How to redirect HTTP (tcp 80) ports to another server

karo84 · April 12, 2008, 2:43pm

Hi every one,
I want to redirect the HTTP ports to my proxy server (Fedora , but NOT USING IP>Proxy or IP>Web Proxy.
I just want to redirect that ports using ip firewall feature.
Any advices, Any suggestions?

Thanks
With Best Regards
Karapet Aznavuryan

raktim · April 12, 2008, 3:07pm

ip firewall dst nat protocol=tcp In-interface=lan dst-port=80 Action dst-nat to address= xxxx (ur fedora/linux) to ports=xxx (ports u have to use, for proxy may be 3128)

karo84 · April 12, 2008, 3:46pm

Thanks Ratkim

I have tested, But it does not work at all.
some body help, Please.

SurferTim · April 12, 2008, 3:56pm

Greetings!

If you tried the example above as-is, it has some challenges. If the web server is 192.168.0.2, then this should do:

/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 to-addresses=192.168.0.2
You will lose the ability to use a web-based controller on the parent device tho.

karo84 · April 12, 2008, 4:17pm

So, Look at My configuration,
I have Mikrotik 2.9.50 ROS and Squid running on Fedora 8
Everything is ok.
My Squid listens on port 61119, when I redirect the HTTP ports via Ip>Proxy or IP>Web Proxy to the Squid’s 61119 port, everything works fine,
But when I do dst-nat to my squid’s 61119 port, sometimes I get “the requested url could not be retrieved” message or did not get any reply.
Why? where did I make a mistake?

With Best Regards
Karapet Aznavuryan

SurferTim · April 12, 2008, 4:23pm

My bad!
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 to-addresses=192.168.0.2 in-interface=ether1

This way only ether1 (internet) will use this nat. Your local users will still go through the proxy.

EDIT: You also may want to do a
/ip firewall nat print
and insure your squid proxy port 80 dstnat rule is not above this dstnat rule. I believe you can use the place-before=0 variable to put this rule first. The first rule that applies is used, and, as the docs say, all others are ignored.

karo84 · April 12, 2008, 4:38pm

I have tried every methods, but there is no use.
My Squid will handle requests only on port 61119, if I put the dst-nat rule to all of its ports, my HTTP requests will go to Squid’s 80 port.
I don’t want that, I just want to redirect HTTP Requests.

SurferTim · April 12, 2008, 4:43pm

OK, can you post a copy of your ip firewall nat?

EDIT: The MT box is the router, and the fedora box is the web server, right?

Chupaka · April 13, 2008, 10:51pm

well, if your users and squid server are in one subnet, you should use srcnat along with dstnat. but you will loose the ability to check user’s IP on squid server. Web Proxy returns this ability back =)

karo84 · April 15, 2008, 11:40am

Thanks Chupaka.
My users are not in th same subnet with Squid,
When I put the proxy server setting to my Squid
Every thing is ok,
But I want to redirect the HTTP requests to Squid,
Please tell Me what to do,
dst-nat does not help,

Chupaka · April 15, 2008, 12:04pm

please describe your network topology

karo84 · April 15, 2008, 4:12pm

I have 2 ROS 2.9.51 PIII
1 For NAS Server, and the other is for NAT Server to Internet
Look at the picture, this is the topology.
My Squid Is in the same network with NAS (192.168.250.0/24 network)
My Clients (PPTP and PPPOE) get IP addresses from 172.16.0.0/12 network.
I just want to redirect the HTTP port from network 172.16.0.0/12 to 192.168.250.50 port 63333( Ssuid listens on this port)
When I set the Proxy server settings in I-explorer or Mozilla IP=SquidIP and Port=Squidport everything is ok,
But I want to do transparent redirect NOT USING IP>Proxy or IP>Web Proxy Features
With Best Regard
Karapet Aznavuryan

Chupaka · April 15, 2008, 8:13pm

are your clients, NAS and squid in different physical segments (different broadcast domains) or only different IP segments?

karo84 · April 16, 2008, 7:49am

They are in different IP Segments,
Thanks

Chupaka · April 16, 2008, 9:56pm

so you need they be on different RouterOS interfaces (VLANs, for example)

karo84 · April 16, 2008, 10:59pm

Thanks Chupaka,
I have already done using 2 different ROS.
Thanks Very Much;

nbson · April 17, 2008, 1:57pm

set your dst-nat rules as the posts above reccomend…
then,

try this in your squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Or if it’s a newer version of squid, this:

http_port : transparent

hilton · June 3, 2008, 8:57am

Chupaka, I’ve setup the internal proxy in 3.10. It now allows me to use the parent proxy settings and this works like a charm. Except that now the squid box shows all hits originating from the mikrotik router and not the user’s ip address.

The squid is set in transparent mode and if I manually point a browser to the squid box, it shows the individual ip address in the logs but not if I use the miktotik’s web proxy.

Any ideas for me please?

My rules;
1 ;;; Accept squid proxy server
chain=dstnat action=accept src-address=192.168.50.3 in-interface=bridge dst-port=80 protocol=tcp

2 ;;; Redirect via internal proxy
chain=dstnat action=redirect to-ports=8080 in-interface=bridge dst-port=80 protocol=tcp

Chupaka · June 3, 2008, 10:35am

of course you do not need transparent mode on squid

hilton · June 3, 2008, 12:48pm

ok so what you are saying is that I need to enable authentication on the squid server?

will any requests on port 80 which are redirected to the mikrotik internal web proxy be pushed through to the squid box?

the squid box is going to ask for authentication, so surely I need to setup some rule where it handles this two way communication?