From: Amos Jeffries <squid3@treenet.co.nz>
To: Tarak Ranjan <tarak.ranjan@liqwidkrystal.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Gateway with Iptables
Date: Mon, 29 Oct 2007 21:20:41 +1300
Message-ID: <472597D9.1050003@treenet.co.nz>
In-Reply-To: <472568A2.3040002@liqwidkrystal.com>
Tarak Ranjan wrote:
> Hi List,
> i have a proxy server, when i enable the proxy my mail clients are not
> able to send/receive mail. here is my iptables. please help me with the
> necessary changes.
>
> #############################################################################
>
>
> # Internet Interface
> INET_IFACE="eth1"
> INET_ADDRESS="x.x.x.x"
> # Local Interface Information
> LOCAL_IFACE="eth0"
> LOCAL_IP="192.168.1.3"
> LOCAL_NET="192.168.1.0/24"
> LOCAL_BCAST="192.168.1.255"
> # Localhost Interface
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
> #SQUID
> SQUID_SERVER="192.168.1.3"
> SQUID_PORT="8080"
> echo "SSH Blocking.........."
> $IPT -A INPUT -p tcp -s 192.168.1.210 -d 0/0 --dport 22 -j ACCEPT
> $IPT -A INPUT -p tcp -s 192.168.1.123 -d 0/0 --dport 22 -j ACCEPT
> $IPT -A INPUT -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
> $IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.123 -d 0/0 --dport 22 -j ACCEPT
> $IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
> #$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
> $IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.210 -d 0/0 --dport 22 -j ACCEPT
> $IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.0/24 -d 0/0 --dport 22 -j DROP
> #$IPT -A OUTPUT -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.38 -d 0/0 --dport 22 -j ACCEPT
>
> $IPT -A FORWARD -p tcp -s 0/0 -d x.x.x.y/32 --destination-port 25 --syn -j ACCEPT
> #$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.1.100:25
> #$IPT -A FORWARD -p tcp -d 192.168.1.100 --dport 25 -j ACCEPT
> $IPT -A INPUT -p tcp -s 0/0 --dport 22 -j DROP
> $IPT -A INPUT -p tcp -s 0/0 --dport 3306 -j DROP
> #$IPT -A FORWARD -p tcp -d 0/0 -s 0/0 --dport 80 -j DROP
> $IPT -A INPUT -p tcp -s 0/0 --dport 111 -j DROP
> $IPT -A INPUT -p tcp -s 0/0 --dport 199 -j DROP
> $IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
> #
> # This chain is used with a private network to prevent forwarding for
> # requests on specific protocols. Applied to the FORWARD rule from
> # the internal network. Ends with an ACCEPT
>
> # Block IRC
> $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 194 -j REJECT
>
> # Block Outbound Telnet
> $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 23 -j REJECT
>
> # Block SSH
> $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j REJECT
>
> # Block Usenet Access
> $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 119 -j REJECT
>
>
> # No match, so ACCEPT
> $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
>
> # Allow all on localhost interface
> $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
>
> # Drop bad packets
> $IPT -A INPUT -p ALL -j bad_packets
> $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
> # Rules for the private network (accessing gateway system itself)
> $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
> $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
>
>
> # Inbound Internet Packet Rules
>
> # Accept Established Connections
> $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
>
> # broadcast protocols.
> $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
>
> # Log packets that still don't match
> $IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
> # Used if forwarding for a private network
>
> # Drop bad packets
> $IPT -A FORWARD -p ALL -j bad_packets
>
> # Accept TCP packets we want to forward from internal sources
> $IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
>
> # Accept UDP packets we want to forward from internal sources
> $IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
>
> # If not blocked, accept any other packets from the internal interface
> $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
>
> # Deal with responses from the internet
> $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
>
> # Log packets that still don't match
> $IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
> ############################################################################
>
> # Redirect all port 80 requests to 8080 SQUID PROXY. Added by TARAK
> # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
>
I believe you need to exempt the traffic from squid (local machine IP)
from the REDIRECT about here:
$IPT -t nat -A PREROUTING -p tcp -s $SQUID_SERVER --dport 80 -j ACCEPT
... and use "http_port 8080 transparent" in the squid.conf.
> #$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-ports $SQUID_PORT
> #$IPT -t nat -A POSTROUTING -o eth1 -s $LOCAL_NET -j MASQUERADE
> #$IPT -A FORWARD -s $LOCAL_NET -d $SQUID_SERVER -i eth1 -o eth0 -p tcp --dport $SQUID_PORT -j ACCEPT
> $IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
> ###############################################################################
>
> $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
> $IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
> $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
>
> # To internet
> $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
>
> # Log packets that still don't match
> $IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
>
>
Amos
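The nat-table rule set Amos is suggesting, written out as an added example that is not part of the thread: the exemption for Squid's own address is placed before the REDIRECT, because netfilter stops at the first matching rule. It reuses the variable values from Tarak's script and assumes the REDIRECT is meant for LAN clients arriving on $LOCAL_IFACE (eth0); the script prints the rules rather than applying them, so it can be inspected first.

```shell
#!/bin/sh
# Added example (not from the thread): nat-table rules for a transparent
# Squid proxy on the gateway, with the Squid exemption placed *before* the
# REDIRECT. Variable values are taken from the original script.
LOCAL_IFACE="eth0"            # LAN side; assumed to be where client HTTP arrives
LOCAL_NET="192.168.1.0/24"
INET_IFACE="eth1"
SQUID_SERVER="192.168.1.3"
SQUID_PORT="8080"

# Print the nat rules, one per line, in the order they must be appended.
# Netfilter evaluates a chain top-down and stops at the first match, so the
# ACCEPT for Squid's own address has to precede the REDIRECT; otherwise
# Squid's outbound port-80 requests are sent straight back to Squid.
# Apply with:  nat_rules | sh   (as root, once the output looks right)
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp -s $SQUID_SERVER --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp -s $LOCAL_NET --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t nat -A POSTROUTING -o $INET_IFACE -s $LOCAL_NET -j MASQUERADE
EOF
}

# Check the emitted list: returns 0 when the Squid exemption comes before
# the REDIRECT, 1 when it is missing or appended after it.
check_order() {
    rules=$(nat_rules)
    accept=$(printf '%s\n' "$rules" | grep -n -- "PREROUTING.*-s $SQUID_SERVER .*-j ACCEPT" | cut -d: -f1 | head -n 1)
    redirect=$(printf '%s\n' "$rules" | grep -n -- "-j REDIRECT" | cut -d: -f1 | head -n 1)
    [ -n "$accept" ] && [ -n "$redirect" ] && [ "$accept" -lt "$redirect" ]
}

nat_rules
check_order && echo "rule order OK: Squid exemption precedes REDIRECT"
```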