* Allow Proxy connection
  2003-06-18 13:21 Sebastian
  2003-06-18 13:36 ` Ray Leach

From: Sebastian @ 2003-06-18 13:21 UTC (permalink / raw)
To: Netfilter Mailinglist

Hi list...

I've got a gateway with iptables and squid proxy. All forwarding is DROPed, so internal clients can only use the proxy for internet connection. I've got the following rules in the INPUT/OUTPUT chains to allow the proxy to fetch the web sites:

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

But this works only if the webserver in the internet is running on port 80. So I tried to use the -m owner --uid-owner option to match all packets from the proxy user. Then I had to accept all ESTABLISHED packets in the INPUT chain, because the owner match works only in the OUTPUT chain.

What I did now is the following:

iptables -A OUTPUT -o eth0 -p tcp -m owner --uid-owner proxy -m state --state NEW -j CONNMARK --set-mark 1
iptables -A OUTPUT -o eth0 -m connmark --mark 1 -j ACCEPT
iptables -A INPUT -i eth0 -m connmark --mark 1 -j ACCEPT

This seems to work, but what I want to know now:
- Is this solution secure?
- Anybody got a better solution?

Regards
Sebastian.
* Re: Allow Proxy connection

From: Ray Leach @ 2003-06-18 13:36 UTC (permalink / raw)
To: Netfilter Mailing List

I use similar rules except:

<snip>
> iptables -A OUTPUT -o eth0 -p tcp --dport 80:90 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80:90 -m state --state
> ESTABLISHED -j ACCEPT
>

Then of course there's also port 8080 for tomcat and 443 for SSL with similar rules. Since you are using state matching, only established connections are allowed back in.

> But this works only if the webserver in the internet is running on port
> 80. So I tried to use the -m owner --uid-owner option to match all
> packets from the proxy user. Then I had to accept all ESTABLISHED packets
> in the INPUT chain, because the owner match works only in the OUTPUT chain.
>
> What I did now is the following:
>
> iptables -A OUTPUT -o eth0 -p tcp -m owner --uid-owner proxy -m state
> --state NEW -j CONNMARK --set-mark 1
> iptables -A OUTPUT -o eth0 -m connmark --mark 1 -j ACCEPT
> iptables -A INPUT -i eth0 -m connmark --mark 1 -j ACCEPT
>
> This seems to work, but what I want to know now:
> - Is this solution secure?
> - Anybody got a better solution?
>
> Regards
> Sebastian.

--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
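A complete gateway ruleset built on the owner/CONNMARK approach discussed in this thread, as an added example that is not code posted by either Sebastian or Ray. It assumes Squid runs as the user "proxy" and that eth0 is the external interface (both taken from the thread), and it adds three things a practitioner would want on top of the posted rules: default-DROP policies with loopback allowed, a mark rule for the proxy user's UDP DNS lookups (an assumption that the proxy resolves names itself), and a rate-limited LOG rule so any other outbound attempt shows up in syslog. The INPUT side is also narrowed to ESTABLISHED,RELATED replies of marked connections. Nothing is applied unless IPTABLES=iptables is set; by default the commands are only printed.

```shell
#!/bin/sh
# Added example (not from the thread): egress policy for a gateway whose
# only permitted outbound web traffic is what the Squid proxy user opens.
# Assumed names: proxy user "proxy", external interface "eth0".
# Dry-run by default: commands are echoed. Run as root with
#   IPTABLES=iptables sh ./proxy-egress.sh
# to apply them (mark value 1 is arbitrary, as in the thread).
IPTABLES="${IPTABLES:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"
PROXY_USER="${PROXY_USER:-proxy}"
PROXY_MARK=1

proxy_egress_rules() {
    # Default-deny on every chain. FORWARD stays DROP so internal
    # clients can reach the Internet only through the proxy.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Loopback is needed by Squid itself and by any local resolver.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # The owner match exists only in OUTPUT, so tag every NEW connection
    # the proxy user opens; the connection mark is what later lets INPUT
    # recognise the replies. (The thread's "-j CONNARK" was a typo.)
    $IPTABLES -A OUTPUT -o "$EXT_IF" -p tcp -m owner --uid-owner "$PROXY_USER" \
        -m state --state NEW -j CONNMARK --set-mark "$PROXY_MARK"
    # Assumption: the proxy does its own DNS lookups, so mark those too.
    $IPTABLES -A OUTPUT -o "$EXT_IF" -p udp --dport 53 -m owner --uid-owner "$PROXY_USER" \
        -m state --state NEW -j CONNMARK --set-mark "$PROXY_MARK"

    # Let marked connections out, and let only their replies back in.
    $IPTABLES -A OUTPUT -o "$EXT_IF" -m connmark --mark "$PROXY_MARK" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT  -i "$EXT_IF" -m connmark --mark "$PROXY_MARK" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anything else leaving eth0 falls through to the DROP policy; log it
    # (rate-limited) so unexpected egress from the gateway is visible.
    $IPTABLES -A OUTPUT -o "$EXT_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "egress-drop: "
}

# Number of iptables commands the ruleset emits (useful as a sanity check
# in dry-run mode before applying).
rule_count() {
    proxy_egress_rules | grep -c '^iptables '
}

proxy_egress_rules
```

Note that the owner match trusts the proxy user as a whole: any process running as that user can open any outbound TCP connection, so Squid's own ACLs and keeping that account unprivileged carry the rest of the policy. The LOG rule is what turns the DROP policy into something you can monitor rather than just a silent failure.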