

# enable NAT for Internet device (here eth0)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# accept incoming Internet traffic, which is related to established outgoing connection
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# enable forwarding from internal device eth1 to external device eth0
# (--dport is an option of the tcp match, so -p tcp must precede it)
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 143 -j ACCEPT
Jens Bradler
  • Thanks for the answer. I assume if I want to forward just the ports necessary for email I take your rules and specify the ports? Also I assume that the preconditions change accordingly. Is this correct? – Kai Apr 24 '12 at 14:59
  • Yes it is. E.g. iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j ACCEPT – Jens Bradler Apr 24 '12 at 18:18
  • Ok. Following question: When Outlook sends an internal packet to eth1, the source being a client with 192.168.1.x, how does the packet proceed? eth1 doesn't have a gateway, and eth0 has IPs of the kind 192.168.0.x, which is another subnet. Don't I have to route the packet to eth0 (external, interwebs) first? – Kai Apr 24 '12 at 18:50
  • If eth0 is connected to a LAN 192.168.1.x and eth1 is connected to LAN 192.168.0.x I recommend to use routing instead of NAT. Do you reach the Internet from your proxy host/linux box? – Jens Bradler Apr 25 '12 at 07:38
  • If I would open the iptables, I would, yes. Squid is also currently working fine for port 80... I also considered routing (although I never tried it). Is it possible to route single ports? – Kai Apr 25 '12 at 12:03
  • You can route an entire network and can limit access with a firewall (e.g. iptables). Routing is IP based, whereby ports are on TCP or UDP level. – Jens Bradler Apr 25 '12 at 14:47
  • I see! This is very helpful. I assume there are lots of howtos on this. Thank you very much, my understanding has improved! – Kai Apr 25 '12 at 17:11
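The following script is an added example and is not code from the answer or the comments above. It puts the answer's three steps (ip_forward, MASQUERADE, FORWARD rules) and the comment thread's NAT-versus-routing question into one runnable shell script. It goes a little beyond the answer: the FORWARD chain gets a default DROP policy so that only the listed ports pass, the LAN source prefix is pinned on both the forwarding and the MASQUERADE rule, `-p tcp` is present because `--dport` is an option of the tcp match, and `-m conntrack --ctstate` is used in place of the older but equivalent `-m state --state`. Interface names eth1/eth0, the LAN prefix 192.168.1.0/24 and the port list (the answer's 25/110/143 plus submission and the TLS variants) are assumptions set through environment variables; `MODE=route` shows the comment thread's alternative of plain routing without NAT. `DRY_RUN=1` prints the commands instead of applying them, which needs no root and no iptables binary.

```shell
#!/bin/sh
# Added example, not the original answer's code.
#   LAN_IF (clients such as the Outlook host) <-> this box <-> WAN_IF (upstream)
# Assumptions, overridable via environment: eth1/eth0, LAN 192.168.1.0/24, ports below.
# MODE=nat   : masquerade LAN sources behind WAN_IF (the answer's setup)
# MODE=route : plain routing, no NAT; the upstream router must have a route back to LAN_NET
# DRY_RUN=1  : print the commands instead of executing them
# APPLY=1    : actually install the ruleset when the script is run directly

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
MODE="${MODE:-nat}"
# TCP ports to forward: SMTP, POP3, IMAP as in the answer, plus submission and TLS variants
MAIL_PORTS="${MAIL_PORTS:-25 587 110 995 143 993}"

# run: print (DRY_RUN=1) or execute one command
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_rules: emit the complete ruleset for the configured mode
forward_rules() {
    # 1. the kernel must forward between interfaces at all
    run sysctl -w net.ipv4.ip_forward=1

    # 2. start from a clean, default-deny FORWARD chain; other chains are left alone
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    run iptables -P FORWARD DROP

    # 3. replies to connections the LAN opened may come back in
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 4. only the LAN prefix, only TCP, only the listed ports may open new connections.
    #    --dport belongs to the tcp match, so -p tcp is mandatory.
    for port in $MAIL_PORTS; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # 5. hide LAN addresses behind WAN_IF only when NATting; in route mode packets keep
    #    their 192.168.1.x source, so the next hop on WAN_IF needs a route back to LAN_NET
    if [ "$MODE" = "nat" ]; then
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# rule_count: number of FORWARD ACCEPT rules the ruleset would install (dry run)
rule_count() {
    ( DRY_RUN=1; forward_rules ) | grep -c -- '-A FORWARD .* -j ACCEPT'
}

if [ "${APPLY:-0}" = "1" ]; then
    forward_rules
fi
```

Usage: `DRY_RUN=1 sh router.sh` with `APPLY=1` set prints the rules; `APPLY=1 sh router.sh` as root installs them. In route mode (`MODE=route`) the script only forwards and filters, which is what the comment thread recommends when both sides are private subnets and the upstream router can be told about 192.168.1.0/24; ports are still limited by the FORWARD chain, because routing itself is IP-level and knows nothing about TCP ports.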