I have just deployed a cluster of squid caching servers in reverse proxy mode, and am having trouble with iptables. When iptables is turned on, I can hit the caching servers, but squid times out trying to pull from the origin servers (in our other datacenters). I'm thinking that if I add outgoing rules for our other datacenters, everything should be fine, but they are now in production and I can't simply test at will... I'm planning on adding these lines; can anyone tell me if this will fix my timeout problem when squid tries to pull from the origin servers? I'm green on iptables configuration, so any advice in general is welcome! Sorry for the long email, and thank you!

Lines I plan to add:

# Allow anything *to* our various datacenters
$IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX.XX.X/26 -p all -j ACCEPT

Or maybe I can just add this instead:

$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Here's the current iptables script:

------------------------------------------------------------------------
#!/bin/sh

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all chains
$IPTABLES --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow anything from our various datacenters
$IPTABLES -A INPUT -s XX.XX.XXX.XXX/26 -p all -j ACCEPT
$IPTABLES -A INPUT -s XX.XX1.XXX.X/26 -p all -j ACCEPT
$IPTABLES -A INPUT -s XX.XX.XX.X/26 -p all -j ACCEPT

# Allow incoming port 22 (ssh) connections on external interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state \
    --state NEW -j ACCEPT

# Allow incoming port 4827 (squid-htcp) connections on external interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 4827 -m state \
    --state NEW -j ACCEPT

# Allow incoming port 80 (http) connections on external interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state \
    --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS
$IPTABLES -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
    --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
    --state NEW -j ACCEPT

# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state \
    --state NEW -j ACCEPT

# allow anything on the trusted interface
$IPTABLES -A INPUT -i $LAN -p all -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -p all -j ACCEPT

# Have these rules take effect when iptables is started
/sbin/service iptables save
--------------------------------------------------------------
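As an added example (not part of the original message), a narrower alternative to the "allow all NEW outbound" rule above: because the OUTPUT chain already accepts ESTABLISHED,RELATED early on, squid only needs NEW TCP connections to the origin networks on the origin port accepted, and a LOG rule at the end shows what still falls to the DROP policy. The three networks are constructed placeholders, origin port 80 and eth0 as the path to the other datacenters are assumptions, and apply_with_rollback restores the saved ruleset automatically if the change breaks a production box.

```shell
#!/bin/sh
# Added example; the $IPTABLES and $INTERNET names mirror the original script.
IPTABLES="${IPTABLES:-/sbin/iptables}"
INTERNET="${INTERNET:-eth0}"
# Constructed placeholder networks; replace with the real datacenter ranges.
ORIGIN_NETS="192.0.2.0/26 198.51.100.0/26 203.0.113.0/26"
ORIGIN_PORT="${ORIGIN_PORT:-80}"   # assumed origin port

# Emit only what squid needs to open new connections to the origin servers.
# ESTABLISHED,RELATED is already accepted earlier in OUTPUT, so only the NEW
# TCP SYN to each origin network needs an ACCEPT; everything else still falls
# through to the OUTPUT DROP policy instead of being opened wholesale.
origin_rules() {
    for net in $ORIGIN_NETS; do
        $IPTABLES -A OUTPUT -o "$INTERNET" -d "$net" -p tcp --dport "$ORIGIN_PORT" \
            -m state --state NEW -j ACCEPT
    done
    # Rate-limited log of what still hits the default DROP, so a wrong port or
    # subnet shows up in syslog rather than as a silent squid timeout.
    $IPTABLES -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
}

# Apply on a live box with an automatic rollback: the current ruleset is saved
# first and restored after ROLLBACK_SECS unless the background job is killed.
apply_with_rollback() {
    ROLLBACK_SECS="${1:-300}"
    backup="$(mktemp /tmp/iptables.XXXXXX)" || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$backup" ) &
    echo $! > /tmp/iptables-rollback.pid
    origin_rules
    echo "rules applied; run 'kill \$(cat /tmp/iptables-rollback.pid)' to keep them"
}
```

Run with IPTABLES=echo to dry-run the generated rules before touching a production host.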