On Thu, Aug 02, 2007 at 02:26:07PM -0300, Harlei Liguori wrote:
> My current rule set test is:
>
> #!/bin/bash
>
> ### Allow internal network ###
> iptables -A INPUT -s 10.15.192.0/22 -p tcp --dport 3128 -j ACCEPT
>
> ### Allow SSH access ###
> iptables -A INPUT -s 10.15.192.7 -p tcp --dport 22 -j ACCEPT
>
> ### Block all other access ###
> iptables -A INPUT -j DROP
> iptables -A FORWARD -j DROP
>
> It is only to try to allow access on TCP port 3128 and the SSH port 22 and
> drop all other ports, but it does not work...
>
Let's start with this:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Assuming you are running squid as a transparent proxy for http traffic
only.
First of all, you have to redirect web traffic to port 3128.
iptables -t nat -A PREROUTING -p tcp \
--dport 80 -j REDIRECT --to-ports 3128
Then, you have to allow incoming traffic to port 3128 since web traffic
is redirected here.
iptables -A INPUT -p tcp --syn --dport 3128 -j ACCEPT
Finally, you have to allow outgoing traffic from your proxy to the
Internet:
iptables -A OUTPUT -p tcp --syn --dport 80 -j ACCEPT
This is just an example, as I did not care about interfaces.
Hope it helps.
--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
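The steps above (accept reply traffic, redirect port 80 to Squid, accept new connections to 3128, let the proxy out) put together as one complete, interface-aware ruleset. This is an added example, not code from either poster: it emits the rules in iptables-restore format so they can be checked with `iptables-restore --test` before replacing the live tables, and it assumes the LAN 10.15.192.0/22 sits on eth1, the admin host is 10.15.192.7, the Internet is on eth0 and Squid listens on 3128. Only traffic arriving on the LAN interface from the LAN prefix is redirected, so the proxy is not reachable from the outside, and default policies are DROP so nothing depends on a trailing `-j DROP` rule.

```bash
#!/bin/bash
# Added example (not from the original thread): build a complete firewall
# ruleset for a transparent Squid box in iptables-restore format.
# Assumed layout: LAN 10.15.192.0/22 on eth1, admin host 10.15.192.7,
# Internet on eth0, Squid on TCP 3128.  Adjust the arguments to match.

gen_rules() {
    local lan_net="$1" admin_ip="$2" lan_if="$3" wan_if="$4" squid_port="${5:-3128}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only LAN clients arriving on the LAN interface get redirected to Squid;
# anything else (including the WAN side) is left alone.
-A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and reply traffic.  Without the state rules every reply to a
# connection the host opened is dropped, which is why the original set failed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections from the LAN to Squid: redirected port 80 lands here too,
# because REDIRECT rewrites the destination port before the filter table.
-A INPUT -i $lan_if -s $lan_net -p tcp --syn --dport $squid_port -j ACCEPT
# SSH only from the admin host, only on the LAN side.
-A INPUT -i $lan_if -s $admin_ip -p tcp --syn --dport 22 -j ACCEPT
# Squid's own fetches: 80 for redirected traffic, 443 for CONNECT from clients
# that are configured to use the proxy explicitly; DNS for name resolution.
-A OUTPUT -o $wan_if -p tcp --syn -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -o $wan_if -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Emit the ruleset when run directly (defaults are the thread's addresses):
#   ./squid-fw.sh | sudo iptables-restore --test    # parse only, nothing applied
#   ./squid-fw.sh | sudo iptables-restore           # replace the live tables
gen_rules "${1:-10.15.192.0/22}" "${2:-10.15.192.7}" "${3:-eth1}" "${4:-eth0}"
```

Two things worth checking before applying it: iptables-restore replaces the whole table, so any rule the box needs for other services (apt, NTP, a non-proxy outbound policy) has to be added here too, and locally generated traffic from Squid never passes PREROUTING, so there is no redirect loop; the OUTPUT chain is where the proxy's own HTTP is allowed.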