- 11-30-2012 #1
n00b iptables question.
I am setting up a new squid daemon to run on my server. I want to make sure that everyone inside my network can access squid but I want to make sure everyone on the internet is blocked.
eth0 is connected to my internal LAN via: 192.168.0.5/255.255.255.0
eth1 is connected to the internet via: 1.1.1.1/255.255.255.248
Squid listens on port 3124
Is this the correct syntax for doing that?:
iptables -F
iptables -t nat -F
iptables -X
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 3124 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
As you can probably see I prefer to block everything except for what I'm actually using.
The tricky part is I'm not sure how to block everyone on the net but allow everyone on my local network access to squid.
Thanks in advance.
- 12-08-2012 #2
Try this
Code:
iptables -F
iptables -t nat -F
iptables -X
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3124 -j DROP
iptables -A INPUT -p tcp --dport 3124 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Squid also opens up UDP port 44685 and UDP6 port 41416 so you may want to look into securing those as well.
Last edited by awc; 12-08-2012 at 09:39 PM. Reason: Corrected the placement of the DROP rule
- 12-08-2012 #3
The question I have here is what are you looking to accomplish with your firewall? Looking at what you both have posted above, you are opening up the firewall and squid to internet attacks. I am sure this is not what you are looking to do and you should look at adding interfaces to your rules.
Here is a Tutorial where you can read up on the subject.
- 12-08-2012 #4
- 12-10-2012 #5
As the old saying goes......
Give a man a fish and he eats for a day.......
Teach a man to fish he eats for the rest of his life.
Let's say you have 2 interfaces
eth0 = internet
eth1 = LAN
Now you have a rule:
Code:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Since you do not have an interface to apply the rule to, iptables applies the rule to all interfaces, which is the default behavior. This means that both interfaces will allow port 22 to get to your firewall. Under normal circumstances you would not want to allow internet access to your firewall and I would never set up a firewall to allow this.
So with that being said, and only wanting eth1 to be able to access the firewall over port 22, the rule should look like this:
Code:
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Now please take the time to read that 95-page article as it will explain how to set up your rules to protect you from the world.
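Added example, not code from the thread or from any of the posters: a POSIX shell script that builds the interface-scoped ruleset the replies above describe, using the layout from the first post (eth0 = LAN 192.168.0.0/24, eth1 = internet, Squid on TCP 3124, SSH on 22). Every INPUT ACCEPT for a new connection is pinned to the LAN interface and the LAN subnet, a rule drops packets arriving on the internet interface with a spoofed LAN source, and port 3124 from eth1 simply falls through to the DROP policy. The variable names, the spoof-drop rule and the two counting helpers are assumptions of this example; the script only prints the iptables commands unless IPT=iptables is set, so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the forum thread): interface-scoped ruleset generator.
# Assumed layout, taken from the original question: eth0 = LAN, eth1 = internet.
# Default IPT prints the commands; run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WAN_IF="${WAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3124}"

build_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # loopback traffic is needed by squid itself and by most local services
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections this host already has (conntrack is the current
    # spelling of the older "-m state --state" match used in the thread)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # a packet on the internet interface claiming a LAN source address is spoofed
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # SSH and Squid: new connections only from the LAN interface AND LAN subnet
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
         -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" \
         -m conntrack --ctstate NEW -j ACCEPT
    # no rule accepts on $WAN_IF: port 3124 from the internet hits the DROP policy
}

# Number of ACCEPT rules pinned to the LAN interface (helper for self-checking).
count_lan_accepts() {
    build_rules | grep -c -- "-i $LAN_IF .* -j ACCEPT" || true
}

# Number of ACCEPT rules pinned to the internet interface; expected to be zero.
count_wan_accepts() {
    build_rules | grep -c -- "-i $WAN_IF .* -j ACCEPT" || true
}

# Stand-alone run: print (or apply) the ruleset.
build_rules
```

After applying, `iptables -L INPUT -v -n` shows each rule with its interface and source column, so a rule that still reads `*` in the "in" column is one that has not been scoped. If the firewall is being configured over SSH from the LAN, the existing session survives because the ESTABLISHED rule is inserted right after the policy change.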