LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-24-2008, 06:17 AM   #31
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380

Quote:
Originally Posted by sanjee View Post
No, both are in separate systems.
Okay then forget about REDIRECT, you need DNAT to intercept. I believe you'll also need SNAT/MASQUERADE to make sure the packets from Squid come back through the iptables box (and not get sent to the client box's IP). I've only used Squid and iptables on the same box so take that with a grain of salt. In any case, if I'm right then you would do it like this:
Code:
#!/bin/sh
# Transparent HTTP interception with Squid on a separate LAN host:
# this box DNATs client port-80 traffic to Squid and MASQUERADEs toward
# Squid so that Squid's replies come back through this box, where
# conntrack undoes the DNAT before the client sees them.

IPT="/sbin/iptables"
WAN_IFACE="eth1"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
DNS1="208.67.222.222"
DNS2="208.67.220.220"
SQUID_IP="192.168.1.2"
SQUID_PORT="3128"

# Nothing in FORWARD matters unless the box actually routes.
echo 1 > /proc/sys/net/ipv4/ip_forward

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

# Let LAN hosts ping the box.
$IPT -A INPUT -p ICMP -i $LAN_IFACE --icmp-type 8 \
-s $LAN_NET -m state --state NEW -j ACCEPT

$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# DNATed client connections enter and leave on the LAN interface
# on their way to Squid.
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $LAN_IFACE -s $LAN_NET \
--dport $SQUID_PORT -d $SQUID_IP -m state --state NEW -j ACCEPT

# Squid must be able to fetch from origin servers; its own port-80
# traffic is excluded from the DNAT rule below, so it needs its own
# path out (the original script had no such rule).
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s $SQUID_IP \
-m multiport --dports 80,443 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
--dport 21 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
--dport 110 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
-d $DNS1 --dport 53 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET \
-d $DNS2 --dport 53 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

# Intercept HTTP from every LAN host except Squid itself, otherwise
# Squid's outbound requests would be looped back to it.
# (Originally referenced an undefined $SQUID_BOX; the variable is SQUID_IP.)
$IPT -t nat -A PREROUTING -p TCP -i $LAN_IFACE ! -s $SQUID_IP --dport 80 \
-j DNAT --to-destination $SQUID_IP:$SQUID_PORT

# Rewrite the source of the DNATed packets to this box's LAN address so
# Squid answers to us rather than straight to the client, letting
# conntrack reverse the DNAT. Side effect: Squid logs this box's IP as
# the client. --dport needs -p TCP or iptables rejects the rule.
$IPT -t nat -A POSTROUTING -p TCP -o $LAN_IFACE -s $LAN_NET \
-d $SQUID_IP --dport $SQUID_PORT -j MASQUERADE

$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Last edited by win32sux; 09-24-2008 at 06:30 AM.
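As an added illustration (not part of win32sux's post or his script): a small Python model of what the box's conntrack does to a client's SYN and Squid's SYN-ACK in the setup above, with and without the LAN-side MASQUERADE. It shows why the MASQUERADE rule is needed when client and Squid share a LAN segment: without it Squid answers the client directly, the reply never passes the box, and the client's TCP stack sees a packet from 192.168.1.2:3128 instead of the web server it connected to. The router address (192.168.1.1), client address (192.168.1.10) and web server address (198.51.100.10) are assumed; only the Squid host and port come from the post. It also goes beyond the post with a third case, a Squid host whose route back to the clients goes through this box, where the reply is un-NATed without any MASQUERADE.

```python
"""Model of iptables DNAT + MASQUERADE + conntrack for transparent proxying.
Addresses other than SQUID_IP/SQUID_PORT are assumed for the illustration."""
from dataclasses import dataclass, replace

ROUTER_LAN_IP = "192.168.1.1"   # assumed LAN address of the iptables box
SQUID_IP, SQUID_PORT = "192.168.1.2", 3128
CLIENT_IP = "192.168.1.10"      # assumed LAN client
WEB_IP = "198.51.100.10"        # assumed origin web server


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """PREROUTING DNAT to Squid, optional POSTROUTING MASQUERADE toward Squid,
    and the conntrack table that reverses both on packets travelling back."""

    def __init__(self, masq_to_squid: bool):
        self.masq_to_squid = masq_to_squid
        self.conntrack = {}  # reply-direction 4-tuple -> original packet

    def forward(self, p: Pkt) -> Pkt:
        original = p
        # -t nat PREROUTING -p TCP ! -s $SQUID_IP --dport 80 -j DNAT
        if p.dport == 80 and p.src != SQUID_IP:
            p = replace(p, dst=SQUID_IP, dport=SQUID_PORT)
        # -t nat POSTROUTING -o LAN -d $SQUID_IP --dport $SQUID_PORT -j MASQUERADE
        if self.masq_to_squid and (p.dst, p.dport) == (SQUID_IP, SQUID_PORT):
            p = replace(p, src=ROUTER_LAN_IP)
        self.conntrack[(p.dst, p.dport, p.src, p.sport)] = original
        return p

    def reply(self, r: Pkt):
        """Undo the translation for a packet coming back through the box;
        None when there is no state for it."""
        original = self.conntrack.get((r.src, r.sport, r.dst, r.dport))
        if original is None:
            return None
        return Pkt(src=original.dst, sport=original.dport,
                   dst=original.src, dport=original.sport)


def squid_reply(p: Pkt) -> Pkt:
    """The Squid host answers whatever source address it saw on the SYN."""
    return Pkt(src=SQUID_IP, sport=SQUID_PORT, dst=p.src, dport=p.sport)


def simulate(masq_to_squid: bool, squid_behind_box: bool = False) -> dict:
    """Run one client SYN through the box and Squid's SYN-ACK back.
    squid_behind_box=True models a Squid host whose route to the client
    goes via this box (a different subnet), so every reply passes the box."""
    box = NatBox(masq_to_squid)
    syn = Pkt(CLIENT_IP, 40000, WEB_IP, 80)
    at_squid = box.forward(syn)
    synack = squid_reply(at_squid)
    # On a shared LAN segment only packets addressed to the box reach it;
    # a reply addressed straight to the client takes the direct path.
    if synack.dst == ROUTER_LAN_IP or squid_behind_box:
        synack = box.reply(synack)
    # The client's socket is to WEB_IP:80; anything else does not match
    # and is dropped or reset by its TCP stack.
    accepted = synack is not None and (synack.src, synack.sport) == (WEB_IP, 80)
    return {
        "squid_sees_client_as": at_squid.src,
        "reply_src": (synack.src, synack.sport) if synack else None,
        "client_accepts": accepted,
    }


if __name__ == "__main__":
    for label, args in [("same LAN, no MASQUERADE", (False,)),
                        ("same LAN, MASQUERADE", (True,)),
                        ("Squid routed via box, no MASQUERADE", (False, True))]:
        print(f"{label}: {simulate(*args)}")
```

The third case is the practical caveat: MASQUERADE toward Squid is only required because the reply would otherwise bypass the box; its cost is that Squid sees every client as 192.168.1.1, so per-client ACLs and access.log entries lose the real source address. If that matters, put Squid on a subnet that routes through the firewall and drop the LAN-side MASQUERADE.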
 
Old 09-26-2008, 12:27 AM   #32
sanjee
Member
 
Registered: Jul 2008
Posts: 129

Original Poster
Rep: Reputation: 15
So many thanks, win32sux, for your posts. These concepts are really helpful.
 