[squid-users] Squid Proxy with simple iptable rule ...
Antony Stone
Antony.Stone at squid.open.source.it
Mon Apr 17 12:53:30 UTC 2017
On Monday 17 April 2017 at 14:45:55, Arsalan Hussain wrote:
> Dear Sir Amos
:)
> I had reconfigured Squid 3.5 and it works fine, but I want to protect the WAN
> interface through IPTABLES
>
> 1- can you help me chain rule of simple iptables which drop all traffic from
> WAN eth0 to secure and allow squid user request from LAN eth1 only. (my
> WAN gets flooded from the public and it wastes all my bandwidth)
>
> For Example:
> -A INPUT -j LOG
Do you really want to log every packet hitting your machine?
What use is that information?
> -A INPUT -j DROP
That will prevent ALL packets from entering the machine - nothing can work.
You need to allow ESTABLISHED and RELATED packets before DROPping anything.
> Then allow
> -A INPUT -i eth1 -j ACCEPT
There's no point putting a rule like this after "INPUT -j DROP". Everything
has been DROPped already, whether it came from eth1 or not...
Remember that IPtables rules work on a "first match wins" basis.
> -A FORWARD -i eth1 -j ACCEPT
Er, wait, is this a forwarding router, or a Squid server accepting requests on
eth1 and sending them out on eth0?
> but it blocks traffic. Can you please help me with what allow rule will work
> for Squid 3.5 when I secure my WAN.
Please give us more details of your network - I understand that the machine
running Squid has two interfaces, but is it only acting as a proxy, or is it
also a forwarding router for other traffic?
Also, have you read any documentation on IPtables, to get some examples of
standard configurations?
And finally, you numbered the question above with a "1". Is there a "2"?
Antony.
--
Most people have more than the average number of legs.
Please reply to the list;
please *don't* CC me.
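Added example, not part of the post or of the Squid project: a shell function that emits an iptables-restore ruleset applying the ordering Antony describes (ESTABLISHED/RELATED first, explicit ACCEPTs next, DROP last). It assumes eth0 is the WAN, eth1 the LAN, the box is a proxy only (no forwarding), and Squid listens on its default port 3128.

```shell
#!/bin/sh
# Added example (not from the list post): emit an iptables-restore ruleset for a
# two-interface Squid box. Interfaces and port are assumptions; override them
# with arguments. Usage:
#   squid_firewall_rules [wan_if] [lan_if] [squid_port] | iptables-restore
squid_firewall_rules() {
    wan="${1:-eth0}"
    lan="${2:-eth1}"
    port="${3:-3128}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections Squid itself opened towards the WAN arrive here.
# This rule must come before any DROP, or every proxied fetch is killed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Only LAN clients may open new connections to the proxy port.
-A INPUT -i ${lan} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
# Log only what is about to be dropped from the WAN, rate limited,
# rather than every packet that hits the machine.
-A INPUT -i ${wan} -m limit --limit 5/min -j LOG --log-prefix "WAN-DROP: "
# Explicit final DROP (the chain policy already drops; kept so the order is visible).
-A INPUT -j DROP
# A proxy-only box forwards nothing between interfaces.
-A FORWARD -j DROP
COMMIT
EOF
}
```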