-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
| Hello, My iptables config file is as follows :
|
| # Generated by iptables-save v1.2.9 on Fri Jan 7 20:56:35 2000
| *nat
| :OUTPUT ACCEPT [0:0]
| :PREROUTING ACCEPT [0:0]
| :POSTROUTING ACCEPT [0:0]
| -A POSTROUTING -o eth0 -j MASQUERADE
| COMMIT
| # Completed on Fri Jan 7 20:56:35 2000
| # Generated by iptables-save v1.2.9 on Fri Jan 7 20:56:35 2000
| *mangle
| :PREROUTING ACCEPT [1024:195745]
| :INPUT ACCEPT [1019:194076]
| :FORWARD ACCEPT [2:144]
| :OUTPUT ACCEPT [1000:192114]
| :POSTROUTING ACCEPT [999:192086]
| COMMIT
| # Completed on Fri Jan 7 20:56:35 2000
| # Generated by iptables-save v1.2.9 on Fri Jan 7 20:56:35 2000
| *filter
| :FORWARD ACCEPT [0:0]
| :INPUT DROP [0:0]
| :OUTPUT ACCEPT [0:0]
| -A INPUT -j ACCEPT
This rule terminates chain traversal! This means that every packet is allowed, and with this rule it doesn't matter what the incoming interface is. So every packet from the internet, and from your LAN as well, is happily accepted.
| -A INPUT -s 127.0.0.1 -j ACCEPT
| -A INPUT -p tcp -m tcp -i eth1 --dport 3128 --sport 80 -j ACCEPT
Hmm, I guess that your proxy is listening on port 3128, but I don't understand --sport 80. Maybe this represents your clients? The web browsers? If so it will simply not work, and you need a rule like this:
-A INPUT -p tcp -m tcp --dport 3128 --sport 1024: -i eth1 -m state --state NEW -j ACCEPT
or similar. This is because clients never connect to a server from privileged ports (1-1023), but always from port numbers greater than 1023.
| -A INPUT -p udp -m udp -i eth1 --dport 3128 --sport 80 -j ACCEPT
To be seen in combination with the above rule? If so, and if my guesses above are true, you don't need this rule; at least you don't need it for surfing. Surfing is TCP, not UDP.
| -A INPUT -s 62.0.0.0/255.0.0.0 -i eth0 -j REJECT
| -A INPUT -p tcp -m tcp -s 217.81.0.0/255.255.0.0 -i eth0 -j REJECT
| -A INPUT -i eth0 -j DROP
eth0 is your internet interface? Doesn't matter, you don't need these rules, because your policy is DROP.
| -A INPUT -p tcp -m tcp -i eth1 --sport 80 -j DROP
You will hardly ever see a TCP source port of 80.
| -A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
| -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
| -A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT --syn
| -A FORWARD -p tcp -i eth1 -o eth0 --dport 110 --sport 1024: -j ACCEPT --syn
| -A FORWARD -p tcp -i eth1 -o eth0 --dport 1863 --sport 1024: -j ACCEPT --syn
| -A FORWARD -p tcp -i eth1 -o eth0 --dport 5050 --sport 1024: -j ACCEPT --syn
| -A OUTPUT -p udp --dport 53 --sport 1024: -j ACCEPT
| -A OUTPUT -p tcp -m owner -o eth0 --dport 80 --sport 1024: --uid-owner squid -j ACCEPT --syn
| COMMIT
| # Completed on Fri Jan 7 20:56:35 2000
|
| The mail part is working.
| MSN is working.
| I am able to browse without any proxy settings. Which I do not want.
|
| So I guess the traffic is not being redirected properly.
Yes, the traffic is not redirected. There is no rule that specifies this. OK, you say that you don't want your clients to browse without proxy settings, so you don't want a transparent proxy. You have to set up your clients to connect to your proxy, and then you have to add a rule in the incoming chain like the one mentioned above. Your OUTPUT policy is ACCEPT and there are no rules in the OUTPUT chain, so there's no need to add a rule to OUTPUT. BTW, my OUTPUT policy is DROP (in filter) and thus I need rules in OUTPUT like
-A OUTPUT -p tcp -m tcp --dport 80 -o $OUT_IFACE -m state --state NEW -j ACCEPT
Generally I think it is best to set all policies to DROP (or REJECT) and then enable all those ports you need. You can watch the traffic (and the ports in use) with tcpdump or iptraf or the like and thus find out which ports you need. That's quite amazing and instructive.
|
| I think I need to redirect all port 80 traffic to port 3128. Though I am not sure.
Only if you want a transparent proxy.
|
| Thanks for all the help so far.
|
| Varun
HTH
Joerg
-- 
-----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach
Tel.: (+49) 22 26 87 18 12
Fax: (+49) 22 26 87 18 19
mail: harmuth@xxxxxxxxx
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
-----------------------------------------------------------------------
This mail was checked for viruses and other malicious software before sending. No malicious software was found.
-----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCCfWUt9fkjiZ7IE8RAoYpAJ4nQ+qVkdrvKgfzMla//dDZAX2zIACeIYyP
7VSlDpJ4faSt9ZTuna+oD0E=
=EWSl
-----END PGP SIGNATURE-----
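What the advice in this thread adds up to, written out as one complete iptables-restore ruleset. This is an added example, not Varun's posted config or Joerg's own rules: DROP policies on all three filter chains, loopback accepted by interface rather than by source address, a single `--state NEW` rule for the proxy port on the LAN side (the rule Joerg asks for), the forwarded mail and MSN ports from Varun's config, squid's own outbound port 80 via `-m owner`, and an optional nat REDIRECT for the transparent-proxy case Varun was unsure about. It assumes eth0 is the internet interface, eth1 the LAN, 192.168.1.0/24 the LAN network, and squid running as user `squid` on tcp/3128; the interface names and proxy port are the thread's, the LAN network is a constructed value. The `--sport 1024:` matches from the thread are dropped here: the destination port plus the conntrack NEW match is the check that matters, and a root-owned client can bind any source port it likes.

```shell
#!/bin/sh
# Added example for the squid/iptables thread above. Not the original poster's
# config. Assumptions (not all stated in the thread): eth0 = internet side,
# eth1 = LAN side, LAN network 192.168.1.0/24 (constructed), squid listens on
# tcp/3128 and runs as user "squid".

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"
PROXY_USER="${PROXY_USER:-squid}"
TRANSPARENT="${TRANSPARENT:-0}"   # 1 = also redirect LAN port-80 traffic into squid

# Emit a complete iptables-restore ruleset on stdout (lines starting with '#'
# are ignored by iptables-restore, so the comments can stay in).
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    if [ "$TRANSPARENT" = 1 ]; then
        # Transparent proxy: LAN clients' port-80 connections land on squid
        # without any browser configuration. Leave TRANSPARENT=0 for the
        # explicit-proxy setup the thread settles on.
        echo "-A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
    fi
    cat <<EOF
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback by interface, not by source address: a packet with source
# 127.0.0.1 can arrive on $WAN, and "-s 127.0.0.1 -j ACCEPT" would let it in.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New client connections to the proxy, LAN side only. No --sport match: the
# destination port plus conntrack NEW is the check that matters.
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Forwarded services from the original config: SMTP, POP3, MSN, Yahoo.
    for port in 25 110 1863 5050; do
        echo "-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The box's own DNS lookups (squid needs these to resolve origin servers).
-A OUTPUT -o $WAN -p udp --dport 53 -j ACCEPT
# Only the squid user may open new outbound web connections; -m owner is
# valid in OUTPUT only, which is where this rule lives.
-A OUTPUT -o $WAN -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of generated rule lines matching a grep pattern; handy for sanity
# checks before loading the set, e.g. count_rules '^-A FORWARD'.
count_rules() {
    gen_ruleset | grep -c -- "$1"
}

case "${1:-}" in
    --apply)
        # Forwarding between eth1 and eth0 needs ip_forward; the FORWARD
        # chain alone does nothing without it.
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        gen_ruleset | iptables-restore
        ;;
    *)
        gen_ruleset
        ;;
esac
```

Run it without arguments to print the ruleset and read it over; `--apply` loads it with `iptables-restore`, which replaces the nat and filter tables wholesale, so do that from the console rather than over ssh the first time. Set `TRANSPARENT=1` in the environment to get the REDIRECT rule Varun asked about; with it off, clients must be configured to use the proxy on port 3128, which is what Joerg's reply recommends.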