Dear Antony Stone,
In fact I recently converted from Squid 3.1 and have little idea of the
iptables rules used there; it was also working as a router for the internet, so I
confused it with a normal proxy.
> -A INPUT -j LOG
Do you really want to log every packet hitting your machine?
What use is that information?
@--- You are right, I don't need it.
> -A INPUT -j DROP
That will prevent ALL packets from entering the machine - nothing can work.
You need to allow ESTABLISHED and RELATED packets before DROPping anything.
@- Correct, I will add the ESTABLISHED,RELATED rule here:
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> Then allow
> -A INPUT -i eth1 -j ACCEPT
There's no point putting a rule like this after "INPUT -j DROP". Everything
has been DROPped already, whether it came from eth1 or not...
Remember that IPtables rules work on a "first match wins" basis.
@- My mistake, it was before the drop rule, to allow SSH access from the LAN.
> -A FORWARD -i eth1 -j ACCEPT
Er, wait, is this a forwarding router, or a Squid server accepting requests on
eth1 and sending them out on eth0?
@- I don't need it, I will remove it.
> But it blocks traffic. Can you please help me with which allow rule will work
> for Squid 3.5 when I secure my WAN.
Please give us more details of your network - I understand that the machine
running Squid has two interfaces, but is it only acting as a proxy, or is it
also a forwarding router for other traffic?
@- It is only working as Squid. The LAN side consists of two VLANs and we will configure 100 users to use the internet. We will limit 2 MB per user at maximum bandwidth, while 1 MB for only FB/YouTube users.
Squid 3.5 is working fine, but I want to secure WAN eth0 against any unauthenticated user access.
On Monday 17 April 2017 at 14:45:55, Arsalan Hussain wrote:
> Dear Sir Amos
:)
> I had reconfigured Squid 3.5 and it works fine, but I want to protect the WAN
> interface through IPTABLES.
>
> 1- Can you help me with a chain rule for a simple iptables that drops all traffic from
> WAN eth0 to secure it and allows Squid user requests from LAN eth1 only. (My
> WAN receives floods from the public and it wastes all my bandwidth.)
>
> For Example:
> -A INPUT -j LOG
Do you really want to log every packet hitting your machine?
What use is that information?
> -A INPUT -j DROP
That will prevent ALL packets from entering the machine - nothing can work.
You need to allow ESTABLISHED and RELATED packets before DROPping anything.
> Then allow
> -A INPUT -i eth1 -j ACCEPT
There's no point putting a rule like this after "INPUT -j DROP". Everything
has been DROPped already, whether it came from eth1 or not...
Remember that IPtables rules work on a "first match wins" basis.
> -A FORWARD -i eth1 -j ACCEPT
Er, wait, is this a forwarding router, or a Squid server accepting requests on
eth1 and sending them out on eth0?
> But it blocks traffic. Can you please help me with which allow rule will work
> for Squid 3.5 when I secure my WAN.
Please give us more details of your network - I understand that the machine
running Squid has two interfaces, but is it only acting as a proxy, or is it
also a forwarding router for other traffic?
Also, have you read any documentation on IPtables, to get some examples of
standard configurations?
And finally, you numbered the question above with a "1". Is there a "2"?
Antony.
--
Most people have more than the average number of legs.
Please reply to the list;
please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
--
Arsalan Hussain
Assistant Director, Networks & Information System
PRESTON UNIVERSITY
Add: Plot: 85, Street No: 3, Sector H-8/1, Islamabad, Pakistan
Cell: +92-322-5018611
UAN: (51) 111-707-808 (Ext: 443)
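As an added example (not from this thread or from the Squid project): a script that prints, in iptables-restore format, the INPUT rule set discussed above for a host that is only a Squid proxy, with the ESTABLISHED,RELATED accept and the LAN allows placed before anything is dropped, and a helper that checks that ordering. eth0 (WAN) and eth1 (LAN) come from the thread; the Squid port 3128, the SSH port 22 and the rate-limited LOG are assumptions.

```shell
#!/bin/sh
# Constructed example for a machine that is only a Squid proxy (no forwarding).
# Interface names are from the thread; the ports are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"
SSH_PORT="${SSH_PORT:-22}"

# Print the rule set. iptables stops at the first matching rule, so the
# ESTABLISHED,RELATED accept and the LAN allows must precede the DROP policy.
squid_proxy_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# local processes may always talk to the host
-A INPUT -i lo -j ACCEPT
# replies to connections the proxy itself opened towards the WAN
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN clients may open new connections to the proxy port and to SSH
-A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
# everything else from the WAN falls through to the DROP policy; log only a
# rate-limited sample instead of every packet
-A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "WAN-DROP: "
COMMIT
EOF
}

# Ordering check: the RELATED,ESTABLISHED accept must come before the first
# DROP or LOG rule in the INPUT chain. Exit status 0 means the order is right.
check_order() {
  squid_proxy_rules | awk '
    /^-A INPUT/ && /RELATED,ESTABLISHED/ { est = NR }
    /^-A INPUT/ && /-j (DROP|LOG)/ && !drop { drop = NR }
    END { exit !(est && (!drop || est < drop)) }'
}

# Usage: review the output, then load it with
#   squid_proxy_rules > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
```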