What I basically have is an Ubuntu server box set up with ICS so I can use it as a transparent proxy.
My incoming cable from my modem goes into eth0, and a cable goes from eth1 to my router. This manages my local network.
Everything works fine except that if I go somewhere like checkip.dyndns.org that will echo your IP address back to you, it shows the static address I have in my router instead of the static address of the eth0 interface on my proxy. In this case, my real external IP is 208.78.***.***, but the web page will show 192.168.2.10. I think this is breaking my fail2ban protection.
Here's my setup:
internet -> [proxy (208.78.***.*** on eth0), (192.168.2.1 on eth1)] -> [router (192.168.2.10 on wan), (192.168.1.0/24 on lan)] -> [switch]
/etc/network/interfaces:
Code:
auto eth0
iface eth0 inet static
broadcast 208.78.***.255
address 208.78.***.***
netmask 255.255.255.128
gateway 208.78.***.***
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
broadcast 192.168.2.255
rc.local content for forwarding:
Code:
# iptables forwarding: allow new connections from the LAN side (eth1) out to the
# internet (eth0), and let conntrack pass the return traffic for tracked flows
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# source NAT; this rule has no -o match, so it masquerades on every outgoing interface, not only eth0
iptables -A POSTROUTING -t nat -j MASQUERADE
# iptables for squid transparent proxy: LAN web traffic is sent to squid on 192.168.2.1:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1:3128
# this rule also sends port-80 connections arriving from the internet on eth0 into squid
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# extra modules needed to make ftp work (conntrack and NAT helpers for FTP on the listed control ports)
modprobe ip_conntrack_ftp ports=21,29
modprobe ip_nat_ftp ports=21,29
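Added here as an audit example, not code from the original post: a POSIX shell script that reads an iptables-save dump and flags a POSTROUTING MASQUERADE rule that lacks an outgoing-interface match, and a REDIRECT into the proxy port that also matches the external interface. The dump it checks is a constructed sample mirroring the rc.local rules above; the interface name eth0 is taken from the setup.

```shell
#!/bin/sh
# Added audit script, not part of the original post. It scans an iptables-save
# dump for two pitfalls in the transparent-proxy ruleset shown above:
#   1. a POSTROUTING MASQUERADE rule not limited to the external interface
#   2. a REDIRECT into the proxy port that matches the external interface,
#      which lets port-80 connections from the internet reach squid
# Returns 0 when the dump is clean, 1 after printing any findings.
audit_nat_rules() {
    dump=$1      # path to an iptables-save style dump
    ext_if=$2    # external interface, eth0 in the setup above
    findings=0
    # keep only the nat table: iptables-save prints it between "*nat" and "COMMIT"
    nat=$(sed -n '/^\*nat/,/^COMMIT/p' "$dump")
    bad_masq=$(printf '%s\n' "$nat" | grep -- '-j MASQUERADE' | grep -v -- "-o $ext_if " || true)
    if [ -n "$bad_masq" ]; then
        echo "MASQUERADE not restricted to -o $ext_if:"
        echo "$bad_masq"
        findings=$((findings + 1))
    fi
    exposed=$(printf '%s\n' "$nat" | grep -- '-A PREROUTING' | grep -- "-i $ext_if " | grep -- '-j REDIRECT' || true)
    if [ -n "$exposed" ]; then
        echo "proxy REDIRECT reachable from $ext_if:"
        echo "$exposed"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample dump that mirrors the rc.local rules above, in iptables-save
# syntax (not captured from a real host).
write_sample_dump() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
-A FORWARD -i eth1 -o eth0 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# usage: write_sample_dump /tmp/rules.dump && audit_nat_rules /tmp/rules.dump eth0
```

On a live box the same check runs against `iptables-save > /tmp/rules.dump` instead of the constructed sample.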