Re: [squid-users] Squid, Iptables

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 26 Mar 2002 01:50:09 +0100

Your ruleset is mostly correct, but you should make use of conntrack,
and you also need to allow the users to reach the proxy.

I.e. something like:

# Redirect to the proxy
iptables -t nat -A PREROUTING -i eth1 -s USER -p tcp --dport 80 -j DNAT --to int_ip:3128

# Allow packets on already verified connections in both directions
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the proxy to get out
iptables -A OUTPUT -o eth0 -s ext_ip -p tcp --dport 80 -j ACCEPT

# Allow the proxy to be reached
iptables -A INPUT -i eth1 -s USER -p tcp -d int_ip --dport 3128 -j ACCEPT

And you also need rules to allow DNS lookups. For simplicity most people
do not filter outgoing traffic initiated by the proxy server. Simply
replace the "proxy to go out" rule with

# Allow the proxy server to get out
iptables -A OUTPUT -o eth0 -j ACCEPT

Regards
Henrik Nordström
Squid Developer

Leo wrote:
>
> Hello all, netfilter!
>
> For using Squid with the firewall and masq, does it need 4 rules, if the
> default policy is DROP?
>
>            eth1 int_ip              eth0 ext_ip
>                 |       FIREWALL        |
>    1.-->>       |                       |   -->>3.
> USER            |                       |   INET
>    4.<<--       |     SQUID(3128)       |   <<--4.
>                 |                       |
>
>
>
> 1. user request. It will be:
> iptables -t nat -A PREROUTING -i eth1 -s USER -p tcp --dport 80 -j DNAT --to int_ip:3128
> 2. allow squid to get out from firewall
> iptables -A OUTPUT -o eth0 -s ext_ip -p tcp --dport 80 -j ACCEPT
> 3. allow packets from www server come to squid
> iptables -A INPUT -i eth0 -d ext_ip -p tcp --sport 80 -j ACCEPT
> 4. allow answer squid to user
> iptables -A OUTPUT -o eth1 -s int_ip -p tcp --sport 80 -j ACCEPT
>
> Is my head thinking in the right direction?
> I work on a firewall with the rule: what is not permitted is DROPPED.
> And I make a rule for every step in long connections.
>
> P.S. I wrote these rules from my understanding of how such local
> processes as SQUID work. :-) and I may have made some mistakes in them.
>
> Thanks!
>
> --
> Regards,
> Leo mailto:leoru@rbcmail.ru
Received on Mon Mar 25 2002 - 20:21:00 MST
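The ruleset Henrik sketches above (DNAT of LAN port-80 traffic to the local Squid, conntrack for the return path, explicit permission for users to reach the proxy and for the proxy to do HTTP and DNS outward), assembled into one iptables-restore file with default DROP policies. This is an added example, not code from the original thread or from Squid: the `gen_ruleset` helper and its argument order are assumptions, `192.168.1.0/24`, `192.168.1.1` and `203.0.113.5` are constructed placeholders for Leo's `USER`, `int_ip` and `ext_ip`, and `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the post.

```shell
#!/bin/sh
# gen_ruleset LAN_IF WAN_IF LAN_NET INT_IP EXT_IP [PROXY_PORT]
# Prints an iptables-restore ruleset for "Squid on the firewall, LAN web
# traffic transparently redirected to it". Hypothetical helper written for
# this example; addresses and interface names are whatever the caller passes.
gen_ruleset() {
    lan_if=$1; wan_if=$2; lan_net=$3; int_ip=$4; ext_ip=$5
    proxy_port=${6:-3128}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# 1. Redirect LAN web requests to the proxy listening on the internal address.
#    (--to-destination is the long form of the --to used in the post.)
-A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j DNAT --to-destination $int_ip:$proxy_port
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: a local resolver and the proxy itself talk over lo, which a
# default DROP on INPUT/OUTPUT would otherwise silently break.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets on already verified connections, both directions. This single pair
# replaces Leo's rules 3 and 4 (server replies to Squid, Squid replies to user).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything conntrack cannot classify (stray ACK/FIN, mid-stream packets) is dropped.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Users may open new connections to the proxy port; --syn restricts the
# rule to the first packet, everything after that is ESTABLISHED above.
-A INPUT -i $lan_if -s $lan_net -d $int_ip -p tcp --dport $proxy_port --syn -j ACCEPT
# 2. The proxy may open HTTP connections outward and do DNS lookups.
#    Henrik's simpler alternative is one rule: -A OUTPUT -o $wan_if -j ACCEPT
-A OUTPUT -o $wan_if -s $ext_ip -p tcp --dport 80 --syn -j ACCEPT
-A OUTPUT -o $wan_if -s $ext_ip -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $wan_if -s $ext_ip -p tcp --dport 53 --syn -j ACCEPT
COMMIT
EOF
}

# Usage: sh squid-fw.sh eth1 eth0 192.168.1.0/24 192.168.1.1 203.0.113.5 | iptables-restore
if [ $# -ge 5 ]; then
    gen_ruleset "$@"
fi
```

Two points worth checking before loading this on a live box. First, the DNATed packet is delivered to a local socket, so it traverses INPUT, not FORWARD; that is why the FORWARD policy can stay at DROP and still nothing the users send except port 80 leaves the firewall. Second, Squid's own connections to origin servers start in OUTPUT, which the nat PREROUTING rule never sees, so the proxy does not redirect itself; its replies to users go back out on the LAN interface as ESTABLISHED and conntrack rewrites the source back to the original server address, which is what makes the redirect invisible to the client.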

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:05 MST