Updated Oct 11th, 2002

CISCO Router WAN (HDLC), NAT and Transparent Proxy Example

Private Network: 192.168.0.0/24
External Network (DMZ): 202.0.0.0/28
CISCO Router (2600): Ethernet0/0: 192.168.0.4
                     Ethernet0/1: 202.0.0.14
                     Serial0/0: HDLC (WAN)
The Internet Server1: 202.0.0.1 (DNS, SMTP, POP3, PROXY)
The Internet Server2: 202.0.0.2 (DNS, WWW, SYSLOG, NTP)
gw#show running-config
Building configuration...

Current configuration : 3424 bytes
!
version 12.1
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log uptime
service password-encryption
!
hostname gw-
!
boot system flash
logging buffered 8192 debugging
aaa new-model
aaa authentication login default local enable
enable secret 5 12345678901234567890
!
username user1 password 7 12345678901234567890
username user2 password 7 12345678901234567890
username user3 password 7 12345678901234567890
!
!
!
!
clock timezone BST 6
ip subnet-zero
no ip source-route
ip domain-list test.com
ip domain-name test.com
ip name-server 202.0.0.1
ip name-server 202.0.0.2
!
!
!
!
interface Ethernet0/0
 description Private LAN
 ip address 192.168.0.4 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 no ip mroute-cache
 ip policy route-map proxy-redirect
 no cdp enable
!
interface Serial0/0
 description 64K HDLC link to ISP
 bandwidth 64
 ip unnumbered Ethernet0/1
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 no ip mroute-cache
 down-when-looped
 no cdp enable
!
interface Ethernet0/1
 description External (DMZ) LAN
 ip address 202.0.0.14 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 no ip mroute-cache
 no cdp enable
!
ip nat inside source list 1 interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
logging facility local1
logging source-interface Ethernet0/1
logging 202.0.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit icmp any 202.0.0.0 0.0.0.15
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 established
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit udp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit udp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit udp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq smtp
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq pop3
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq www
access-list 100 deny   tcp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny   udp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny   tcp any 202.0.0.0 0.0.0.15 eq 6000 log
access-list 100 deny   ip any any log
access-list 101 permit ip 202.0.0.0 0.0.0.15 any
access-list 101 deny   ip any any log
access-list 102 permit ip 202.0.0.0 0.0.0.15 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny   ip any any log
access-list 110 deny   tcp any any neq www
access-list 110 deny   tcp host 202.0.0.1 any
access-list 110 permit tcp any any
no cdp run
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 202.0.0.1
!
snmp-server community public RO
banner login ^C
Welcome
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 102 in
 exec-timeout 0 0
 password 7 11111C0A19
 transport input telnet
 transport output none
!
ntp server 202.144.158.193
end
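Added illustration, not part of the original page: a small Python model of how IOS evaluates the extended ACLs above (first match wins, wildcard masks, the established keyword, implicit deny) and of the route-map proxy-redirect decision that ACL 110 drives, including the second entry that keeps the proxy's own traffic from being redirected back to itself. ACL 110 is copied verbatim; ACL 100 is abridged; the sample packets in the test are constructed.

```python
import ipaddress

PORTS = {"domain": 53, "smtp": 25, "pop3": 110, "www": 80}
# ACL 110 verbatim and ACL 100 abridged, copied from the running-config above.
ACL_110 = ["access-list 110 deny   tcp any any neq www",
           "access-list 110 deny   tcp host 202.0.0.1 any",
           "access-list 110 permit tcp any any"]
ACL_100 = ["access-list 100 permit tcp any 202.0.0.0 0.0.0.15 established",
           "access-list 100 permit tcp any 202.0.0.0 0.0.0.15 gt 1023",
           "access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq domain",
           "access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq www",
           "access-list 100 deny   ip any any log"]

def wild_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' (inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_addr(t, i):
    """'any' | 'host X' | 'X WILDCARD' at t[i]; returns ((base, wildcard), next index)."""
    if t[i] == "any": return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host": return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_port(t, i):
    """Optional 'eq|neq|gt PORT' at t[i]; returns (condition or None, next index)."""
    if i < len(t) and t[i] in ("eq", "neq", "gt"):
        return (t[i], PORTS.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i

def port_ok(cond, port):
    """True when the entry has no port condition or the packet's port satisfies it."""
    return cond is None or {"eq": port == cond[1], "neq": port != cond[1], "gt": port > cond[1]}[cond[0]]

def parse_ace(line):
    # access-list N {permit|deny} PROTO SRC [op port] DST [op port] [established] [log]
    t = line.split(); src, i = parse_addr(t, 4); sport, i = parse_port(t, i)
    dst, i = parse_addr(t, i); dport, i = parse_port(t, i)
    return t[2], t[3], src, sport, dst, dport, "established" in t[i:]

def evaluate(acl, pkt):
    """IOS semantics: first matching entry wins; implicit deny at the end."""
    for action, proto, src, sport, dst, dport, est in map(parse_ace, acl):
        if proto not in ("ip", pkt["proto"]): continue
        if not (wild_match(pkt["src"], *src) and wild_match(pkt["dst"], *dst)): continue
        if not (port_ok(sport, pkt.get("sport", 0)) and port_ok(dport, pkt.get("dport", 0))): continue
        if est and not pkt.get("ack"): continue  # 'established' needs ACK or RST set
        return action
    return "deny"

def proxy_next_hop(pkt):  # route-map proxy-redirect: ACL 110 'permit' => next-hop is the proxy
    return "202.0.0.1" if evaluate(ACL_110, pkt) == "permit" else None
```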
On a Linux system with iptables and the proxy software installed locally, you would simply need (REDIRECT is a nat-table target, so PREROUTING must be selected with -t nat; the source range is the private LAN defined above):
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp \
	--dport 80 -j REDIRECT --to-ports 8080
Or if the proxy is on a different system:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 \
	-j DNAT --to-destination 202.0.0.2:8080
  • If you are using squid, you should put these in /etc/squid/squid.conf:
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

  • Or if you are using Delegate, nothing needs to change.