  1. #1
    Just Joined!

    How do I set this rule?


    Hi guys,

    I have one question.

    Suppose the task is: set up a squid proxy server but only allow access for clients in the example.com domain and deny all others.

    If I am faced with a situation like that, how do I go about putting the rule in iptables? I can easily put
    -A RH-Firewall-1-INPUT -p tcp --dport 3128 -j REJECT

    but how do I find out what the IP address or range should be for clients in the example.com domain? What command should I type, and what should I be putting in iptables besides the line on top? Suppose the IP addresses are on the LAN.

    Please help guys....

  2. #2
    scathefire (Linux Enthusiast)
    If it's the LAN, then you should already know the IP address range. You will be better off giving iptables a CIDR though:
    Code:
    192.168.0.0/24
    That is a 255.255.255.0 (aka Class C) range.

    For iptables your CIDR would go into the -s or --source whichever option you prefer to use.

  3. #3
    Just Joined!
    Quote Originally Posted by scathefire
    If it's the LAN, then you should already know the IP address range. You will be better off giving iptables a CIDR though:
    Code:
    192.168.0.0/24
    That is a 255.255.255.0 (aka Class C) range.

    For iptables your CIDR would go into the -s or --source whichever option you prefer to use.

    Thanks for the reply... suppose I am not given the IP address range. How do I find it out?
    What's the command I should type?

  4. #4
    scathefire (Linux Enthusiast)
    If you are physically connected to the LAN, and I assume you are running on a Linux box, run this command:

    Code:
    ifconfig
    You'll have to do this as root, or maybe have to do:

    Code:
    sudo /sbin/ifconfig
    You should have results like:

    Code:
    eth1      Link encap:Ethernet  HWaddr 00:1D:09:AC:CB:F8
              inet addr:192.168.0.241  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:6370 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2275 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2689680 (2.5 Mb)  TX bytes:434611 (424.4 Kb)
              Interrupt:17
    Take note of your Mask. For me it's a Class C, so it would be /24. You can Google yours to find your equivalent CIDR if you don't know about subnetting.

  5. #5
    Just Joined!
    Quote Originally Posted by scathefire
    If you are physically connected to the LAN, and I assume you are running on a Linux box, run this command:

    Code:
    ifconfig
    You'll have to do this as root, or maybe have to do:

    Code:
    sudo /sbin/ifconfig
    You should have results like:

    Code:
    eth1      Link encap:Ethernet  HWaddr 00:1D:09:AC:CB:F8
              inet addr:192.168.0.241  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:6370 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2275 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2689680 (2.5 Mb)  TX bytes:434611 (424.4 Kb)
              Interrupt:17
    Take note of your Mask. For me it's a Class C, so it would be /24. You can Google yours to find your equivalent CIDR if you don't know about subnetting.

    Hi.

    OK, I have found out that example.com is in 172.24.0.0/255.255.0.0.

    So how do I set the above rule in iptables to deny/allow access for, e.g., port 25?

    My RHCE exam is 12 hours away... I think this will be a requirement... please help!!!

  6. #6
    scathefire (Linux Enthusiast)
    This would drop all traffic coming at the firewall destined for port 25 from that network range.
    Code:
    iptables -A INPUT -p tcp -s 172.24.0.0/16 --dport 25 -j DROP
    If you wanna allow traffic, change the jumper (the -j) to ACCEPT.

    It really depends on your default chain policy; that would dictate the situation.

    e.g.
    INPUT DROP
    OUTPUT DROP
    FORWARD DROP
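An added example (not code from the thread or from either poster) in Python that ties posts #4 and #6 together: it derives the LAN CIDR from the inet addr and Mask fields of ifconfig output, exactly the step scathefire describes, and then builds the allow-then-reject rule pair for the squid port that the original question asks about. The ifconfig text is a constructed sample with the same shape as the one quoted above; the chain name, the port and the function names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of ifconfig output (same layout as the thread's eth1 example).
IFCONFIG_OUTPUT = """\
eth1      Link encap:Ethernet  HWaddr 00:1D:09:AC:CB:F8
          inet addr:192.168.0.241  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# Matches the old-style "inet addr:A.B.C.D  Bcast:...  Mask:M.M.M.M" line.
INET_RE = re.compile(r"inet addr:(\S+)\s+Bcast:\S+\s+Mask:(\S+)")


def lan_cidr(ifconfig_text: str) -> str:
    """Turn ifconfig's 'inet addr' + 'Mask' into the network CIDR, e.g. 192.168.0.0/24."""
    match = INET_RE.search(ifconfig_text)
    if not match:
        raise ValueError("no IPv4 'inet addr ... Mask' line found in ifconfig output")
    addr, mask = match.groups()
    # strict=False lets the host address (x.x.x.241) stand in for the network address;
    # ipaddress also accepts a dotted netmask and prints it back as a prefix length.
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def squid_rules(allowed_net: str, chain: str = "INPUT", port: int = 3128) -> list:
    """Allow one source range to the proxy port and reject everyone else.

    iptables walks a chain top to bottom and stops at the first match, so the
    ACCEPT for the allowed range must be appended BEFORE the catch-all REJECT.
    The default policy of the chain (DROP or ACCEPT) does not change this order.
    """
    # Validate the range before it ever reaches iptables; "172.24.0.0/255.255.0.0"
    # (the form in post #5) is normalised to "172.24.0.0/16".
    net = ipaddress.ip_network(allowed_net)
    return [
        f"iptables -A {chain} -p tcp -s {net} --dport {port} -j ACCEPT",
        f"iptables -A {chain} -p tcp --dport {port} -j REJECT",
    ]


if __name__ == "__main__":
    print("LAN range from ifconfig:", lan_cidr(IFCONFIG_OUTPUT))
    for rule in squid_rules("172.24.0.0/255.255.0.0", chain="RH-Firewall-1-INPUT"):
        print(rule)
```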
