Allow Proxy connection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi list...

I've got a gateway with iptables and squid proxy. All forwarding is
DROPed, so internal clients can only use the proxy for internet
connection. I've got the following rule in INPUT/OUTPUT chains to allow
the porxy to fetch the web sites:

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --sport 80 -m state --state
ESTABLISHED     -j ACCEPT

But this works only if the webserver in the internet is running on port
80. So i tried to use the -m owner --uid-owner option to match all
packets from the proxy user. The i had to accept all ESTABLISHED packets
in the INPUT chain, because the owner match works only in OUTPUT chain.

What i did now is the following:

iptables -A OUTPUT -o eth0 -p tcp -m owner --uid-owner proxy -m state
--state NEW -j CONNARK --set-mark 1
iptables -A OUTPUT -o eth0 -m connmark --mark 1 -j ACCEPT
iptables -A INPUT  -i eth0 -m connmark --mark 1 -j ACCEPT

This seems to work, but what i wann know now:
 - Is this solution secure?
 - Anybody got a better solution?

Regards
Sebastian.



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux