
Re: Squid as only a transparent cache

On 01/04/11 06:27, Saurabh Agarwal wrote:
> That link
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat was
> helpful Amos. Though instead of a mangle INPUT chain rule (as
> mentioned in the link) in iptables I had to add a mangle PREROUTING
> chain rule in iptables as follows:
>
> iptables -t mangle -A PREROUTING -p tcp -i ! lo --dport 3128 -j DROP
>
> This rule allows cachemgr access to port 3128 while denying
> access to port 3128 from other machines. The link
> http://www.faqs.org/docs/iptables/traversingoftables.html tells that
> the mangle table's PREROUTING chain is traversed before the nat
> table's PREROUTING chain.
>
> Do we need to modify the text in there?

Thanks. I've re-tested and you are right about using PREROUTING. Wiki changed.

Do not add a cachemgr exception to the DROP rule. The point of that rule is that absolutely *zero* forward-proxy requests are permitted to the intercept port. The NAT handling screws with the request and TCP details in ways which open the proxy to some nasty little security vulnerabilities (CVE-2009-0801 describes the combined result).

The recommended practice is to use some randomly chosen port for the NAT intercept receiving, with that strict rule from the wiki protecting it, leaving the well-known 3128 as a second forward-proxy port available for management and other desired accesses.

You could leave your lo restriction rule unchanged as an extra limit on the way to contact the management access port, or move it to the filter table INPUT chain and use REJECT.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
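The rule set Amos describes, written out as an added example (not code from this thread or from the Squid wiki): a separately chosen intercept port guarded by the mangle PREROUTING DROP, port 80 redirected to it, and 3128 kept as a plain forward-proxy port reachable only from the host itself. The intercept port 3129, the LAN interface eth1 and the REJECT rule on 3128 are assumptions for illustration; the script only prints the commands and the matching squid.conf lines.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid wiki. Port numbers and the
# LAN interface are assumptions; pipe the printed commands into sh to apply.
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"   # assumed intercept port, not 3128
PROXY_PORT="${PROXY_PORT:-3128}"           # forward-proxy / cachemgr port
LAN_IF="${LAN_IF:-eth1}"                   # assumed client-facing interface

# Rules in the order the kernel traverses them: mangle PREROUTING runs before
# nat PREROUTING, so the DROP is evaluated before the REDIRECT.
gen_rules() {
    ip="$1"; pp="$2"; lan="$3"
    # 1. No forward-proxy request may reach the intercept port directly:
    #    drop anything for it that did not arrive via loopback.
    #    (Current iptables syntax is "! -i lo"; old releases wrote "-i ! lo".)
    printf 'iptables -t mangle -A PREROUTING -p tcp ! -i lo --dport %s -j DROP\n' "$ip"
    # 2. Redirect plain HTTP from the LAN to the guarded intercept port.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$lan" "$ip"
    # 3. Optional: management port reachable only from this host, others REJECTed.
    printf 'iptables -t filter -A INPUT -p tcp ! -i lo --dport %s -j REJECT\n' "$pp"
}

# Matching squid.conf lines: intercept mode only on the guarded port.
gen_squid_conf() {
    printf 'http_port %s intercept\n' "$1"
    printf 'http_port %s\n' "$2"
}

# Sanity check on a rule list: the intercept port must differ from the
# forward-proxy port, carry the DROP guard, and be the REDIRECT target.
check_rules() {
    rules="$1"; ip="$2"; pp="$3"
    [ "$ip" != "$pp" ] || return 1
    printf '%s\n' "$rules" | grep -q -- "-t mangle -A PREROUTING -p tcp ! -i lo --dport $ip -j DROP" || return 1
    printf '%s\n' "$rules" | grep -q -- "--to-port $ip" || return 1
    return 0
}

RULES="$(gen_rules "$INTERCEPT_PORT" "$PROXY_PORT" "$LAN_IF")"
if check_rules "$RULES" "$INTERCEPT_PORT" "$PROXY_PORT"; then
    printf '%s\n' "$RULES"
    gen_squid_conf "$INTERCEPT_PORT" "$PROXY_PORT"
else
    echo "refusing: intercept port is not guarded" >&2
fi
```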

