Re: Gateway with Iptables

Tarak Ranjan wrote:
Hi List,
I have a proxy server; when I enable the proxy my mail clients are not able to send/receive mail. Here is my iptables. Please help me with the necessary changes.

#############################################################################

# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="x.x.x.x"
# Local Interface Information
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.1.3"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
#SQUID
SQUID_SERVER="192.168.1.3"
SQUID_PORT="8080"
echo "SSH Blocking.........."
$IPT -A INPUT -p tcp -s 192.168.1.210 -d 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.123 -d 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.123 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
#$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.210 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.0/24 -d 0/0 --dport 22 -j DROP
#$IPT -A OUTPUT -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.38 -d 0/0 --dport 22 -j ACCEPT

$IPT -A FORWARD -p tcp -s 0/0 -d x.x.x.y/32 --destination-port 25 --syn -j ACCEPT
#$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.1.100:25
#$IPT -A FORWARD -p tcp -d 192.168.1.100 --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 22 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 3306 -j DROP
#$IPT -A FORWARD -p tcp -d 0/0 -s 0/0 --dport 80 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 111 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 199 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT

# Block IRC
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 194 -j REJECT

# Block Outbound Telnet
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 23 -j REJECT

# Block SSH
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j REJECT

# Block Usenet Access
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 119 -j REJECT


# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT


# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log packets that still don't match
$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
# Used if forwarding for a private network

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# Log packets that still don't match
$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
############################################################################
#Redirect all 80 port request to 8080 SQUID PROXY Added By TARAK
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy


I believe you need to exempt the traffic from squid (local machine IPA) from the REDIRECT about here.

$IPT -t nat -A PREROUTING -p tcp -s $SQUID_SERVER --dport 80 -j ACCEPT

... And use "http_port 8080 transparent" in the squid.conf

#$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-ports $SQUID_PORT
#$IPT -t nat -A POSTROUTING -o eth1 -s $LOCAL_NET -j MASQUERADE
#$IPT -A FORWARD -s $LOCAL_NET -d $SQUID_SERVER -i eth1 -o eth0 -p tcp --dport $SQUID_PORT -j ACCEPT
$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
###############################################################################
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "



Amos
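As an added example (not code from the thread), this is the transparent-proxy part of the gateway script as Amos's advice leads to it: the exemption for the proxy host placed in the nat table ahead of the REDIRECT, plus a check that a rule listing has them in that order. It assumes the addresses and interfaces from the variables at the top of Tarak's script; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread. The nat section of the gateway
# script rewritten so the proxy host is exempted before the REDIRECT, as Amos
# suggests. Values are assumed from the variables at the top of the script:
# Squid on the gateway itself (192.168.1.3), LAN on eth0, Internet on eth1.
IPT="${IPT:-iptables}"   # run with IPT="echo iptables" to preview the rules
LOCAL_IFACE="eth0"
INET_IFACE="eth1"
LOCAL_NET="192.168.1.0/24"
SQUID_SERVER="192.168.1.3"
SQUID_PORT="8080"

# Emit the transparent-proxy rules in the order they must be loaded.
transparent_proxy_rules() {
    # 1. Exempt port-80 traffic originating from the proxy host. PREROUTING
    #    lives in the nat table, so "-t nat" is required. This is a no-op while
    #    Squid runs on the gateway (its own connections pass OUTPUT, not
    #    PREROUTING) but is essential if Squid moves to another LAN host, whose
    #    requests to origin servers would otherwise be redirected back into it.
    $IPT -t nat -A PREROUTING -p tcp -s "$SQUID_SERVER" --dport 80 -j ACCEPT
    # 2. Redirect the LAN's web traffic to Squid. Match the LAN interface, not
    #    the Internet one (the original rule used eth1), and only the local net.
    $IPT -t nat -A PREROUTING -i "$LOCAL_IFACE" -s "$LOCAL_NET" -p tcp \
        --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    # 3. Forwarded LAN traffic that was not redirected is masqueraded on exit.
    $IPT -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LOCAL_NET" -j MASQUERADE
    # 4. Redirected connections terminate on the gateway, so the filter INPUT
    #    chain must accept them on the Squid port from the LAN.
    $IPT -A INPUT -i "$LOCAL_IFACE" -s "$LOCAL_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Check a rule listing (the preview output, or "iptables-save -t nat"):
# succeeds only if an ACCEPT for the proxy host precedes the first REDIRECT.
exemption_precedes_redirect() {
    printf '%s\n' "$1" | awk -v squid="$SQUID_SERVER" '
        $0 ~ ("-s " squid "(/32)? ") && /-j ACCEPT/ && !exempt { exempt = NR }
        /-j REDIRECT/ && !redirect { redirect = NR }
        END { exit (exempt && redirect && exempt < redirect) ? 0 : 1 }'
}

if [ "${1:-}" = "apply" ]; then
    transparent_proxy_rules
fi
```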
