On Sat, 2 Aug 2003 07:25:44 +1000 (ChST), "Daniel Camacho" <dcamacho@xxxxxxxxxx> wrote in message <1102.202.128.1.252.1059773144.squirrel@xxxxxxxxxxxxxxx>:

..Daniel, kindly _lose_ the html, as you can see, there _is_ a reason people drop out of threads.

> Hi Philip,
>
> Thanks for the reply. I want to pass the connection through and not go through the Squid server. Basically, my intention is to filter certain customers from accessing the Squid server but still have full connectivity.
> Thanks.
>
> Daniel
>
> -----
> Philip Craig said:
> > Daniel Camacho wrote:
> > > I'm new to this list and to IPtables. I recently installed a transparent proxy using Squid and IPtables. On one computer, I installed IPtables and forward all port 80 requests to the Squid server, which is running on a separate server. On that same computer I want to be able to filter certain connections from using the Squid. I know I can do this with Squid, but I want to know how to do it with IPtables. Does anyone know how I may go about doing this? Thanks.
> >
> > Do you want to just pass these connections through directly instead of forwarding them to the Squid server, or do you want to drop them completely?
> >
> > If you just want to pass them through, you need to stop them reaching the DNAT rule. You have already done this for the squid server itself, but that method only allows you to pass through one IP address. A more general method is to add ACCEPT rules for each address (just repeat the first rule for each address to pass through):
> >
> > # start up filter rules for traffic redirection to Squid
> > iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.1 -p tcp --dport 80 -j ACCEPT
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
> >
> > If you want to drop the connections, then you need to put DROP or REJECT rules in the FORWARD chain of the filter table. Make sure you put them before the rules ACCEPTing traffic from each subnet.
> >
> > --
> > Philip Craig - philipc@xxxxxxxxxxxx - http://www.SnapGear.com
> > SnapGear - Custom Embedded Solutions and Security Appliances

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
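An added example, not code from anyone in the thread: a small shell helper that emits Philip's rule set for an arbitrary list of bypass clients, keeping every ACCEPT exception ahead of the DNAT catch-all, plus the FORWARD-chain variant for clients that should be refused instead. The Squid address 192.168.0.1:3128 and interface eth0 come from the reply; the client addresses are made up, and the helper prints the commands rather than running them so the ordering can be reviewed first.

```shell
#!/bin/sh
# Emit nat PREROUTING rules for a transparent Squid redirect with a bypass
# list. Ordering is the whole point: iptables stops at the first matching
# target, so each ACCEPT exception must precede the catch-all DNAT.
# Usage: squid_redirect_rules IFACE SQUID_IP SQUID_PORT [BYPASS_IP...]
squid_redirect_rules() {
    iface=$1; squid_ip=$2; squid_port=$3
    shift 3
    # Exception 1: never redirect traffic coming from the Squid host itself,
    # otherwise its own outbound fetches would be looped back into it.
    echo "iptables -t nat -A PREROUTING -i $iface -s $squid_ip -p tcp --dport 80 -j ACCEPT"
    # Exception 2..n: each client that should reach port 80 directly.
    for ip in "$@"; do
        echo "iptables -t nat -A PREROUTING -i $iface -s $ip -p tcp --dport 80 -j ACCEPT"
    done
    # Catch-all: everything else on port 80 is rewritten to the proxy.
    echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport 80 -j DNAT --to $squid_ip:$squid_port"
}

# The other option from the reply: refuse selected clients rather than
# bypass them. FORWARD runs after PREROUTING's DNAT, so the packet already
# carries the proxy's address and port; match the rewritten destination.
# -I puts each rule ahead of any per-subnet ACCEPT that would match first.
# Usage: squid_block_rules SQUID_IP SQUID_PORT BLOCKED_IP...
squid_block_rules() {
    squid_ip=$1; squid_port=$2
    shift 2
    for ip in "$@"; do
        echo "iptables -t filter -I FORWARD -s $ip -d $squid_ip -p tcp --dport $squid_port -j REJECT"
    done
}

# Constructed demo: two bypass clients, one blocked client (made-up addresses).
# squid_redirect_rules eth0 192.168.0.1 3128 192.168.0.50 192.168.0.51
# squid_block_rules 192.168.0.1 3128 192.168.0.60
```

After loading the rules, `iptables -t nat -L PREROUTING -n --line-numbers` shows whether the ACCEPT lines really sit above the DNAT line; a bypass rule appended after the DNAT is never reached.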