[squid-users] Squid Proxy with simple iptable rule ...

Antony Stone Antony.Stone at squid.open.source.it
Mon Apr 17 12:53:30 UTC 2017


On Monday 17 April 2017 at 14:45:55, Arsalan Hussain wrote:

> Dear Sir Amos

	:)

> I had reconfigured Squid 3.5 and it works fine, but I want to protect the WAN
> interface through IPTABLES.
> 
> 1- Can you help me with a simple iptables chain rule which drops all traffic from
> WAN eth0, to secure it, and allows Squid user requests from LAN eth1 only? (My
> WAN receives floods from the public and it wastes all my bandwidth.)
> 
> For Example:
> -A INPUT -j LOG

Do you really want to log every packet hitting your machine?

What use is that information?

> -A INPUT -j DROP

That will prevent ALL packets from entering the machine - nothing can work.

You need to allow ESTABLISHED and RELATED packets before DROPping anything.

> Then allow
> -A INPUT -i eth1 -j ACCEPT

There's no point putting a rule like this after "INPUT -j DROP".  Everything 
has been DROPped already, whether it came from eth1 or not...

Remember that IPtables rules work on a "first match wins" basis.

> -A FORWARD -i eth1 -j ACCEPT

Er, wait, is this a forwarding router, or a Squid server accepting requests on 
eth1 and sending them out on eth0?

> but it blocks traffic. Can you please help me with what allow rule will work
> for Squid 3.5 when I secure my WAN?

Please give us more details of your network - I understand that the machine 
running Squid has two interfaces, but is it only acting as a proxy, or is it 
also a forwarding router for other traffic?

Also, have you read any documentation on IPtables, to get some examples of 
standard configurations?


And finally, you numbered the question above with a "1".  Is there a "2"?


Antony.

-- 
Most people have more than the average number of legs.

                                                   Please reply to the list;
                                                         please *don't* CC me.
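The points raised in the reply above (ESTABLISHED,RELATED before any DROP, first match wins, no unconditional LOG, no FORWARD rules unless the box actually routes) put together as one ruleset. This is an added example, not code from Antony's reply or from the Squid project; it assumes the host only runs Squid, that Squid listens on TCP 3128, and that the LAN is 192.168.1.0/24, all of which are assumptions to adjust. The script prints an iptables-restore ruleset and applies nothing by itself.

```shell
#!/bin/sh
# Added example, not from the list thread: an iptables-restore ruleset for a
# host that only runs Squid, with eth0 = WAN and eth1 = LAN. The port and the
# LAN range below are assumptions; change them to match squid.conf and your LAN.
# The script only prints the ruleset; apply it yourself with
#   ./squid-fw.sh | iptables-restore --test   (parse only, commit nothing)
#   ./squid-fw.sh | iptables-restore          (commit)

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN range
SQUID_PORT="${SQUID_PORT:-3128}"       # assumed http_port in squid.conf

# Emit the ruleset. Rule order matters: iptables is first match wins, so the
# ESTABLISHED,RELATED accept sits above every DROP and the catch-all DROP is last.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: Squid helpers, a local DNS cache and admin tools talk to 127.0.0.1.
-A INPUT -i lo -j ACCEPT
# Replies to the connections Squid opened towards the WAN. Put a DROP above
# this line and every proxied fetch is answered by the origin and then thrown away.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot place in any connection; drop them before any ACCEPT.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New proxy requests: LAN interface, LAN source range, Squid's port only.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -m conntrack --ctstate NEW -j ACCEPT
# Optional: let LAN hosts ping the proxy.
-A INPUT -i $LAN_IF -p icmp -j ACCEPT
# Log what the WAN side is sending, but rate limited, not every packet.
-A INPUT -i $WAN_IF -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "wan-drop: "
# Catch-all, last. No FORWARD rules at all: this box proxies, it does not route.
-A INPUT -j DROP
COMMIT
EOF
}

# Self-check: the ESTABLISHED,RELATED accept must precede the catch-all DROP,
# which is exactly the ordering mistake in the rules quoted above.
check_order() {
    est=$(gen_rules | grep -n -- '--ctstate ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    drop=$(gen_rules | grep -n -- '^-A INPUT -j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

check_order && gen_rules
```

If the machine is also a router for the LAN (the open question in the reply), the FORWARD chain needs its own ESTABLISHED,RELATED accept and a rule for eth1-to-eth0 traffic; the ruleset above deliberately leaves FORWARD at policy DROP so that a proxy-only host forwards nothing.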

