From: Andrew Beverley <andy@andybev.com>
To: Mike Hendrie <mike@hendrienet.com>
Cc: Vigneswaran R <vignesh@atc.tcs.com>, netfilter@vger.kernel.org
Subject: Re: Proxy Filter iptable Settings
Date: Sat, 30 Apr 2011 09:02:55 +0100
Message-ID: <1304150575.1579.15.camel@andybev>
In-Reply-To: <BANLkTikM3czG=D7yq3UHhQdt-pUcjpbKSA@mail.gmail.com>
On Thu, 2011-04-28 at 16:43 -0500, Mike Hendrie wrote:
> All users can get to Google and do searches just fine. I am having
> funny issues with a couple of applications.
>
> I do not understand why I am having the below issues. Could this be
> because of the iptables?
Probably, although I would say more accurately because of UFW. It's
quite difficult to diagnose problems with automatically generated
iptables rules.
I would say you are better off disabling UFW, and starting with just the
rules you need to get everything working:
# Flush all tables
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# Set the default policy to ACCEPT. PREROUTING and POSTROUTING are not
# chains of the filter table, so they have to be addressed with -t nat:
iptables -t nat -P PREROUTING ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# Enable packet forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setup NAT ($ext_IF must be set to the name of your external,
# Internet-facing interface before running this):
iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE
Once that works, you can then start blocking ports.
> - There is FileMaker application that uses ports 5000 - 5005 to
> connect to an external server that cannot find the external server.
> ??StatefulNAT translation.??
Looking at the following website, you'll need to allow more than just
those ports:
http://sixfriedrice.com/wp/filemaker-firewall/
But, as above, get the firewall working with all ports open, and then
start closing them.
> - There is a yearbook website that uploads photos to an external
> server that does not allow the upload via the webpage. However, I can
> upload the photos if I install the application local to the
> workstation; the vendor had a local installation of the photo upload
> available.
Ditto.
> iptable command used: iptables -t nat -A PREROUTING -i eth1 -p tcp
> --dport 80 -j REDIRECT --to-port 8080
Is this for the proxy? You don't need that rule if you have manually set
the proxy server for each client. That rule *forces* the proxy to be
used.
Andy
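As an added example (not from Andy's message or the list), the steps in the reply turned into a small set of shell functions, plus the "then start closing them" step done statefully with a LOG rule, so that an application blocked by the gateway shows up in the kernel log with its destination port instead of silently timing out. Interface names (eth1 internal, as in Mike's REDIRECT rule; eth0 external) and the LAN range are assumptions; setting IPT=echo gives a dry run that prints the rules instead of loading them.

```shell
# Gateway ruleset for the setup in the thread (LAN on one interface,
# Internet on another, optional proxy on port 8080). Assumed, not from
# the post: internal eth1, external eth0, LAN 192.168.1.0/24.
# Override IPT (e.g. IPT=echo) to print the rules instead of applying them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

# Step 1: wipe whatever ufw generated, including its user-defined chains.
flush_all() {
    for t in nat mangle filter; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
}

# Step 2: plain NAT with everything open. Confirm FileMaker and the photo
# upload work at this point before tightening anything.
open_gateway() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Step 3: only forward LAN-initiated connections and their replies, and
# log (rate-limited) what the policy drops: a failing application then
# appears in the kernel log as "FWD-DROP:" with its DPT= port.
restrict_forward() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -s "$LAN" -o "$EXT_IF" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Only for a transparent proxy: forces every LAN port-80 connection into
# the proxy. Unnecessary when each client is configured to use the proxy.
transparent_proxy() {
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port 8080
}

enable_forwarding() {
    echo 1 > "${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
}
```

Run as root: flush_all, open_gateway and enable_forwarding first; add restrict_forward only once everything works with the open ruleset.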