Tarak Ranjan wrote:
Hi List,
I have a proxy server; when I enable the proxy, my mail clients are not
able to send or receive mail. Here is my iptables script. Please help me
with the necessary changes.
#############################################################################
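# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="x.x.x.x"   # public address, redacted in the post; fill in the real one
# Local Interface Information
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.1.3"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# SQUID
# Squid runs on this gateway itself (same address as LOCAL_IP). The posted
# line used typographic quotes (“…?), which bash treats as ordinary
# characters, so the variable held a corrupted value that iptables cannot
# parse as an address; plain ASCII quotes restore the intended value.
SQUID_SERVER="192.168.1.3"
SQUID_PORT="8080"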
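# ---- Management access (SSH) and host-protection rules ----------------------
# "$IPT" (path to the iptables binary) is expected to be set earlier in the
# script. Several rules below were split across two physical lines in the
# posted copy; the shell would have run the second half as a separate,
# failing command, so they are re-joined here as single commands.
printf '%s\n' "SSH Blocking.........."
# SSH to the gateway itself: only these three LAN hosts may connect.
$IPT -A INPUT -p tcp -s 192.168.1.210 -d 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.123 -d 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
# Outbound SSH through the gateway: the same hosts are allowed; the rest of
# LOCAL_NET is dropped by the last FORWARD rule of this group.
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.123 \
  -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 \
  -d 0/0 --dport 22 -j ACCEPT
#$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.210 \
  -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.0/24 \
  -d 0/0 --dport 22 -j DROP
# Disabled in the original. Note "-i" is not accepted in the OUTPUT chain and
# the target was misspelled (ACCEP); kept only as a record of the intent.
#$IPT -A OUTPUT -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.38 -d 0/0 --dport 22 -j ACCEPT
# New SMTP connections forwarded to the mail host x.x.x.y (address redacted).
$IPT -A FORWARD -p tcp -s 0/0 -d x.x.x.y/32 --destination-port 25 --syn \
  -j ACCEPT
# Disabled: inbound SMTP from the Internet DNATed to an internal mail server.
#$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.1.100:25
#$IPT -A FORWARD -p tcp -d 192.168.1.100 --dport 25 -j ACCEPT
# Everyone not matched above is refused on ports 22, 3306, 111 and 199 of the
# gateway itself.
$IPT -A INPUT -p tcp -s 0/0 --dport 22 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 3306 -j DROP
#$IPT -A FORWARD -p tcp -d 0/0 -s 0/0 --dport 80 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 111 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 199 -j DROP
# HTTPS to the gateway itself is open from anywhere.
$IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT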
#
# tcp_outbound: screens TCP that the private network wants forwarded out.
# Jumped to from the FORWARD chain for traffic arriving on the internal
# interface. A short list of destination ports is REJECTed; everything else
# is ACCEPTed at the end of the chain.
# Blocked destination ports, in rule order:
#   194  IRC
#    23  telnet
#    22  SSH
#   119  Usenet (NNTP)
for blocked_port in 194 23 22 119; do
  $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port "$blocked_port" -j REJECT
done
unset blocked_port   # loop variable is not needed afterwards
# Nothing matched above: let the connection through.
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
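# ---- INPUT chain: traffic addressed to the gateway itself ------------------
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets (the bad_packets chain is defined outside this excerpt)
$IPT -A INPUT -p ALL -j bad_packets
# Drop anything sent to the all-hosts multicast group
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# Rules for the private network (accessing the gateway system itself).
# In the posted copy this comment was wrapped onto a second line without a
# leading "#" ("itself)"), which is a shell syntax error.
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Log packets that still don't match. This rule only logs; the actual DROP
# must come from the chain policy (set outside this excerpt) or from a DROP
# rule placed after it.
$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "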
# ---- FORWARD chain: traffic routed between the LAN and the Internet --------
# Used if forwarding for a private network.
# Every forwarded packet is first screened by the bad_packets chain, which is
# defined outside this excerpt.
$IPT -A FORWARD -p all -j bad_packets
# Outbound TCP and UDP from the LAN are handed to the per-protocol chains.
# tcp_outbound ends in ACCEPT (see above); udp_outbound is defined elsewhere.
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
# Any other protocol arriving on the internal interface is forwarded as is.
$IPT -A FORWARD -p all -i $LOCAL_IFACE -j ACCEPT
# Replies from the Internet belonging to connections we already track.
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what is left. Nothing here drops; that relies on the chain policy.
$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
############################################################################
# Redirect all port-80 requests to the SQUID proxy on 8080. Added by TARAK
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT)
# aka transparent proxy (note: SQUID_PORT is set to 8080 above)
I believe you need to exempt the traffic from squid (the local machine's IP)
from the REDIRECT, about here:
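# Exempt squid's own address from the REDIRECT below. PREROUTING lives in the
# nat table, so "-t nat" is required; without it iptables reports that the
# chain does not exist. NOTE(review): packets generated on this host (squid's
# own outbound requests) traverse nat OUTPUT rather than PREROUTING, so this
# rule only affects packets that arrive on an interface with this source.
$IPT -t nat -A PREROUTING -p tcp -s $SQUID_SERVER --dport 80 -j ACCEPT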
... and use "http_port 8080 transparent" in squid.conf.
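# Disabled alternatives kept from the original, re-joined onto single lines:
#$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-ports $SQUID_PORT
#$IPT -t nat -A POSTROUTING -o eth1 -s $LOCAL_NET -j MASQUERADE
#$IPT -A FORWARD -s $LOCAL_NET -d $SQUID_SERVER -i eth1 -o eth0 -p tcp --dport $SQUID_PORT -j ACCEPT
# Transparent proxy: send LAN clients' port-80 connections to squid on this
# host. The match must be on the LAN side: the posted rule used "-i eth1",
# which is INET_IFACE, so it would have caught port-80 traffic arriving from
# the Internet (handing it to the local squid) instead of traffic from LAN
# clients. The rule was also wrapped across two lines, leaving "--to-port"
# to run as a separate command and the REDIRECT without a target port.
$IPT -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp --dport 80 -j REDIRECT \
  --to-port $SQUID_PORT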
###############################################################################
# ---- OUTPUT chain: traffic generated by the gateway itself -----------------
# ICMP in an INVALID conntrack state is not sent.
$IPT -A OUTPUT -p icmp -m state --state INVALID -j DROP
# Anything sourced from our LAN address or leaving via the LAN interface.
$IPT -A OUTPUT -p all -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p all -o $LOCAL_IFACE -j ACCEPT
# To internet
$IPT -A OUTPUT -p all -o $INET_IFACE -j ACCEPT
# Log packets that still don't match (no DROP here; relies on chain policy).
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
Amos