# IPTables + single NIC server = gateway?

## sven_sol

Hi all,

I'm pretty new to IPTables, and I'm struggling to get a few things working. We have a server with lots of different services on there, i.e. Mail, Samba, WWW, Squid, DHCP etc.

Now, the question has been raised about making it into a transparent proxy so we can monitor people's access through Squid (and perhaps DansGuardian?). I found this line:

```
iptables -I POSTROUTING -t nat -j MASQUERADE
```

That seemed to work for just passing traffic through.. Nice.. or not. The Amavis filter on the Postfix then stopped working, as the traffic no longer appeared to come from 127.0.0.1; it came from 192.168.0.89, the IP of the server. So that didn't work. I flushed that out, and things started working again.

I've found plenty of scripts for using 2 NICs as a bridge/proxy, but I can't seem to see anything for a single NIC. We need all the services available to the LAN (of course) and several services which have been NAT'd through from the router (HTTP(S), SMTP).

Could anyone give me any pointers, or even a couple of scripts to try?

Cheers!!

Sven

----------

## magic919

If you have a single NIC and make the server the default gateway, from the point of view of the clients, the server will send the packets on to the router. You'll need to activate IP forwarding on the server. The packets then count up as traffic in the FORWARD chain of IPTables, I notice. Try applying some rules to that.

----------

## Hu

The MASQUERADE target is more appropriate for a box performing NAT.

Using a single NIC system to monitor or filter people like this relies on your users cooperating. Anyone who changes their default gateway back to the proper gateway for the network can trivially bypass your server. If you want to enforce monitoring or filtering, you need to put in a second NIC and use a network topology that forces clients to pass traffic through you.

----------

## sven_sol

Well, the network is set to use DHCP, and the clients (to be honest) haven't got a clue when it comes to setting up computers: turn it on, do some work. Which is nice.

Besides, we could always set the firewall up so that it only accepts traffic from the server.

So, should I take it that the masquerade is probably the wrong option?

Shall I just use a FORWARD rule?

Cheers,

Sven.

----------

## magic919

Given that you have no need to NAT on that box...

----------

## sven_sol

Sorry to be a bit green, but can you suggest an easy rule, or a website to learn from quickly?

Thanks all!

----------

## magic919

The website I used for IPTables was www.pettingers.org. Not exhaustive, but simple to follow and gets you started.

This bit: http://www.pettingers.org/code/firewall.html

----------

## sven_sol

Wow.. that looks pretty cool and relatively straightforward!!

Thanks!!!

I'll report back on how I manage.

----------

