  1. #1
    Just Joined!
    Join Date
    Jul 2010
    Posts
    10

    n00b iptables question.


    I am setting up a new squid daemon to run on my server. I want to make sure that everyone inside my network can access squid but I want to make sure everyone on the internet is blocked.

    eth0 is connected to my internal LAN via: 192.168.0.5/255.255.255.0
    eth1 is connected to the internet via: 1.1.1.1/255.255.255.248
    Squid listens on port 3124

    Is this the correct syntax for doing that?:

    iptables -F
    iptables -t nat -F
    iptables -X
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 3124 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    As you can probably see I prefer to block everything except for what I'm actually using.

    The tricky part is I'm not sure how to block everyone on the net but allow everyone on my local network access to squid.

    Thanks in advance.

  2. #2
    awc
    Just Joined! awc's Avatar
    Join Date
    Aug 2012
    Location
    North America
    Posts
    40
    Try this

    Code:
    iptables -F
    iptables -t nat -F
    iptables -X
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth1 -p tcp --dport 3124 -j DROP
    iptables -A INPUT -p tcp --dport 3124 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    Squid also opens up UDP port 44685 and UDP6 port 41416 so you may want to look into securing those as well.
    Last edited by awc; 12-08-2012 at 09:39 PM. Reason: Corrected the placement of the DROP rule

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    The question I have here is what are you looking to accomplish with your firewall? Looking at what you both have posted above you are opening up the firewall and squid to internet attacks. I am sure this is not what you are looking to do and you should look at adding interfaces to your rules.

    Here is a Tutorial where you can read up on the subject.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  5. #4
    awc
    Just Joined! awc's Avatar
    Join Date
    Aug 2012
    Location
    North America
    Posts
    40
    Quote Originally Posted by Lazydog View Post
    Looking at what you both have posted above you are opening up the firewall and squid to internet attacks.
    Would you mind elaborating on that? Maybe you could post a correct ruleset instead of a link to a 95 page article.

  6. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by awc View Post
    Would you mind elaborating on that? Maybe you could post a correct ruleset instead of a link to a 95 page article.
    As the old saying goes......

    Give a man a fish and he eats for a day.......
    Teach a man to fish he eats for the rest of his life.

    Let's say you have 2 interfaces:

    eth0 = internet
    eth1 = LAN

    Now you have a rule:
    Code:
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    Since you do not have an interface to apply the rule to, iptables applies the rule to all interfaces, which is the default behavior. This means that both interfaces will allow port 22 to get to your firewall. Under normal circumstances you would not want to allow internet access to your firewall, and I would never set up a firewall to allow this.

    So with that being said, and only wanting eth1 to be able to access the firewall over port 22, the rule should look like this:

    Code:
    iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    Now please take the time to read that 95 page article as it will explain how to set up your rules to protect you from the world.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted
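Lazydog's point, applied to the OP's actual layout (eth0 = LAN 192.168.0.0/24, eth1 = internet, squid on TCP 3124), as an added example that is not from any poster in this thread: every rule that admits a new connection names both the interface and the source subnet, and a small stdin filter flags INPUT ACCEPT rules that are not bound to an interface. The variable names and the `--dry-run` switch are this example's own.

```shell
#!/bin/sh
# Added example: LAN-only access to squid and ssh, with interface-bound rules.
LAN_IF=eth0              # OP: eth0 is the LAN side
LAN_NET=192.168.0.0/24   # OP: 192.168.0.5/255.255.255.0
WAN_IF=eth1              # OP: eth1 is the internet side
SQUID_PORT=3124          # OP: squid listens on 3124

# $1 is the command used to load each rule: "iptables" for real, "echo" to print.
apply_rules() {
    ipt=$1
    $ipt -F
    $ipt -t nat -F
    $ipt -X
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the host opened, on any interface
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a LAN source address arriving on the WAN interface is bogus
    $ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # New ssh and squid connections only from the LAN interface AND the LAN subnet;
    # everything else (including anything on eth1) falls through to the DROP policy
    $ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -m state --state NEW -j ACCEPT
}

# Reads rules on stdin and prints any INPUT ACCEPT rule that does not name an
# interface with -i (the ESTABLISHED,RELATED catch-all is the one intended exception).
# Empty output means every accept rule is interface-bound.
unscoped_accepts() {
    grep -- '-A INPUT' | grep -- '-j ACCEPT' \
        | grep -v -- 'ESTABLISHED,RELATED' | grep -v -- ' -i ' || true
}

# Usage: sh this_script.sh --dry-run   prints the rules; without --dry-run nothing
# is loaded, so call apply_rules iptables yourself (as root) once you have reviewed them.
case "${1:-}" in
    --dry-run) apply_rules echo ;;
esac
```

Piping the OP's own `iptables -A INPUT -p tcp --dport 3124 -j ACCEPT` through `unscoped_accepts` prints it back, which is exactly the exposure Lazydog describes; the ruleset above produces no output.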
