Leo,

Leo wrote:
> Hello all, netfilter!
>
> Do I need 4 rules to use Squid with firewall and masq, if the default
> policy is DROP?
>
>               eth1 int_ip          eth0 ext_ip
>                   |    FIREWALL     |
>        1.-->>     -->>3.
>  USER             |                 |   INET
>        4.<<--  SQUID(3128)  <<--4.
>                   |                 |
>
> 1. user request. It will be:
> iptables -t nat -A PREROUTING -i eth1 -s USER -p tcp --dport 80 -j DNAT --to int_ip:3128

Add this rule to let the traffic through to your internal machine (if your
default policies are DROP in the filter table):

iptables -A FORWARD -i eth1 -o eth1 -s ext_ip -d int_ip -p tcp --dport 3128 -j ACCEPT

> 2. allow squid to get out from firewall
> iptables -A OUTPUT -o eth0 -s ext_ip -p tcp --dport 80 -j ACCEPT

This should be:

iptables -A FORWARD -i eth1 -o eth0 -s int_ip -p tcp --sport 3128 --dport 80 -j ACCEPT
# you need to put in other rules if you want squid to do https and ftp also.

> 3. allow packets from www server come to squid
> iptables -A INPUT -i eth0 -d ext_ip -p tcp --sport 80 -j ACCEPT
> 4. allow answer squid to user
> iptables -A OUTPUT -o eth1 -s int_ip -p tcp --sport 80 -j ACCEPT

If you have a match for ESTABLISHED,RELATED then this is already done
(lines 3 and 4):

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

> Is my head thinking in the right direction?
> I work on a firewall with the rule: what is not permitted is DROPPED,
> and I make a rule for every step in long connections.
>
> P.S. I wrote these rules from my understanding of how such local
> processes as SQUID work. :-) and I may have made some mistakes in them.
>
> Thanks!

--
James A. Pattie
[EMAIL PROTECTED]
Linux -- SysAdmin / Programmer
PC & Web Xperience, Inc.
http://www.pcxperience.com/
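The complete rule set for the layout in Leo's diagram, written out as an added example that is not part of the thread and not code from either poster. It assumes Squid listens on the firewall itself at int_ip:3128 (as the diagram and the DNAT target imply), uses placeholder values for the interfaces and addresses, and defaults to a dry run that only prints the commands. Because the DNAT'd packet is addressed to the firewall, it is delivered locally and traverses INPUT rather than FORWARD; one ESTABLISHED,RELATED rule per chain replaces the per-direction reply rules (steps 3 and 4), and the DROP policy on FORWARD stops LAN hosts that would bypass the proxy.

```shell
#!/bin/sh
# Assumed topology (placeholders, not real addresses):
#   eth1 = LAN side of the firewall, address INT_IP; eth0 = Internet side.
#   Squid runs ON the firewall and listens on INT_IP:SQUID_PORT.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
INT_IP=${INT_IP:-192.168.1.1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only; set DRY_RUN=0 to apply them

# Wrapper so the rule set can be reviewed before it is loaded.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

squid_transparent_rules() {
    # "What is not permitted is dropped" in all three filter chains.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP

    # Reply halves of every accepted flow (covers steps 3 and 4 of the thread).
    run -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Step 1: redirect LAN web requests to Squid before the routing decision.
    run -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$INT_IP:$SQUID_PORT"
    # After DNAT the packet is for the firewall itself, so it hits INPUT, not FORWARD.
    run -A INPUT -i "$LAN_IF" -s "$LAN_NET" -d "$INT_IP" -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW -j ACCEPT

    # Step 2: Squid's own fetches leave from the firewall, so they traverse OUTPUT.
    # Add 443 and 21 here if Squid must also serve https and ftp.
    run -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443,21 \
        -m state --state NEW -j ACCEPT

    # Masquerade the rest of the LAN's traffic; port 80 never reaches FORWARD
    # because it was already redirected in PREROUTING, so direct web access is dropped.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    run -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

squid_transparent_rules
```

Run it as-is to review the generated commands, then `DRY_RUN=0 sh squid-fw.sh` as root to load them; `iptables -L -v -n` afterwards should show the INPUT counter for port 3128 climbing while the FORWARD rule sees no port 80 traffic at all.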