* squid and iptables
@ 2002-06-14 14:12 Zé Luís
  0 siblings, 0 replies; 9+ messages in thread
From: Zé Luís @ 2002-06-14 14:12 UTC (permalink / raw)
  To: netfilter

Hi,

I have a network with Squid authentication on port 3128 and ACL
controls. My users only surf with password authentication.

I don't control access ports with Squid ACLs. All ports are open through Squid.

But,

I need to control which ports each machine can access with iptables. Is it
possible?

My idea is :

- Squid does not control ports, only url_path, urlpath_regex, time, password.

- iptables opens and closes ports (from internal machines to the Internet) for
traffic from the proxy and for everything else (telnet, irc, ssh and all others)

My question:

- Is it possible?

if yes:

- which chain should I use?
- an example, please ;-)

if no:

- what's the better way to do this?


Thanks, thanks, thanks.

Ze Luis










* Re: squid and iptables
       [not found] <3A5DC36EC1506C40825C05BE65E62AEF0E7A0D@neptuno.idea.com.mx>
  2002-06-14 21:16 ` Zé Luís
@ 2002-06-14 21:16 ` Zé Luís
  1 sibling, 0 replies; 9+ messages in thread
From: Zé Luís @ 2002-06-14 21:16 UTC (permalink / raw)
  To: netfilter

Omar Castaneda Acosta wrote:

> Setup iptables to DROP/REJECT everything from the internal interface
> except -m state NEW,ESTABLISHED,RELATED on every service you want to
> allow.


Thanks Omar,

I need more details about how exactly to do it.

I'm opening just a few ports from eth0 (NET_INT, my local network) to my
eth1 firewall (my valid Internet IP), like ports 25, 53, 80 and 3128.
I do something like this:

iptables -A INPUT -p tcp -j ACCEPT -s 192.168.1.10/255.255.255.0 -i eth0 -d 192.168.1.154 --dport nn

but all traffic looks like this:

Client:
------

from: 192.168.1.10:nn
to: 192.168.1.154:3128 (my firewall, squid server)

Server:
-------
from: 192.168.1.154:3128
to: 0.0.0.0 (Internet)

All client browsers are configured to use the proxy on port 3128.


How can I filter the destination ports requested by client machines on the
external Internet when the proxy is intercepting this traffic on port 3128???

Many thanks again..

Ze Luis


* RE: squid and iptables
@ 2002-06-14 21:53 Omar Castaneda Acosta
  0 siblings, 0 replies; 9+ messages in thread
From: Omar Castaneda Acosta @ 2002-06-14 21:53 UTC (permalink / raw)
  To: netfilter

You could use David Ranch's stronger firewall script:
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html
Then add the necessary command to make Squid's transparent proxy work:

$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128

Once you have checked that everything is working, you can go ahead and disable the
rule that allows every packet from the internal network to the universe:

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

and change that to a more restrictive set of rules, like:

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 70 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

That should do the job!

Regards,
Omar

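The split Omar describes, carried through as an added example that is not code from the thread or from any of the posters. It keeps the explicit proxy on 3128 (no REDIRECT), because an intercepted client is never challenged for the proxy password that Zé Luís relies on, and it filters each kind of traffic in the chain where the kernel still knows who is talking: client-to-proxy connections in INPUT, the connections Squid itself opens in OUTPUT (matched by the owning user, since by then the client's address is gone), and direct, non-proxied traffic in FORWARD, where the source address is still the client's and the per-host port list the poster wants is possible. The interface names and 192.168.1.154 are taken from the post; the `squid` user, the DIRECT_ALLOW policy and the port lists are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Three chains, three kinds of traffic:
#   INPUT   : LAN clients reaching Squid on 3128 (plus DNS/SMTP on the firewall)
#   OUTPUT  : connections Squid itself opens, matched by the process owner
#   FORWARD : direct (non-proxied) client traffic, per host and per port
# Interface names, addresses, the squid user and the policies are assumptions.
# Run as root to load the rules; with DRY_RUN=1 they are printed instead.

INTIF=eth0                 # LAN side (eth0 in the post)
EXTIF=eth1                 # Internet side (eth1 in the post)
FW_LAN_IP=192.168.1.154    # firewall address the clients talk to (from the post)
LAN=192.168.1.0/24
SQUID_PORT=3128
SQUID_USER=squid           # assumed cache_effective_user in squid.conf

# Hosts allowed to bypass the proxy, as host:proto:port (constructed sample policy).
DIRECT_ALLOW="192.168.1.10:tcp:22 192.168.1.10:tcp:6667 192.168.1.20:tcp:23"

# Destination ports Squid may open on the Internet; anything else it tries is dropped.
PROXY_TCP_PORTS="80 443 21"

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

load_rules() {
    ipt -F INPUT; ipt -F FORWARD; ipt -F OUTPUT
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 1. Clients reach the proxy and the firewall's own DNS/SMTP (add 22 here
    #    if the box is managed over ssh from the LAN; the INPUT policy is DROP).
    ipt -A INPUT -i "$INTIF" -s "$LAN" -d "$FW_LAN_IP" -p tcp --dport "$SQUID_PORT" -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$LAN" -d "$FW_LAN_IP" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$LAN" -d "$FW_LAN_IP" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # 2. What Squid may open outbound. The socket belongs to Squid, so the client
    #    address is gone: this limits the proxy as a whole, not individual clients.
    for port in $PROXY_TCP_PORTS; do
        ipt -A OUTPUT -o "$EXTIF" -m owner --uid-owner "$SQUID_USER" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -A OUTPUT -o "$EXTIF" -m owner --uid-owner "$SQUID_USER" -p udp --dport 53 -j ACCEPT   # Squid's own resolver
    ipt -A OUTPUT -o "$EXTIF" -m owner --uid-owner "$SQUID_USER" -j DROP

    # 3. Direct traffic that bypasses the proxy: the source IP is still the
    #    client's here, so FORWARD can be filtered per host and per port.
    for entry in $DIRECT_ALLOW; do
        host=${entry%%:*}
        rest=${entry#*:}
        proto=${rest%%:*}
        port=${rest#*:}
        ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$host" -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -m limit --limit 5/min -j LOG --log-prefix "FWD-DENY:"
    # everything else from the LAN falls through to the FORWARD DROP policy
}

# Usage: DRY_RUN=1 sh squid-fw.sh load  (preview)   or   sh squid-fw.sh load  (as root)
if [ "${1:-}" = load ]; then
    load_rules
fi
```

Per-client control of the ports the proxy may fetch cannot be done in any of these chains, because once a request has passed through Squid the kernel only sees Squid's own socket. That check belongs in squid.conf, with an acl of type src for the client and an acl of type port for the destination, combined in http_access; that is the one place where both facts are still known.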

* squid and iptables
@ 2003-11-04  8:55 diseno1
  2003-11-08 18:39 ` Arnt Karlsen
  0 siblings, 1 reply; 9+ messages in thread
From: diseno1 @ 2003-11-04  8:55 UTC (permalink / raw)
  To: netfilter


hello...
I need to set up a firewall/proxy...
with smtp, pop3, www, ssh, and the most security possible...
I don't speak English well...
if someone could help me I would be grateful...


* Re: squid and iptables
@ 2003-11-05  3:05 Carlo Florendo
  0 siblings, 0 replies; 9+ messages in thread
From: Carlo Florendo @ 2003-11-05  3:05 UTC (permalink / raw)
  To: netfilter


Hello!

I don't speak Spanish well either.  Please be more specific so that I can help you.
I have configured iptables to allow smtp, pop3, www and ssh into our network.
But you have to have other applications for the whole system to work correctly.


Gracias!

Carlo
------
Carlo Florendo
Astra Philippines Inc.
URL:  www.astra.ph


* Re: squid and iptables
  2003-11-04  8:55 diseno1
@ 2003-11-08 18:39 ` Arnt Karlsen
  0 siblings, 0 replies; 9+ messages in thread
From: Arnt Karlsen @ 2003-11-08 18:39 UTC (permalink / raw)
  To: diseno1; +Cc: netfilter

On Tue, 4 Nov 2003 09:55:16 +0100, 
"diseno1" <diseno1@puntozeropublicidad.cl> wrote in message 
<007a01c3a2b1$5dca5c80$6a1f68c8@proxy>:

> hello...
> i need set up a firewall/proxy...
> with smtp, pop3,www, ssh, and the most security posibility...
> I don't speak English well...

..no need to: http://www.google.com/language_tools?hl=en
or http://www.google.com/language_tools?hl=es

..just write in your own language and pop it into the 
translator and paste the translation into your posting, 
so _both_ your original message and your translated 
message appear in your post.

..if it gets really bad, we can try your original message in other
translators so we can figure out what you try to ask, regardless 
of language, like in http://www.google.com/intl/xx-klingon/ and
http://www.google.com/intl/xx-bork/  ;-)

> if someone could help me I would be grateful...
> 


-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.





* Squid and IPTables
@ 2004-05-25 10:35 Sameer Gurung
  0 siblings, 0 replies; 9+ messages in thread
From: Sameer Gurung @ 2004-05-25 10:35 UTC (permalink / raw)
  To: netfilter

Hi all,
  

 I have a LAN setup where I allow access to the web to
only certain individuals based on their user names.
For this, Squid with authentication enabled is running.
I also want to block unwanted traffic from the NET, so
I run iptables.
 
 The problem is I want to use both.... I've tried
transparent proxying and it works, but I can't
authenticate users using this method.... Is there any
other way to do it.....

Any help will be appreciated




Sameer
