You are allowing only port 3128 incoming and outgoing. What about DNS port 53 and others? How will your squid server resolve sites?

iptables -A INPUT -p tcp -m multiport --destination-port 22,80,3128 -j ACCEPT

same for output chain

#for dns
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

regards

On 5/3/05, lester@xxxxxxxxxxx <lester@xxxxxxxxxxx> wrote:
> Hi,
> I have set up a squid proxy server for our internal network. It works just
> fine without a firewall setup. When I tried to apply rules to block
> everything except the ports that squid requires, the proxy failed to get
> past the firewall. I have set up squid to use port 3128.
> The rules applied are below:
> (eth0 : internal n/w interface
> eth2 : external n/w interface)
>
> modprobe ip_conntrack_ftp
>
> modprobe iptable_nat
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
>
> iptables --policy INPUT DROP
> iptables --policy OUTPUT DROP
> iptables --policy FORWARD DROP
>
> iptables -A INPUT -i eth0 -p tcp --dport 3128 -m state --state NEW -j ACCEPT
> iptables -A OUTPUT -o eth2 -p tcp --sport 3128 -m state --state NEW -j ACCEPT
>
> iptables -t filter -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t filter -A INPUT -i eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> iptables -t filter -A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t filter -A OUTPUT -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> ....
>
> What I would like to know is that, does squid use any other ports besides
> 3128 when contacting the external world? Or are the rules that I have
> applied totally wrong? I am using modprobe iptable_nat, echo 1 >
> /proc/sys/net/ipv4/ip_forward for port forwarding to internal servers
> (which works). I have not appended those rules.
>
> Thanks for your help.
> Lester
>
> --
> I love deadlines. I like the whooshing sound they make as they fly by. Douglas Adams