Hallo zusammen, ich möchte mein Firewall Skript um einen Transparenten Proxy erweitern. D.h. jeder Client der ne anfrage an den router auf port 80 (an eth0) stellt wird umgeleitet auf port 3128 also den squid proxy wie mache ich das ?? anbei mein Skript Mfg Tobi #! /bin/sh # # Author: Tobias Korb # # init.d/maske # # and symbolic its link # # /sbin/rcmaske # # System startup script for Masquerading # ### BEGIN INIT INFO # Provides: maske # Required-Start: serial # Required-Stop: # Default-Start: 2 3 4 5 # Default-Stop: # Description: Start simple Firewall- Skript ### END INIT INFO # Source SuSE config . /etc/rc.config # die folgende Datei muss extra angelegt werden mit dem Inhalt: # START_MASKE="yes" . /etc/rc.config.local # Determine the base and follow a runlevel link name. base=${0##*/} link=${base#*[SK][0-9][0-9]} # Force execution if not called by a runlevel directory. test $link = $base && START_MASKE=yes test "$START_MASKE" = yes || exit 0 IPTABLES=/usr/sbin/iptables MODPROBE=/sbin/modprobe test -x $IPTABLES || exit 5 test -x $MODPROBE || exit 5 . /etc/rc.status rc_reset # Anpassung an das Interface (hier DSL oder Modem) fw_dev="ppp0" case "$1" in start) echo -n "Starting Maske Firewall Skript" $MODPROBE iptable_nat $MODPROBE ip_nat_ftp $MODPROBE ip_conntrack $MODPROBE ip_conntrack_ftp $IPTABLES -F $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $IPTABLES -A INPUT -i $fw_dev -p icmp --icmp-type echo-request -m limit --limit 1/sec -j ACCEPT $IPTABLES -A INPUT -i $fw_dev -p tcp --dport 22 -m limit --limit 1/sec -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i $fw_dev -p tcp --dport 21 -m limit --limit 1/sec -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i $fw_dev -p tcp --dport 25 -j ACCEPT $IPTABLES -A INPUT -i $fw_dev -p tcp --dport 80 -j ACCEPT $IPTABLES -A INPUT -i $fw_dev -p icmp --icmp-type destination-unreachable -j ACCEPT # $IPTABLES -A OUTPUT -o $fw_dev -p tcp --dport 80 -j REDIRECT --to-port 3128 $IPTABLES -A OUTPUT -o $fw_dev -p tcp --dport 137:139 -j DROP $IPTABLES -A OUTPUT -o $fw_dev -p udp --dport 137:139 -j DROP $IPTABLES -A FORWARD -o $fw_dev -p tcp --dport 137:139 -j DROP $IPTABLES -A FORWARD -o $fw_dev -p udp --dport 137:139 -j DROP $IPTABLES -N block $IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A block -m state --state NEW -i ! $fw_dev -j ACCEPT $IPTABLES -A block -j DROP $IPTABLES -A INPUT -j block $IPTABLES -A FORWARD -j block # $IPTABLES -t nat -A POSTROUTING -o $fw_dev -j MASQUERADE # $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp \ --dport 80 -j REDIRECT --to-port 3128 # Remember status and be verbose rc_status -v ;; stop) echo -n "Shutting down Maske Skript" $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -X # Remember status and be verbose rc_status -v ;; try-restart) ## Stop the service and if this succeeds (i.e. the ## service was running before), start it again. ## Note: try-restart is not (yet) part of LSB (as of 0.7.5) $0 status >/dev/null && $0 restart # Remember status and be quiet rc_status ;; restart) ## Stop the service and regardless of whether it was ## running or not, start it again. $0 stop $0 start # Remember status and be quiet rc_status ;; force-reload) ## Signal the daemon to reload its config. Most daemons ## do this on signal 1 (SIGHUP). ## If it does not support it, restart. echo -n "Reload service MASKE" ## if it supports it: # killproc -HUP $FOO_BIN # touch /var/run/FOO.pid # rc_status -v ## Otherwise: $0 stop && $0 start rc_status ;; reload) ## Like force-reload, but if daemon does not support ## signalling, do nothing (!) # If it supports signalling: # echo -n "Reload service FOO" # killproc -HUP $FOO_BIN #touch /var/run/FOO.pid # rc_status -v ## Otherwise if it does not support reload: rc_failed 3 rc_status -v ;; status) echo "Maske Rules: " $IPTABLES -v -L $IPTABLES -v -t nat -L echo -n "Status of MASKE Skript" rc_status -v ;; probe) ## Optional: Probe for the necessity of a reload, ## give out the argument which is required for a reload. # test /etc/FOO/FOO.conf -nt /var/run/FOO.pid && echo reload ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" exit 1 ;; esac rc_exit