[sf-lug] iptables and multiple NAT network?

Jason Turner jturner at nonzerosums.org
Wed Aug 29 16:29:19 PDT 2007

Sketch of network in question,

Hello folks.  It would probably be helpful to see the pic  above.  We  
have a network server with two interfaces,

eth1(192.168.1) connects to a DSL modem/router
eth0(192.168.0) serves up dhcp and who knows what(in the future) to a  
lab of edubuntu machines.

In an attempt to sanitize web results, we've tried to add DansGuardian 
(http://dansguardian.org/) and web proxying to the mix.  The attempt  
made use of iptables on the server to redirect all web(or port 80)  
outgoing traffic.  Yes, 443 and others represent possible gaps in  
this "strategy"...

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
--to-port 8080

Perhaps already obvious to some, long story short this does not  
work.  My memory may not be entirely correct here(so I hope others  
chime in with any corrections/clarifications) but it seemed that  
filtering WAS working.  Trying to surf to DG-recognized "naughty"  
places gave the correct block message.  However, surfing to any place  
else was also blocked too... with an HTTP error? (my memory fails  
here)  And I'm talking about surfing from the lab machines.  Surfing  
directly from the server seemed to work correctly.

*So, I'm seeking guidance about how to correctly set something like  
this up in a network like the one outlined above.*  Additional bits  
about better ways to achieve the aim of filtering are appreciated  
too.  While children were the audience in mind, perhaps we should use  
a more flexible configuration?  BTW, the server is setup with default  
gateway router).

Ladies, Gents.  Please school me in this confusing art.  Any help  

More information about the sf-lug mailing list