Linux Netfilter discussions
 help / color / mirror / Atom feed
* Re: Gateway with Iptables
@ 2007-10-30  5:11 Tarak Ranjan
  0 siblings, 0 replies; 6+ messages in thread
From: Tarak Ranjan @ 2007-10-30  5:11 UTC (permalink / raw)
  To: netfilter

Rob Sterenborg wrote:
> i have a proxy server, when i enable the proxy my mail clients are
> > not able to send/receive mail. here is my iptables. please help me
> > with the necessary changes.
>   
  but i'm not able to understand why my mail clients are not responding. 
it's saying connection timed out.
>
> How do you test this? If you configured Squid for transparent proxying
> and allow http (AFAIK you can't transparent proxy https) inbound, your
> users don't have to configure a proxy in their browser and will use the
> proxy "transparently".
>
>   
i have monitor the log /var/log/squid/access.log---- those user's has 
enable "Direct Connection/Automatic detection  " in their respective 
browser, their log is not coming in the access.log
>> what else i have to do to stop direct connection , they must use
>> proxy.
>>     
>
>
> I was going to rewrite the script to make sense of it, but I'm not clear
> on what is running where and what exactly is allowed. Also:
>  
>   
1  i want to block ssh from outside, but it will only allow from 203.x.x.x.
2  any internet request should pass through squid(8080).
3  and if anything wrong in my existing rule set please let me know.



-- 
Thanks & Regards,

Tarak Ranjan
___________________________
IS-Team
Liqwid Krystal

T:   +91 80  2509 1790 Ext. 107
E@:  tarak.ranjan@liqwidkrystal.com
IM:  reachtarak@hotmail.com

Online Learning|Certification|Learning Solutions: http://www.liqwidkrystal.com 




^ permalink raw reply	[flat|nested] 6+ messages in thread
* Gateway with Iptables
@ 2007-10-29  4:59 Tarak Ranjan
  2007-10-29  8:20 ` Amos Jeffries
  2007-10-29 11:07 ` Tarak Ranjan
  0 siblings, 2 replies; 6+ messages in thread
From: Tarak Ranjan @ 2007-10-29  4:59 UTC (permalink / raw)
  To: netfilter

Hi List,
i have a proxy server, when i enable the proxy my mail clients are not 
able to send/receive mail. here is my iptables. please help me with the 
necessary changes.

#############################################################################

# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="x.x.x.x"
# Local Interface Information
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.1.3"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
#SQUID
SQUID_SERVER=“192.168.1.3?
SQUID_PORT="8080"
echo "SSH Blocking.........."
$IPT -A INPUT -p tcp -s 192.168.1.210 -d 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.123 -d 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.123 
-d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 -d 
0/0 --dport 22 -j ACCEPT
#$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 
-d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.210 
-d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.0/24 
-d 0/0 --dport 22 -j DROP
#$IPT -A OUTPUT -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.38 -d 
0/0 --dport 22 -j ACCEP

$IPT -A FORWARD -p tcp -s 0/0 -d x.x.x.y/32 --destination-port 25 --syn 
-j ACCEPT
#$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 
192.168.1.100:25
#$IPT -A FORWARD -p tcp -d 192.168.1.100 --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 22 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 3306 -j DROP
#$IPT -A FORWARD -p tcp -d 0/0 -s 0/0 --dport 80 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 111 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 199 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT

# Block IRC
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 194 -j REJECT

# Block Outbound Telnet
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 23 -j REJECT

# Block SSH
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j REJECT

# Block Usenet Access
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 119 -j REJECT


# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to# Rules for the private network (accessing gateway system 
itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT


# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log packets that still don't match
$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
# Used if forwarding for a private network

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# Log packets that still don't match
$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
############################################################################
#Redirect all 80 port request to 8080 SQUID PROXY Added By TARAK
# DNAT port 80 request comming from LAN systems to squid 3128 
($SQUID_PORT) aka transparent proxy

#$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT 
--to-ports $SQUID_PORT
#$IPT -t nat -A POSTROUTING -o eth1 -s $LOCAL_NET -j MASQUERADE
#$IPT -A FORWARD -s $LOCAL_NET -d $SQUID_SERVER -i eth1 -o eth0 -p tcp 
--dport $SQUID_PORT -j ACCEPT
$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT 
--to-port $SQUID_PORT
###############################################################################
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "


-- 
Thanks & Regards,

Tarak Ranjan
___________________________
IS-Team
Liqwid Krystal

T:   +91 80  2509 1790 Ext. 107
E@:  tarak.ranjan@liqwidkrystal.com
IM:  reachtarak@hotmail.com

Online Learning|Certification|Learning Solutions: http://www.liqwidkrystal.com 





^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2007-10-30  9:00 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-10-30  5:11 Gateway with Iptables Tarak Ranjan
  -- strict thread matches above, loose matches on Subject: below --
2007-10-29  4:59 Tarak Ranjan
2007-10-29  8:20 ` Amos Jeffries
2007-10-29 11:07 ` Tarak Ranjan
2007-10-29 16:12   ` Rob Sterenborg
2007-10-30  9:00   ` Amos Jeffries

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox