On 01/04/11 06:27, Saurabh Agarwal wrote:
> That link
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat was
> helpful Amos. Though instead of a mangle INPUT chain rule (as
> mentioned in the link) in iptables I had to add a mangle PREROUTING
> chain rule in iptables as follows:
> iptables -t mangle -A PREROUTING -p tcp -i ! lo --dport 3128 -j DROP
> This rule is allowing cachemgr access to port 3128 while denying
> access to port 3128 from other machines. The link
> http://www.faqs.org/docs/iptables/traversingoftables.html tells that
> the mangle PREROUTING table chain is traversed before the nat PREROUTING
> table.
>
> Do we need to modify the text in there?
Thanks. I've re-tested and you are right about using PREROUTING. Wiki
changed.
Do not add a cachemgr exception to the DROP rule. The point of that rule
is that absolutely *zero* forward-proxy requests are permitted to the
intercept port. The NAT handling screws with the request and TCP details
in ways which open the proxy to some nasty little security
vulnerabilities (CVE-2009-0801 describes the combined result).
The recommended practice is to use some randomly chosen port for the NAT
intercept receiving, with that strict rule in the wiki protecting it,
leaving the well-known 3128 as a second forward-proxy port available for
management and other desired accesses.
Your lo restriction rule you could leave unchanged as an extra limit on the
way to contact the management access port, or move it to the filter table
INPUT chain and use REJECT.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.5
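As an added illustration (not code from the thread or from the Squid wiki), a small Python model of the chain order the thread relies on: mangle PREROUTING runs before nat PREROUTING, so a DROP on the intercept port placed there only hits connections that arrive already addressed to that port, whereas the same rule in INPUT would see the DNATed port and kill intercepted traffic too. It also shows the recommended split of a separate intercept port with a strict DROP and 3128 kept as the forward-proxy port reachable only via lo. The proxy address, the client address and the 3129 intercept port are assumed values.

```python
"""Model of netfilter chain order for the Squid intercept DROP rule.
Assumed values: the proxy runs on 10.0.0.1, intercepts on port 3129 and
keeps 3128 as the forward-proxy / cachemgr port."""
from dataclasses import dataclass

PROXY_IP = "10.0.0.1"     # assumed address of the Squid box
INTERCEPT_PORT = 3129     # assumed randomly chosen intercept port (not 3128)
FORWARD_PORT = 3128       # well-known forward-proxy port used for cachemgr


@dataclass
class Packet:
    src: str
    dport: int
    iface: str            # interface the packet arrived on: "lo" or "eth0"


def mangle_drop(pkt: Packet) -> bool:
    """The wiki's strict rule: drop anything addressed to the intercept port."""
    return pkt.dport == INTERCEPT_PORT


def nat_prerouting(pkt: Packet) -> Packet:
    """DNAT client port-80 traffic to the intercept port; skip the proxy's own."""
    if pkt.dport == 80 and pkt.src != PROXY_IP:
        pkt.dport = INTERCEPT_PORT
    return pkt


def filter_input(pkt: Packet) -> bool:
    """Amos's suggestion: REJECT the forward-proxy port unless it came in on lo."""
    return not (pkt.dport == FORWARD_PORT and pkt.iface != "lo")


def deliver(pkt: Packet, drop_chain: str):
    """Return the port Squid receives the connection on, or None if blocked.
    drop_chain selects where the mangle DROP rule sits: 'PREROUTING' or 'INPUT'."""
    pkt = Packet(pkt.src, pkt.dport, pkt.iface)   # copy so the caller's packet is untouched
    if drop_chain == "PREROUTING" and mangle_drop(pkt):
        return None                                # seen before NAT: only direct hits drop
    pkt = nat_prerouting(pkt)                      # nat PREROUTING runs after mangle PREROUTING
    if drop_chain == "INPUT" and mangle_drop(pkt):
        return None                                # mangle INPUT sees the DNATed port: breaks intercept
    if not filter_input(pkt):
        return None
    return pkt.dport
```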