Daniel Camacho wrote:
> I'm new to this list and to IPtables. I recently installed a transparent
> proxy using Squid and IPtables. On one computer, I installed IPtables and
> forward all port 80 requests to the Squid server, which is running on a
> separate server. On that same computer I want to be able to filter certain
> connections from using the Squid. I know I can do this with Squid, but I
> want to know how to do it with IPtables. Does anyone know how I may go
> about doing this? Thanks.
Do you want to just pass these connections through directly instead of forwarding them to the Squid server, or do you want to drop them completely?
If you just want to pass them through, you need to stop them reaching the DNAT rule. You have already done this for the squid server itself, but that method only allows you to pass through one IP address. A more general method is to add ACCEPT rules for each address (just repeat the first rule for each address to pass through):
# start up filter rules for traffic redirection to Squid
# bypass: the Squid server itself goes direct (repeat this line for each address to pass through)
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.1 -p tcp --dport 80 -j ACCEPT
# everything else on port 80 is redirected to Squid
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
If you want to drop the connections, then you need to put DROP or REJECT rules in the FORWARD chain of the filter table. Make sure you put them before the rules ACCEPTing traffic from each subnet.
--
Philip Craig - philipc@xxxxxxxxxxxx - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
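The following is an added example, not code from the thread: a small shell script that emits the complete rule set for both cases in the reply (a bypass list that goes direct, and a block list that is rejected) in the order that matters, namely the per-host ACCEPTs ahead of the DNAT in nat/PREROUTING and the REJECTs ahead of the per-subnet ACCEPT in filter/FORWARD. The interface eth0 and the Squid address 192.168.0.1:3128 are taken from the thread; the subnet 192.168.0.0/24 and the hosts 192.168.0.50 and 192.168.0.99 are made-up placeholders. By default it is a dry run that only prints the iptables commands; the check_order function reads that output back and confirms the ordering, so the ordering can be verified without root or a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): build the gateway rule set for a
# transparent Squid redirector with a bypass list and a block list, with the
# rule ordering the reply describes. Default is a dry run that prints the
# iptables commands; run as root with IPT=iptables to apply them for real.

IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth0}"             # LAN-side interface (from the thread)
LAN_NET="${LAN_NET:-192.168.0.0/24}" # LAN subnet (assumed)
SQUID="${SQUID:-192.168.0.1}"        # Squid server address (from the thread)
SQUID_PORT="${SQUID_PORT:-3128}"

# Hosts that go direct to the web instead of through Squid. The Squid server
# itself must be here, or its own outbound port-80 traffic would be looped
# back to it. 192.168.0.50 is a made-up example address.
BYPASS="${BYPASS:-$SQUID 192.168.0.50}"
# Hosts that may not fetch web pages at all. 192.168.0.99 is made up.
BLOCK="${BLOCK:-192.168.0.99}"

proxy_rules() {
    # nat/PREROUTING: one ACCEPT per bypass host, all *before* the DNAT.
    # ACCEPT in the nat table only means "no NAT for this connection"; the
    # packet still goes through filter/FORWARD like any other.
    for h in $BYPASS; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$h" -p tcp --dport 80 -j ACCEPT
    done
    # Everything else on port 80 is redirected to Squid.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID:$SQUID_PORT"

    # filter/FORWARD: REJECT blocked hosts *before* the per-subnet ACCEPT.
    # FORWARD sees the packet after DNAT, so a blocked host that was redirected
    # is heading for $SQUID:$SQUID_PORT rather than port 80; match both cases.
    for h in $BLOCK; do
        $IPT -A FORWARD -i "$LAN_IF" -s "$h" -p tcp --dport 80 -j REJECT
        $IPT -A FORWARD -i "$LAN_IF" -s "$h" -p tcp -d "$SQUID" --dport "$SQUID_PORT" -j REJECT
    done
    # Then the usual ACCEPT for the whole subnet.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Dry-run self-check: generate the rules and verify, from their positions in
# the output, that every bypass ACCEPT precedes the DNAT and every REJECT
# precedes the subnet ACCEPT. Prints "ok" or "bad".
check_order() {
    out="$( IPT='echo iptables'; proxy_rules )"
    dnat=$(printf '%s\n' "$out" | grep -n -e '-j DNAT' | cut -d: -f1)
    last_bypass=$(printf '%s\n' "$out" | grep -n -e '-t nat .*-j ACCEPT' | tail -n 1 | cut -d: -f1)
    subnet=$(printf '%s\n' "$out" | grep -n -e "$LAN_NET -j ACCEPT" | cut -d: -f1)
    last_reject=$(printf '%s\n' "$out" | grep -n -e '-j REJECT' | tail -n 1 | cut -d: -f1)
    if [ "$last_bypass" -lt "$dnat" ] && [ "$last_reject" -lt "$subnet" ]; then
        echo ok
    else
        echo bad
    fi
}

# Number of iptables commands the current lists produce (dry run).
rule_count() {
    ( IPT='echo iptables'; proxy_rules ) | grep -c '^iptables '
}

proxy_rules
```

Two points the script encodes that are easy to get wrong when typing the rules by hand: an ACCEPT in the nat table is not a filter decision, it only exempts that connection from NAT, so the bypass hosts still pass through FORWARD and are subject to whatever is there; and because FORWARD runs after DNAT, a rule meant to stop a host reaching Squid has to match the rewritten destination (the Squid address and port 3128), not port 80, unless that host is also on the bypass list. REJECT is used here so the client gets an immediate error rather than a hung connection; swap in DROP if you would rather give no response.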