On Thu, 2004-09-02 at 00:08, Payal Rathod wrote:
> On Wed, Sep 01, 2004 at 11:54:55PM -0400, John A. Sullivan III wrote:
>
> > I think you have confused the issues. Do not put the source match in
> > the PREROUTING rule (thus your squid access from the local LAN will not
> > break). Do put the source match in the FORWARD rule. That will
> > restrict outside access to only 1.2.3.4. I assume there is already a
> > FORWARD rule that allows access from the LAN. Hope this helps - John
>
> So, you mean I keep the PREROUTING rule as before and make
> -A FORWARD -d 10.10.10.3 -p tcp -m tcp --dport 80 -j ACCEPT
> to
> -A FORWARD -s 5.6.7.8 -d 10.10.10.3 -p tcp -m tcp --dport 80 -j ACCEPT
>
> But will this not forward requests from my squid proxy server too?
>
> -Payal

That's right - I keep forgetting that you are using Squid. As I mentioned,
I'm a little rusty on Squid configuration. How is the traffic getting to
Squid? If I recall correctly, I usually do it with a REDIRECT. That means
there needs to be a rule to allow the traffic to Squid (it sounds like
there already is one because access is working). However, at that point,
doesn't the Squid ACL list take over? If I recall, there is a section in
the Squid configuration file where one specifies which addresses are
allowed what access - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
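The question in the thread is whether adding `-s 5.6.7.8` to the FORWARD rule also cuts off the LAN-side Squid box, and John's reply rests on the assumption that a separate FORWARD rule for the LAN already exists. The following is an added example, not code from either poster: a small first-match evaluator with iptables FORWARD-chain semantics, run over the three rule sets implied by the thread. The web server 10.10.10.3 and the permitted client 5.6.7.8 come from the thread; the LAN subnet 10.10.10.0/24, the Squid host 10.10.10.2 and the unrelated outside host 9.9.9.9 are assumptions made for this example. Packets are given with the destination as it looks after PREROUTING DNAT, since that is what FORWARD sees.

```python
"""Added example: first-match FORWARD chain evaluator for the rule change
discussed in the thread. Not the posters' code; addresses other than
10.10.10.3 and 5.6.7.8 are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One FORWARD rule. None means the match is omitted (-s/-d/--dport absent)."""
    src: Optional[str]       # -s, CIDR or single address
    dst: Optional[str]       # -d
    dport: Optional[int]     # --dport (TCP assumed throughout)
    target: str              # -j ACCEPT or DROP


@dataclass
class Packet:
    src: str
    dst: str      # destination *after* PREROUTING DNAT, which runs before FORWARD
    dport: int


def _in(addr: str, net: Optional[str]) -> bool:
    """Address match; a bare address like 5.6.7.8 is treated as a /32."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in(pkt.src, rule.src)
            and _in(pkt.dst, rule.dst)
            and (rule.dport is None or pkt.dport == rule.dport))


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """iptables semantics: the first matching terminating rule wins, else the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


LAN = "10.10.10.0/24"                                # assumption: the LAN behind the firewall
SQUID = Packet("10.10.10.2", "10.10.10.3", 80)       # assumption: Squid box on the LAN
ALLOWED = Packet("5.6.7.8", "10.10.10.3", 80)        # the one outside client from the thread
OTHER = Packet("9.9.9.9", "10.10.10.3", 80)          # constructed: any other outside host

# Payal's original rule: -A FORWARD -d 10.10.10.3 -p tcp -m tcp --dport 80 -j ACCEPT
ORIGINAL = [Rule(None, "10.10.10.3", 80, "ACCEPT")]
# The proposed change: same rule with -s 5.6.7.8 added
RESTRICTED = [Rule("5.6.7.8", "10.10.10.3", 80, "ACCEPT")]
# The LAN rule John assumes already exists, ahead of the restricted rule
WITH_LAN_RULE = [Rule(LAN, None, None, "ACCEPT")] + RESTRICTED


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Verdict for each of the three sample packets under the given chain."""
    return {name: evaluate(chain, pkt)
            for name, pkt in (("squid", SQUID), ("allowed", ALLOWED), ("other", OTHER))}


if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("restricted", RESTRICTED),
                        ("with_lan_rule", WITH_LAN_RULE)):
        print(f"{name:14s} {verdicts(chain)}")
```

The three runs make the thread's point concrete: the original rule lets any outside host in, the restricted rule alone also drops the Squid box, and the restricted rule is only safe once a LAN rule sits ahead of it in the chain. Rule order matters because FORWARD is first-match; if the LAN rule is appended after a DROP, it never fires. Running `iptables -L FORWARD -n -v --line-numbers` on the real box shows the actual order and per-rule counters, which is the quickest way to confirm which rule the Squid traffic is hitting.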