[squid-users] Squid Proxy with simple iptable rule ...

Arsalan Hussain arsalan at preston.edu.pk
Mon Apr 17 17:31:34 UTC 2017


Dear Antony Stone,

In fact I recently converted from Squid 3.1 and have little idea of the iptables rules
used there; it was also working as a router for the internet, so I confused it with a
normal proxy.

> -A INPUT -j LOG

Do you really want to log every packet hitting your machine?

What use is that information?

@--- You are right, I don't need it.

> -A INPUT -j DROP

That will prevent ALL packets from entering the machine - nothing can work.

You need to allow ESTABLISHED and RELATED packets before DROPping anything.

@- Correct, I will add the established/related rule here:

-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

> Then allow
> -A INPUT -i eth1 -j ACCEPT

There's no point putting a rule like this after "INPUT -j DROP".  Everything
has been DROPped already, whether it came from eth1 or not...

Remember that IPtables rules work on a "first match wins" basis.

@- My mistake, it was before the drop rule, to allow SSH access from the LAN.

> -A FORWARD -i eth1 -j ACCEPT

Er, wait, is this a forwarding router, or a Squid server accepting requests on
eth1 and sending them out on eth0?

@- I don't need it, I will remove it.

> but it blocks traffic. Can you please help me with what allow rule will work
> for Squid 3.5 when I secure my WAN.

Please give us more details of your network - I understand that the machine
running Squid has two interfaces, but is it only acting as a proxy, or is it
also a forwarding router for other traffic?

@- It is only working as Squid. The LAN side consists of two VLANs and we
will configure 100 users to use the internet. We will limit each user to 2 MB
maximum bandwidth, while only 1 MB for FB/YouTube users.

Squid 3.5 is working fine, but I want to secure WAN eth0 against any
unauthenticated user access.
I only need to configure simple iptables rules to secure it.

On Mon, Apr 17, 2017 at 5:53 PM, Antony Stone <
Antony.Stone at squid.open.source.it> wrote:

> On Monday 17 April 2017 at 14:45:55, Arsalan Hussain wrote:
>
> > Dear Sir Amos
>
>         :)
>
> > I had reconfigured Squid 3.5 and it works fine, but I want to protect the WAN
> > interface through IPTABLES.
> >
> > 1- Can you help me with a chain rule of simple iptables which drops all traffic
> > from WAN eth0 to secure it and allows Squid user requests from LAN eth1 only. (My
> > WAN gets flooded by the public and it wastes all my bandwidth)
> >
> > For Example:
> > -A INPUT -j LOG
>
> Do you really want to log every packet hitting your machine?
>
> What use is that information?
>
> > -A INPUT -j DROP
>
> That will prevent ALL packets from entering the machine - nothing can work.
>
> You need to allow ESTABLISHED and RELATED packets before DROPping anything.
>
> > Then allow
> > -A INPUT -i eth1 -j ACCEPT
>
> There's no point putting a rule like this after "INPUT -j DROP".  Everything
> has been DROPped already, whether it came from eth1 or not...
>
> Remember that IPtables rules work on a "first match wins" basis.
>
> > -A FORWARD -i eth1 -j ACCEPT
>
> Er, wait, is this a forwarding router, or a Squid server accepting requests on
> eth1 and sending them out on eth0?
>
> > but it blocks traffic. Can you please help me with what allow rule will work
> > for Squid 3.5 when I secure my WAN.
>
> Please give us more details of your network - I understand that the machine
> running Squid has two interfaces, but is it only acting as a proxy, or is it
> also a forwarding router for other traffic?
>
> Also, have you read any documentation on IPtables, to get some examples of
> standard configurations?
>
>
> And finally, you numbered the question above with a "1".  Is there a "2"?
>
>
> Antony.
>
> --
> Most people have more than the average number of legs.
>
> Please reply to the list; please *don't* CC me.



-- 
With Regards,

Arsalan Hussain
Assistant Director, Networks & Information System

PRESTON UNIVERSITY
Add: Plot: 85, Street No: 3, Sector H-8/1, Islamabad, Pakistan
Cell: +92-322-5018611
UAN: (51) 111-707-808 (Ext: 443)
If you are too lazy to plow now, don't expect a harvest, later
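As an added illustration of the "first match wins" point made in this thread (example code, not from either poster), the script below evaluates the original INPUT ordering and a corrected one over a few constructed packets. Squid's default port 3128, the SSH rule on eth1 and the interface-agnostic ESTABLISHED,RELATED rule are assumptions, not details given in the thread.

```python
import shlex

# Constructed rule sets (iptables-save syntax). ORIGINAL is the ordering the thread
# criticises; FIXED allows ESTABLISHED,RELATED, LAN-only Squid (3128 assumed) and SSH, then DROPs.
ORIGINAL = """
-A INPUT -j LOG
-A INPUT -j DROP
-A INPUT -i eth1 -j ACCEPT
"""
FIXED = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
"""
# Constructed packets: LAN proxy request and SSH, a reply to a connection Squid
# opened towards the internet, and an unsolicited connection attempt from the WAN.
PACKETS = {
    "lan_proxy_request": dict(iface="eth1", proto="tcp", dport=3128, state="NEW"),
    "lan_ssh": dict(iface="eth1", proto="tcp", dport=22, state="NEW"),
    "wan_reply_to_squid": dict(iface="eth0", proto="tcp", dport=40000, state="ESTABLISHED"),
    "wan_unsolicited": dict(iface="eth0", proto="tcp", dport=3128, state="NEW"),
}

def parse(text):
    # Parse the small subset of -A INPUT options used above into match dicts.
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        rule = {"target": tok[tok.index("-j") + 1]}
        for flag, key in (("-i", "iface"), ("-p", "proto"), ("--dport", "dport"), ("--state", "state")):
            if flag in tok:
                rule[key] = tok[tok.index(flag) + 1]
        rules.append(rule)
    return rules

def matches(rule, pkt):
    # An absent option matches anything; --state takes a comma-separated list.
    return (rule.get("iface", pkt["iface"]) == pkt["iface"]
            and rule.get("proto", pkt["proto"]) == pkt["proto"]
            and int(rule.get("dport", pkt["dport"])) == pkt["dport"]
            and pkt["state"] in rule.get("state", pkt["state"]).split(","))

def verdict(rules, pkt, policy="ACCEPT"):
    # Top to bottom: LOG is non-terminating, so the first ACCEPT/DROP match wins.
    for rule in rules:
        if matches(rule, pkt) and rule["target"] != "LOG":
            return rule["target"]
    return policy

def evaluate(text):
    return {name: verdict(parse(text), pkt) for name, pkt in PACKETS.items()}
```

Running `evaluate(ORIGINAL)` drops every packet, including the LAN proxy request, while `evaluate(FIXED)` accepts the LAN requests and Squid's own return traffic and drops only the unsolicited WAN connection.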