Technical data

3. Base configuration
Port Forwarding
Port forwarding is done with PREROUTING rules of the following form. TARGET is the original
destination, made up of an optional address and the original port (or port range); NEW_TARGET is
the new destination, made up of the new address and an optional new port; PROTOCOL is the
protocol in use:
TARGET            NEW_TARGET      PROTOCOL   PF_PREROUTING_x
<port>            <ip>            <proto>    'prot:<proto> dynamic:<port> DNAT:<ip>'
<port1>-<port2>   <ip>            <proto>    'prot:<proto> dynamic:<port1>-<port2> DNAT:<ip>'
<ip>:<port-a>     <ip>:<port-b>   <proto>    'prot:<proto> any <ip>:<port-a> DNAT:<ip>:<port-b>'
Here dynamic stands for the router's own dynamically assigned external address; in the last line
the destination address is written out, so the source (any) is given explicitly as well.
Transparent Proxy
If access to the Internet should only be allowed through a local proxy, you can enforce this with
the help of the PREROUTING and POSTROUTING chains without the clients noticing. In principle
three steps are needed:
1. Redirect all requests to the HTTP port to the proxy, except those coming from the proxy
itself (PREROUTING).
2. Rewrite the redirected packets so that the proxy believes they come from the router and
therefore returns its answers there (POSTROUTING).
3. Allow the packets to pass the FORWARD chain, unless an entry like
PF_FORWARD_x='IP_NET_1 ACCEPT'
already exists (FORWARD).
Example 1: Let us assume we have only one network, IP_NET_1, a squid proxy runs on a host in it
named proxy, and all HTTP traffic should be handled by it. Squid listens on port 3128. For
brevity we refer to the host entered as HOST_1_NAME='proxy' by @proxy (see Domain Configuration
(Page 68)).
Here are the resulting rules:
...
PF_PREROUTING_x='@proxy ACCEPT'
# packets from the proxy itself must not be redirected (this rule has to come first)
PF_PREROUTING_x='prot:tcp IP_NET_1 80 DNAT:@proxy:3128'
# HTTP packets from IP_NET_1 are redirected to @proxy, port 3128,
# independent of their original target
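As an added example that is neither part of this documentation nor fli4l's own code, the following shell script writes out the plain iptables commands behind the port-forwarding table above and behind the three transparent-proxy steps. Everything beyond the page is an assumption of this example: the router's dynamic address is taken to sit on ppp0, IP_NET_1 on eth0, the addresses in the usage comment are made up, and by default the commands are only printed instead of executed.

```shell
#!/bin/sh
# Added example, not fli4l's own code: the plain iptables commands behind the
# PF_PREROUTING_x / PF_POSTROUTING_x / PF_FORWARD_x entries discussed above.
# Assumptions made here (not taken from the documentation): the interface that
# carries the router's dynamic external address is ppp0, IP_NET_1 hangs off
# eth0, and by default the commands are only printed (dry run). Run with
# IPTABLES=iptables as root to apply them for real.

IPTABLES="${IPTABLES:-echo iptables}"
EXT_IF="${EXT_IF:-ppp0}"   # interface with the "dynamic" address
LAN_IF="${LAN_IF:-eth0}"   # interface of IP_NET_1

# port_forward PROTO TARGET NEW_TARGET
# TARGET is '<port>' or '<port1>-<port2>' (both meaning the router's dynamic
# address) or '<ip>:<port>'; NEW_TARGET is '<ip>' (port kept) or '<ip>:<port>'.
port_forward() {
    proto="$1"; target="$2"; new="$3"

    case "$target" in
        *:*) orig_ip="${target%%:*}"; orig_port="${target#*:}" ;;
        *)   orig_ip="";              orig_port=$(printf '%s' "$target" | tr '-' ':') ;;  # p1-p2 -> p1:p2
    esac
    case "$new" in
        *:*) new_ip="${new%%:*}"; new_port="${new#*:}" ;;
        *)   new_ip="$new";       new_port="$orig_port" ;;
    esac
    # 'dynamic:<port>' becomes a match on the external interface; an explicit
    # address becomes a plain -d match.
    if [ -n "$orig_ip" ]; then dst="-d $orig_ip"; else dst="-i $EXT_IF"; fi

    $IPTABLES -t nat -A PREROUTING $dst -p "$proto" --dport "$orig_port" \
        -j DNAT --to-destination "$new"
    # DNAT only rewrites the destination; the filter table must still let the
    # rewritten packet through FORWARD.
    $IPTABLES -A FORWARD -p "$proto" -d "$new_ip" --dport "$new_port" -j ACCEPT
}

# transparent_proxy LAN_NET PROXY_IP [PROXY_PORT]
# The three steps from the text: redirect (except the proxy's own requests),
# make the proxy see the router as the source, and let the packets through FORWARD.
transparent_proxy() {
    lan_net="$1"; proxy="$2"; pport="${3:-3128}"

    # 1. PREROUTING: ACCEPT in the nat table means "do not NAT this packet", so
    #    the proxy's own outgoing requests are exempted; this rule must come first.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -s "$proxy" -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -s "$lan_net" -p tcp --dport 80 \
        -j DNAT --to-destination "$proxy:$pport"
    # 2. POSTROUTING: the redirected packets leave on the LAN interface again;
    #    masquerading them makes the proxy answer to the router, which holds the
    #    conntrack entry needed to undo the DNAT on the way back.
    $IPTABLES -t nat -A POSTROUTING -o "$LAN_IF" -s "$lan_net" -d "$proxy" \
        -p tcp --dport "$pport" -j MASQUERADE
    # 3. FORWARD: allow the hairpinned LAN -> proxy traffic.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$lan_net" -d "$proxy" \
        -p tcp --dport "$pport" -j ACCEPT
}

# Example invocation (addresses are made up for this example):
#   port_forward tcp 80 192.168.6.20
#   port_forward tcp 192.168.6.1:8080 192.168.6.20:80
#   transparent_proxy 192.168.6.0/24 192.168.6.5 3128
```

Step 2 is the one most often left out, and it matters because the proxy sits in the same network as the clients: without the MASQUERADE rule the proxy would answer the client directly, the reply would never pass the router where the DNAT mapping lives, and the client would reset a connection it never opened to the proxy's port 3128. The exemption in step 1 must precede the DNAT rule, otherwise the proxy's own outgoing requests would be redirected back to itself.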