From: Philip Craig <philipc@snapgear.com>
To: Daniel Camacho <dcamacho@saipan.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: IPTables & Squid
Date: Fri, 01 Aug 2003 18:10:59 +1000
Message-ID: <3F2A2093.8020200@snapgear.com>
In-Reply-To: <5.1.0.14.2.20030801094250.02f127f0@mail.saipan.com>
Daniel Camacho wrote:
> I'm new to this list and to IPtables. I recently installed a transparent
> proxy using Squid and IPtables. On one computer, I installed IPtables and
> forward all port 80 requests to the Squid server, which is running on a
> separate server. On that same computer I want to be able to filter certain
> connections from using the Squid. I know I can do this with Squid, but I
> want to know how to do it with IPtables. Does anyone know how may I go
> about doing this? Thanks.
Do you want to just pass these connections through directly instead of
forwarding them to the Squid server, or do you want to drop them completely?
If you just want to pass them through, you need to stop them reaching the
DNAT rule. You have already done this for the squid server itself, but
that method only allows you to pass through one IP address. A more general
method is to add ACCEPT rules for each address (just repeat the first
rule for each address to pass through):
# start up filter rules for traffic redirection to Squid
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.1 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
If you want to drop the connections, then you need to put DROP or REJECT
rules in the FORWARD chain of the filter table. Make sure you put them
before the rules ACCEPTing traffic from each subnet.
--
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
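The two mechanisms in the reply above (per-host ACCEPT in nat/PREROUTING ahead of the DNAT to bypass Squid, and REJECT/DROP in filter/FORWARD ahead of the subnet ACCEPT to block a host) as one complete rule set. This is an added example, not code from the thread; the addresses (LAN 192.168.0.0/24 on eth0, Squid at 192.168.0.1:3128, the bypass and blocked host lists) are made up, and IPT defaults to "echo iptables" so the script only prints what it would load until you run it with IPT=iptables. One point the reply does not spell out: DNAT in PREROUTING runs before FORWARD, so by the time a redirected packet reaches FORWARD its destination is already 192.168.0.1:3128, not port 80. The block rules below therefore match both forms.

```shell
#!/bin/sh
# Added example (not from the original thread). All addresses are
# hypothetical. With IPT unset the rules are printed, not applied.

IPT="${IPT:-echo iptables}"
LAN_IF="eth0"
LAN_NET="192.168.0.0/24"
SQUID="192.168.0.1"
SQUID_PORT="3128"

# Hosts allowed straight out to port 80, bypassing Squid. The Squid box
# itself must be in this list, or its own outbound fetches would be
# redirected back into it.
BYPASS_HOSTS="$SQUID 192.168.0.50 192.168.0.51"

# Hosts that may not reach port 80 at all, via Squid or directly.
BLOCKED_HOSTS="192.168.0.200 192.168.0.201"

# nat/PREROUTING: one ACCEPT per bypass host, then the catch-all DNAT.
# ACCEPT in the nat table only means "do not translate"; it does not
# bypass the filter table.
nat_rules() {
    for h in $BYPASS_HOSTS; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$h" -p tcp --dport 80 -j ACCEPT
    done
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID:$SQUID_PORT"
}

# filter/FORWARD: blocks first, subnet ACCEPT last. A redirected packet
# arrives here with destination SQUID:SQUID_PORT, a non-redirected one
# with destination port 80, so reject both shapes for each blocked host.
filter_rules() {
    for h in $BLOCKED_HOSTS; do
        $IPT -A FORWARD -i "$LAN_IF" -s "$h" -p tcp -d "$SQUID" --dport "$SQUID_PORT" \
            -j REJECT --reject-with tcp-reset
        $IPT -A FORWARD -i "$LAN_IF" -s "$h" -p tcp --dport 80 \
            -j REJECT --reject-with tcp-reset
    done
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Order check on the generated rules: every bypass ACCEPT must come
# before the DNAT, and every REJECT before the subnet ACCEPT. Returns 0
# when the order is right, 1 otherwise.
order_ok() {
    nat_rules | awk '/-j DNAT/ {seen=1} /-j ACCEPT/ && seen {bad=1} END {exit bad}' || return 1
    filter_rules | awk '/-j ACCEPT/ {seen=1} /-j REJECT/ && seen {bad=1} END {exit bad}' || return 1
    return 0
}

nat_rules
filter_rules
order_ok && echo "# rule order OK"
```

Run it once without IPT to read the rules, then with IPT=iptables on the gateway. If the blocked host should get a silent timeout rather than an immediate connection reset, change REJECT --reject-with tcp-reset to DROP; the ordering requirement is the same either way.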