<div dir="ltr"><p dir="ltr">Dear Antony Stone, </p>
<p dir="ltr">In fact I recently converted from Squid 3.1 and have little idea of the
iptables rules used there; it was also working as a router for the internet, so I
confused it with a normal proxy. <br>
<br>
> -A INPUT -j LOG</p><span class="gmail-im">
<p dir="ltr">Do you really want to log every packet hitting your machine?</p>
<p dir="ltr">What use is that information?</p>
</span><p dir="ltr"><u>@--- You are right, I don't need it.</u></p><span class="gmail-im">
<p dir="ltr">> -A INPUT -j DROP</p>
<p dir="ltr">That will prevent ALL packets from entering the machine - nothing can work.</p>
<p dir="ltr">You need to allow ESTABLISHED and RELATED packets before DROPping anything.</p>
</span><p dir="ltr"><u>@- Correct, I will add the ESTABLISHED,RELATED rule here:</u></p><p dir="ltr"><u>-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT </u><br></p><span class="gmail-im">
<p dir="ltr">> Then allow<br>
> -A INPUT-i eth1 -j ACCEPT</p>
<p dir="ltr">There's no point putting a rule like this after "INPUT -j DROP". Everything<br>
has been DROPped already, whether it came from eth1 or not...</p>
<p dir="ltr">Remember that IPtables rules work on a "first match wins" basis.</p>
</span><p dir="ltr"><u>@- My mistake, it was before the DROP rule, to allow SSH access from the LAN.</u></p><span class="gmail-im">
<p dir="ltr">> -A FORWARD -i eth1 -j ACCEPT</p>
<p dir="ltr">Er, wait, is this a forwarding router, or a Squid server accepting requests on<br>
eth1 and sending them out on eth0?</p>
</span><p dir="ltr">@- I don't need it, I will remove it.<br></p><span class="gmail-im">
<p dir="ltr">> but its block traffic. Can you please help me what allow rule will works<br>
> for Squid 3.5 when i secure my WAN.</p>
<p dir="ltr">Please give us more details of your network - I understand that the machine<br>
running Squid has two interfaces, but is it only acting as a proxy, or is it<br>
also a forwarding router for other traffic?</p></span><p><u>@- It is
only working as Squid. The LAN side consists of two VLANs and we will
configure 100 users to use the internet. We will limit 2 MB per user at
maximum bandwidth, while only 1 MB for FB/YouTube users.</u></p><p>Squid 3.5 is working fine, but I want to secure WAN eth0 from any unauthentic user access.<br></p><p>I only need to configure simple iptables rules to secure it.<br></p></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 17, 2017 at 5:53 PM, Antony Stone <span dir="ltr">&lt;<a href="mailto:Antony.Stone@squid.open.source.it" target="_blank">Antony.Stone@squid.open.source.it</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Monday 17 April 2017 at 14:45:55, Arsalan Hussain wrote:<br>
<br>
> Dear Sir Amos<br>
<br>
:)<br>
<span class=""><br>
> I had reconfigured Squid 3.5 and it works fine. but i want to protect WAN<br>
> interface through IPTABLES<br>
><br>
> 1- can you help me chain rule of simple iptable which drop all trafic from<br>
> WAN eth0 to secure and allow squid user request from LAN eth1 only. (my<br>
> WAN send flood by public and it waste my all bandwidth)<br>
><br>
> For Example:<br>
> -A INPUT -j LOG<br>
<br>
</span>Do you really want to log every packet hitting your machine?<br>
<br>
What use is that information?<br>
<br>
> -A INPUT -j DROP<br>
<br>
That will prevent ALL packets from entering the machine - nothing can work.<br>
<br>
You need to allow ESTABLISHED and RELATED packets before DROPping anything.<br>
<span class=""><br>
> Then allow<br>
> -A INPUT-i eth1 -j ACCEPT<br>
<br>
</span>There's no point putting a rule like this after "INPUT -j DROP". Everything<br>
has been DROPped already, whether it came from eth1 or not...<br>
<br>
Remember that IPtables rules work on a "first match wins" basis.<br>
<span class=""><br>
> -A FORWARD -i eth1 -j ACCEPT<br>
<br>
</span>Er, wait, is this a forwarding router, or a Squid server accepting requests on<br>
eth1 and sending them out on eth0?<br>
<span class=""><br>
> but its block traffic. Can you please help me what allow rule will works<br>
> for Squid 3.5 when i secure my WAN.<br>
<br>
</span>Please give us more details of your network - I understand that the machine<br>
running Squid has two interfaces, but is it only acting as a proxy, or is it<br>
also a forwarding router for other traffic?<br>
<br>
Also, have you read any documentation on IPtables, to get some examples of<br>
standard configurations?<br>
<br>
<br>
And finally, you numbered the question above with a "1". Is there a "2"?<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
Antony.<br>
<br>
--<br>
Most people have more than the average number of legs.<br>
<br>
Please reply to the list;<br>
please *don't* CC me.<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">With Regards,<br>
<p><br><b style="font-size:12.8px"><span style="color:rgb(23,54,93)">Arsalan Hussain</span></b><br><b style="font-size:12.8px"><span style="color:#c0504d">Assistant Director, Networks &amp; Information System</span></b></p><p><span><b style="font-size:12.8px"><span style="font-size:14.0pt;font-family:'Baskerville Old Face',serif;color:#4f81bd">PRESTON UNIVERSITY</span></b><br><span style="color:rgb(31,73,125);font-size:12.8px">Add: Plot: 85, Street No: 3, Sector H-8/1, Islamabad, Pakistan</span><br><span style="color:rgb(31,73,125);font-size:12.8px">Cell: +92-322-5018611</span><br><span style="color:rgb(31,73,125);font-size:12.8px">UAN: (51) 111-707-808 (Ext: 443)</span></span></p><div><b><font size="2">If you are too lazy to plow now, don't expect a harvest, later</font></b><br></div></div></div>
</div>
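<p>The ruleset the thread is circling around, written out as an added example (not code from either poster or from the Squid project): a proxy-only host with WAN on eth0 and LAN on eth1, with the stateful ACCEPT and the LAN ACCEPTs placed before the final DROP because iptables stops at the first match. It assumes Squid listens on TCP 3128 and SSH on TCP 22, neither of which the thread states; <code>-m conntrack --ctstate</code> is the current spelling of the <code>-m state --state</code> form used above.</p>

```shell
#!/bin/sh
# Added example, not from the thread's posters or from the Squid project:
# an iptables-restore ruleset for a two-interface host that runs only Squid
# (no forwarding), ordered so the stateful ACCEPT precedes the DROP.
# Assumed, not stated in the thread: Squid on TCP 3128, SSH on TCP 22.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
SQUID_PORT=${SQUID_PORT:-3128}

# Emit the ruleset. iptables evaluates rules top to bottom, first match
# wins, so the order of the lines below is the whole point.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: Squid helpers and local tools talk to 127.0.0.1
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (Squid fetching origin servers)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# LAN only: proxy clients and SSH administration
-A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# see the WAN flood without logging every packet: at most 5 lines a minute
-A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "wan-drop: "
# everything else, WAN included, is dropped; no FORWARD rules at all
-A INPUT -j DROP
COMMIT
EOF
}

# Line number of the first rule containing the literal string $1 (empty if
# absent); used to confirm the ordering before the rules are loaded.
rule_index() {
    ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Load atomically with iptables-restore (needs root); "show" only prints.
case "${1:-show}" in
    show)  ruleset ;;
    apply) ruleset | iptables-restore ;;
esac
```

Run it with <code>show</code> first and check that the RELATED,ESTABLISHED line sits above the DROP; only then run <code>apply</code> as root.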