* Allow Proxy connection
@ 2003-06-18 13:21 Sebastian
2003-06-18 13:36 ` Ray Leach
0 siblings, 1 reply; 2+ messages in thread
From: Sebastian @ 2003-06-18 13:21 UTC (permalink / raw)
To: Netfilter Mailinglist
Hi list...
I've got a gateway with iptables and squid proxy. All forwarding is
DROPed, so internal clients can only use the proxy for internet
connection. I've got the following rule in INPUT/OUTPUT chains to allow
the porxy to fetch the web sites:
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state
ESTABLISHED -j ACCEPT
But this works only if the webserver in the internet is running on port
80. So i tried to use the -m owner --uid-owner option to match all
packets from the proxy user. The i had to accept all ESTABLISHED packets
in the INPUT chain, because the owner match works only in OUTPUT chain.
What i did now is the following:
iptables -A OUTPUT -o eth0 -p tcp -m owner --uid-owner proxy -m state
--state NEW -j CONNARK --set-mark 1
iptables -A OUTPUT -o eth0 -m connmark --mark 1 -j ACCEPT
iptables -A INPUT -i eth0 -m connmark --mark 1 -j ACCEPT
This seems to work, but what i wann know now:
- Is this solution secure?
- Anybody got a better solution?
Regards
Sebastian.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Allow Proxy connection
2003-06-18 13:21 Allow Proxy connection Sebastian
@ 2003-06-18 13:36 ` Ray Leach
0 siblings, 0 replies; 2+ messages in thread
From: Ray Leach @ 2003-06-18 13:36 UTC (permalink / raw)
To: Netfilter Mailing List
[-- Attachment #1: Type: text/plain, Size: 1403 bytes --]
I use similar rules except:
<snip>
> iptables -A OUTPUT -o eth0 -p tcp --dport 80:90 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80:90 -m state --state
> ESTABLISHED -j ACCEPT
>
Then of course there's also port 8080 for tomcat and 443 for SSL with
similar rules.
Since you are using state matching, only established connections are
allowed back in.
> But this works only if the webserver in the internet is running on port
> 80. So i tried to use the -m owner --uid-owner option to match all
> packets from the proxy user. The i had to accept all ESTABLISHED packets
> in the INPUT chain, because the owner match works only in OUTPUT chain.
>
> What i did now is the following:
>
> iptables -A OUTPUT -o eth0 -p tcp -m owner --uid-owner proxy -m state
> --state NEW -j CONNARK --set-mark 1
> iptables -A OUTPUT -o eth0 -m connmark --mark 1 -j ACCEPT
> iptables -A INPUT -i eth0 -m connmark --mark 1 -j ACCEPT
>
> This seems to work, but what i wann know now:
> - Is this solution secure?
> - Anybody got a better solution?
>
> Regards
> Sebastian.
--
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2003-06-18 13:36 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-06-18 13:21 Allow Proxy connection Sebastian
2003-06-18 13:36 ` Ray Leach
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.