On Wed, 2003-12-10 at 18:45, Bryan Dyson wrote:
> Hi folks,
>
> I've got my iptables setup and working with one small glitch. My ISP
> says I'm an open proxy.
> What I'm trying to do is set a rule in iptables that will drop port
> 3128 requests coming from the outside but still allow my internal
> network to use the proxy on this port.
>
> I've tried the following, but they seem to shut down routing of e-mail
> from the internal mail server:
>
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 3128 -j DROP
> And
> -A PREROUTING -i x.x.x.x (public IP) -p tcp -m tcp --dport 3128 -j
> DROP
<snip>

If it helps, here are some excerpts from a file I pass to iptables-restore -n (minus the comments) to activate my proxy:

*filter
# allow the proxy to receive traffic from the internal devices (eth0 is the private interface in my set up)
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
# allow the proxy to respond to the internal clients
-A OUTPUT -o eth0 -p tcp -m tcp --sport 3128 -j ACCEPT
# allow the proxy to talk to the web servers of the world!
-A OUTPUT -p 6 -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT

Of course, there is a corresponding --state RELATED,ESTABLISHED -j ACCEPT somewhere else in the configuration.

*nat
# cause the redirection from the internal interface (eth0 in my case)
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT

All filter table policies are DROP so if I do not explicitly allow it, it is denied.
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net
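The following is an added example, not code from either poster, showing a complete iptables-restore file in the style of the excerpts above that keeps the proxy reachable from the private interface only and explicitly logs and drops proxy connections arriving on the ISP side. It assumes (hypothetically) that eth0 is the LAN interface, eth1 is the public interface and 3128 is the proxy port, as in the thread; the interface names and port can be overridden through environment variables. The external DROP is placed in the filter table's INPUT chain, since the nat table only sees the first packet of a connection and is not where filtering belongs; a small check function verifies that before the file is loaded.

```shell
#!/bin/sh
# Added example (not from the list post): build an iptables-restore file that
# exposes the proxy on the private interface only.
# Assumptions (hypothetical): eth0 is the LAN side, eth1 is the ISP side,
# and 3128 is the proxy port, as in the thread.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
PROXY_PORT=${PROXY_PORT:-3128}

# Print the ruleset. Lines beginning with '#' are ignored by iptables-restore.
# The external DROP lives in the filter table's INPUT chain, not in nat.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# proxy reachable only from the LAN interface
-A INPUT -i $LAN_IF -p tcp -m tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
# log, then drop, proxy connections arriving on the WAN interface
-A INPUT -i $WAN_IF -p tcp -m tcp --dport $PROXY_PORT -j LOG --log-prefix "proxy-from-wan: "
-A INPUT -i $WAN_IF -p tcp -m tcp --dport $PROXY_PORT -j DROP
# the proxy itself may open outbound web connections
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# transparent redirect of LAN web traffic into the proxy
-A PREROUTING -i $LAN_IF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
COMMIT
EOF
}

# Sanity check before loading: the WAN-side DROP must be in *filter and the
# *nat section must contain no DROP at all. Returns 0 when both hold.
check_rules() {
    rules=$(gen_rules)
    filter_part=$(printf '%s\n' "$rules" | sed -n '/^\*filter/,/^COMMIT/p')
    nat_part=$(printf '%s\n' "$rules" | sed -n '/^\*nat/,/^COMMIT/p')
    printf '%s\n' "$filter_part" | grep -q -- "-i $WAN_IF -p tcp -m tcp --dport $PROXY_PORT -j DROP" || return 1
    printf '%s\n' "$nat_part" | grep -q -- '-j DROP' && return 1
    return 0
}

# Usage (as root on the firewall):
#   gen_rules > /etc/iptables.rules && check_rules && iptables-restore -n < /etc/iptables.rules
```

The LOG rule ahead of the DROP is what turns an ISP's "you are an open proxy" report into something you can verify locally: any hit with the "proxy-from-wan:" prefix in the kernel log is a connection attempt from the public side that the filter refused.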