Technical data
3. Base configuration
PF_POSTROUTING_x='any @proxy:3128 SNAT:IP_NET_1_IPADDR'
# rewrite all packets to port 3128 so that they look as if they came from
# fli4l (IP_NET_1_IPADDR)
PF_FORWARD_x='prot:tcp @proxy 80 ACCEPT'
# let HTTP-packets from the proxy pass the FORWARD-chain (if necessary)
...
If more nets exist, or if there are conflicting port forwardings (which are also DNAT rules), the rules may
have to be more specific.
Example 2: Our proxy, named proxy, resides in IP_NET_1, listens on port 3128 and
should only serve clients from IP_NET_1. IP_NET_1 is reachable over IP_NET_1_DEV. Packets from
other nets should not be considered.
...
PF_PREROUTING_x='if:IP_NET_1_DEV:any !@proxy 80 DNAT:@proxy:3128'
# Redirect requests to the HTTP port that do not originate from the proxy but
# come in on an internal interface (IP_NET_1_DEV) to the proxy's port.
# At this point it is important to restrict the rule with if:IP_NET_1_DEV:any so
# that only packets coming from inside match; otherwise packets from outside
# would also be redirected (a security hole)
PF_POSTROUTING_x='prot:tcp IP_NET_1 @proxy:3128 SNAT:IP_NET_1_IPADDR'
# Rewrite HTTP packets originating from IP_NET_1 and destined for proxy port 3128
# so that they look as if they came from fli4l (IP_NET_1_IPADDR)
PF_FORWARD_x='prot:tcp @proxy 80 ACCEPT'
# let HTTP-packets from the proxy pass the FORWARD-chain (if necessary)
...
Example 3: To ease our lives and shorten the rules we may use templates (see Using Templates
With The Packet Filter (Page 48)). Here tmpl:http, which expands to prot:tcp any
any:80, is of use. tmpl:http IP_NET_1 DNAT:@proxy:3128 then expands to prot:tcp
IP_NET_1 80 DNAT:@proxy:3128.
Both IP_NET_1 and IP_NET_2 should be redirected transparently through the proxy. In simplified
form you could write:
...
PF_PREROUTING_x='tmpl:http @proxy ACCEPT'
# HTTP-packets from the proxy should not be redirected
PF_PREROUTING_x='tmpl:http IP_NET_1 DNAT:@proxy:3128'
# HTTP-packets from IP_NET_1 should be redirected
PF_PREROUTING_x='tmpl:http IP_NET_2 DNAT:@proxy:3128'
# HTTP-packets from IP_NET_2 should be redirected
PF_POSTROUTING_x='IP_NET_1 @proxy:3128 SNAT:IP_NET_1_IPADDR'
PF_POSTROUTING_x='IP_NET_2 @proxy:3128 SNAT:IP_NET_2_IPADDR'
PF_FORWARD_x='tmpl:http @proxy ACCEPT'
...
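The point made in Example 2 (a DNAT redirect without an if:IP_NET_1_DEV:any or an internal source net also catches packets from outside) can be checked mechanically. The following is an added example, not fli4l's own code: a small audit script that parses PF_PREROUTING rules in the syntax used on this page (assumed form: [if:IN:OUT] [prot:P] [tmpl:T] SRC [DST] ACTION) and flags DNAT rules with no input-interface restriction and an unrestricted source. The helper names parse_rule, is_unrestricted_redirect and audit are hypothetical, and the rule list is constructed from the examples above plus one deliberately weak rule.

```python
# Constructed sample: PF_PREROUTING rules from Examples 2 and 3 on this page,
# plus one constructed weak rule that redirects traffic from any source.
RULES = [
    "if:IP_NET_1_DEV:any !@proxy 80 DNAT:@proxy:3128",   # Example 2: interface-restricted
    "tmpl:http @proxy ACCEPT",                           # Example 3: proxy traffic passes
    "tmpl:http IP_NET_1 DNAT:@proxy:3128",               # Example 3: source-restricted
    "tmpl:http IP_NET_2 DNAT:@proxy:3128",               # Example 3: source-restricted
    "tmpl:http any DNAT:@proxy:3128",                    # constructed: no restriction at all
]

OPTION_KEYS = ("if", "prot", "tmpl")


def parse_rule(rule):
    """Split one fli4l rule into option prefixes, positional fields and action.

    Assumed syntax (from this page's examples):
    [if:IN:OUT] [prot:P] [tmpl:T] SRC [DST[:PORT]] ACTION
    """
    tokens = rule.split()
    opts = {}
    while tokens and tokens[0].partition(":")[0] in OPTION_KEYS:
        key, _, value = tokens.pop(0).partition(":")
        opts[key] = value                  # e.g. opts["if"] == "IP_NET_1_DEV:any"
    action = tokens.pop()                  # last token, e.g. "DNAT:@proxy:3128"
    return {"opts": opts, "fields": tokens, "action": action}


def is_unrestricted_redirect(rule):
    """True when a DNAT rule would also redirect packets arriving from outside.

    A rule is considered restricted if it names an input interface other than
    'any' (as Example 2 does) or if its source is a concrete net or host.
    A source of 'any' or a pure negation such as '!@proxy' matches the
    outside world as well, so without an if: restriction it is flagged.
    """
    parsed = parse_rule(rule)
    if not parsed["action"].startswith("DNAT:"):
        return False
    in_dev = parsed["opts"].get("if", "any").partition(":")[0]
    if in_dev != "any":
        return False
    source = parsed["fields"][0] if parsed["fields"] else "any"
    return source == "any" or source.startswith("!")


def audit(rules):
    """Return the rules from the list that redirect without a restriction."""
    return [rule for rule in rules if is_unrestricted_redirect(rule)]


if __name__ == "__main__":
    for weak in audit(RULES):
        print("unrestricted redirect:", weak)
```

Run against the constructed list, only the last rule is reported; removing if:IP_NET_1_DEV:any from the Example 2 rule would make that rule appear too.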