Re: Help with iptables

On Wed, 2003-12-10 at 18:45, Bryan Dyson wrote:
> Hi folks,
> 
> I've got my iptables setup and working with one small glitch. My ISP
> says I'm an open proxy.
> What I'm trying to do is set a rule in iptables that will drop port
> 3128 requests coming from the outside but still allow my internal
> network to use the proxy on this port.
> 
> I've tried the following, but they seem to shut down routing of e-mail
> from the internal mail server:
> 
> -A PREROUTING -I eth1 -p tcp -m tcp --dport 3128 -j DROP
> And
> -A PREROUTING -I x.x.x.x (public IP) -p tcp -m -tcp --dport 3128 -j
> DROP
<snip>

If it helps, here are some excerpts from a file I pass to
iptables-restore -n (minus the comments) to activate my proxy:

*filter
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
	# allow the proxy to receive traffic from the internal devices (eth0 is
	# the private interface in my setup)
-A OUTPUT -o eth0 -p tcp -m tcp --sport 3128 -j ACCEPT
	# allow the proxy to respond to the internal clients
-A OUTPUT -p 6 -m tcp --dport 80 -m state --state NEW -j ACCEPT
	# allow the proxy to talk to the web servers of the world! Of course,
	# there is a corresponding --state RELATED,ESTABLISHED -j ACCEPT
	# somewhere else in the configuration
COMMIT
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
	# Cause the redirection from the internal interface (eth0 in my case)
COMMIT

All filter table policies are DROP so if I do not explicitly allow it,
it is denied.
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
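Added example, not part of either message above: a complete iptables-restore file in the same layout as John's excerpts that also covers Bryan's case (proxy open to the LAN, closed on the public side). Interface names eth0 (private) and eth1 (public) and the port 3128 are assumptions carried over from the thread; the helper function names are made up for this example.

```shell
#!/bin/sh
# Added example, not John's or Bryan's ruleset: a complete iptables-restore
# file built on John's layout that also answers Bryan's question. Assumed
# names: eth0 = private LAN, eth1 = public side, proxy on TCP 3128.
proxy_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
# FORWARD is deliberately not touched here; routed services (e.g. the
# internal mail server) keep whatever rules already govern them.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# The proxy is reachable only from the private interface ...
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
# ... and refused on the public one. Redundant under a DROP policy, but it
# documents intent and the LOG line gives a counter for external probes.
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j LOG --log-prefix "proxy-ext: "
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j DROP
# Let the proxy itself fetch pages for its clients
-A OUTPUT -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
*nat
# Transparent redirect of LAN web traffic into the proxy. The filtering
# lives in the filter table above: PREROUTING exists only in the nat,
# mangle and raw tables, so a drop rule there is the wrong place for it.
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
EOF
}

# Sanity check: no rule may ACCEPT port 3128 on the public interface.
# Prints the number of offending rules (0 is what we want).
exposed_on_public() {
  proxy_ruleset | grep -c -- '-i eth1 .*--dport 3128 -j ACCEPT' || true
}

# Load for real (as root): proxy_ruleset | iptables-restore -n
```

Because the policies are DROP, a reply from the proxy only gets out through the RELATED,ESTABLISHED rule, which is the rule John mentions keeping "somewhere else in the configuration".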