[squid-users] Squid and iptables

From: <steve@dont-contact.us>
Date: Mon, 16 Sep 2002 13:36:20 -0400 (EDT)

Hi,

I am having trouble with iptables and Squid.
My problem is that the transparent proxy doesn't work unless I change
the INPUT policy to ACCEPT.
I guess the question is: "Is the iptables rule for allowing Squid right?"

Thanks

##### Squid Setup ##########
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

############ Iptables setup ###############
extint="eth0"          # External interface (Internet)
intint="eth1"          # Internal interface (internal LAN)
extip="0.0.0.0"        # External IP (placeholder as posted; with ip_dynaddr the
                       # real address changes, and "-d 0.0.0.0" matches nothing)
intip="192.168.10.1"   # Internal IP
#
# Enable IP forwarding, ping echoes and dynamic IP addressing
#
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
###############################################
#
# Set INPUT and FORWARD policies to DROP everything,
# allow everything out, and flush existing rules
#
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
# we want to allow everything out
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
#
###############################################
#
# Enable local interface
#
/sbin/iptables -A INPUT -i lo -j ACCEPT
#
# End local services
#
###############################################
#
# Squid Server
#
# Lets in packets from source port 80 addressed to $extip. Anything else
# unsolicited on $extint still hits the DROP policy: UDP 53 replies (if the
# nameserver is outside the LAN) and origin servers on ports other than 80.
# Note also that any remote host sending from source port 80 reaches every
# port 1024-65535 on this box, including Squid's 3128.
/sbin/iptables -A INPUT -i $extint -p tcp --sport 80 -d $extip --dport 1024:65535 -j ACCEPT
#
###############################################
#
# accept all pings
#
/sbin/iptables -A INPUT -i $extint -p icmp -j ACCEPT
#
###############################################
#
# Internal Traffic
#
# enable forwarding (the second rule forwards anything from the Internet
# to the LAN, not just replies; MASQUERADE is what keeps it from being
# reachable with private addresses)
/sbin/iptables -A FORWARD -i $intint -o $extint -j ACCEPT
/sbin/iptables -A FORWARD -i $extint -o $intint -j ACCEPT
#
# accept all input on internal interface (this is also where the
# REDIRECTed port-80 connections from LAN clients arrive)
/sbin/iptables -A INPUT -i $intint -j ACCEPT

# Masquerade and Transparent Proxying
#
# masq LAN traffic
/sbin/iptables -t nat -A POSTROUTING -o $extint -j MASQUERADE
#
# redirect all LAN clients to the filtering port
/sbin/iptables -t nat -A PREROUTING -i $intint -p tcp --dport 80 -j REDIRECT --to-port 3128
#
Received on Mon Sep 16 2002 - 11:35:53 MDT
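Added example, not part of the original post: the same firewall written with connection tracking, so that replies to connections the proxy box opens itself (Squid to origin servers on any port, the resolver's UDP 53 queries) are accepted without having to know the external address or the server port. It keeps the poster's interface names, Squid port and transparent REDIRECT; the `ipt` wrapper defaults to `echo`, so running the script only prints the commands until `IPTABLES=/sbin/iptables` is set. The `state` match needs the ipt_state/ip_conntrack modules.

```shell
#!/bin/sh
# Stateful Squid transparent-proxy firewall (added example).
# Assumes: eth0 external, eth1 internal LAN, Squid http_port 3128.
# IPTABLES defaults to "echo" (dry run); set IPTABLES=/sbin/iptables to apply.

extint="${extint:-eth0}"          # external interface (Internet)
intint="${intint:-eth1}"          # internal interface (LAN)
squid_port="${squid_port:-3128}"  # Squid http_port

ipt() {
    "${IPTABLES:-echo}" "$@"
}

squid_firewall() {
    # flush filter chains and the nat table used for REDIRECT/MASQUERADE
    ipt -F INPUT
    ipt -F FORWARD
    ipt -F OUTPUT
    ipt -t nat -F

    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this box opened itself: Squid to origin servers
    # on any port, and DNS replies to the resolver. A "--sport 80 -d $extip"
    # rule cannot express this, and this rule does not depend on the
    # (dynamic) external address.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN clients are trusted; REDIRECTed port-80 connections arrive here
    ipt -A INPUT -i "$intint" -j ACCEPT

    # answer pings from outside, but nothing else unsolicited
    ipt -A INPUT -i "$extint" -p icmp --icmp-type echo-request -j ACCEPT

    # LAN out to the Internet; only reply traffic forwarded back in
    ipt -A FORWARD -i "$intint" -o "$extint" -j ACCEPT
    ipt -A FORWARD -i "$extint" -o "$intint" -m state --state ESTABLISHED,RELATED -j ACCEPT

    ipt -t nat -A POSTROUTING -o "$extint" -j MASQUERADE

    # Transparent proxying: LAN port-80 traffic goes to Squid. OUTPUT is not
    # touched, so Squid's own fetches are not redirected back into it.
    ipt -t nat -A PREROUTING -i "$intint" -p tcp --dport 80 -j REDIRECT --to-port "$squid_port"
}

# count_rules PATTERN: number of generated commands containing PATTERN
# (always a dry run, so it can be used to review the set before applying)
count_rules() {
    ( IPTABLES=echo; squid_firewall ) | grep -c -- "$1" || true
}

squid_firewall
```

Run it once without `IPTABLES` set to review the printed commands, then with `IPTABLES=/sbin/iptables` to load them.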

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:19 MST