iptables rule to enable clients to send and receive emails with squid proxy
Hi gurus,
I am a newcomer in the Linux arena, and my network situation is:
ISP (public IP) ==>> Router (192.168.2.2) ==>> Linux box {having two network cards} eth1 (192.168.2.1) ==>> eth0 (192.168.1.102) ==>> switch (192.168.1.100) [MY LAN]
Hope you got an idea about my network setup. I had configured my squid proxy server and it is working fine now for accessing the internet using browsers etc., but after this my clients were unable to use MS Outlook to send or receive mails. For that I started the iptables service and added the rules:
#iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
#iptables --append FORWARD --in-interface eth0 -j ACCEPT
After that clients were able to use MS Outlook, but the problem is browsers were able to use the internet without the help of the squid proxy. AND MY REQUIREMENT IS: clients should be able to browse through squid and at the same time iptables should allow them to send or receive mails. My incoming mail port is port 110 and my outgoing mail port is port 587. I have been googling the same issue for the last two weeks; please help me, some gurus. It will be very helpful for me.
Hi,
Welcome to the Linux world! :) I hope you dream in bash commands from now on! :) So... Assuming that squid is set to the default port 3128, the following should work for you.
Code:
iptables -P FORWARD ACCEPT
Code:
http_port 192.168.1.102:3128 transparent
Code:
http_port 192.168.1.102:3128 intercept
Hope that helps you! :)
squid, web clients, mail service.
Hazmar.pm,
Your clients should have their browsers pointed to the squid on port 3128, or whatever port you configured that squid to listen on. It looks like the router is the device at which you should block outbound sockets to foreign hosts on port 80. What kind of device is that router? If it's a Cisco router with the firewall feature set in its IOS, you can enter an ACL for port 80 and attach that ACL to the inside interface. Internal clients should not be able to connect directly to an outside web or mail server. As far as mail service, the clients should not be connecting directly to foreign hosts. TCP 587 is the Message Submission port on MTAs like Sendmail (http://www.ietf.org/rfc/rfc2476.txt). Sendmail or Postfix should already be on your squid box. I'm assuming that it's the only Linux server on that 192.168.1.0/24 segment. If so, your clients should be configured to use the Linux box for outbound mail, and ports 25 and 587 outbound should actually be blocked at the firewall (the router in your diagram?). You should probably also use IMAP instead of POP3 so that the users' mail would not get distributed among a lot of workstations. Set up an imapd on your Linux box and all the mail will be located there.
Thanks gibikha...
[root@bugs ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
This is my iptables status after adding your rules, but my requirement is not happening: that is, my clients are still able to browse without the proxy and able to send emails. My need is to only allow ports 587 and 110, which are used for email communication with the mail server through the gateway, so that we can forward http requests to 3128 as you mentioned. I also need to open port number 8080. The ports that need to be open or forwarded are 587, 110 and 8080. Thanks very much.
Hi agentbuzz, thanks for your reply...
As I am applying the iptables rules mentioned in my first post or in gibikha's post, clients are able to browse the internet and access mails using email clients, so I hope that there is nothing wrong in my Cisco router (RV042 - 192.168.2.2). But the issue is clients are using iptables rather than squid for accessing the internet. My requirement is to limit user access in a way that iptables can be used by mail clients and squid is used for http access. Thanks a lot for your great support.
iptables, squid
Hi hamzar.pm,
If you've added the rules and configured squid accordingly, all the clients on your network should be accessing the internet through squid without browser configuration (transparent setup). You can check this by running (as root):
Code:
tail -f /var/log/squid/access.log
You could, however, use an iptables config like the following to redirect ALL PORTS to squid and allow ports 110 and 587 to bypass it.
Code:
iptables -P FORWARD ACCEPT
A second option, if you'd rather have all your clients configure their browsers manually...
Code:
iptables -P INPUT DROP
Try both options and see which works better for you. Let me know how you come along!
Hi gibikha,
You are awesome!!!!! I didn't try your last post yet as I am backing up huge files over the network; will try in the evening. I hope that your last post is the stuff that I searched for two weeks. And let me know: can I block some URLs or keywords such as facebook.com or orkut etc. by adding an ACL to squid.conf, as my squid is configured as transparent now? Thanks
Quick correction:
Code:
iptables -P FORWARD ACCEPT
Code:
iptables -P FORWARD ACCEPT
Hi gibikha,
I applied your first option and also included port 8080 to bypass, which is for a web server running inside the LAN on this port, but after that I am not able to send mails or to access that site via port 8080. Please find my iptables status:
[root@bugs squid]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:109 redir ports 3128
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:111:586 redir ports 3128
3 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:588:8087 redir ports 3128
4 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:8089:65535 redir ports 3128
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Thanks... :cool:
Code:
iptables -P FORWARD ACCEPT
Hi,
I have made changes according to your rules; now I am getting an error while accessing the internally hosted site from the outside network via port 8080: (111) Connection refused. And also mail clients are unable to send or receive mails. Please help.
Hi gibikha,
I am now going with the rules that you gave me in your first post. The proxy is working and mails are also able to get through; it's enough.
iptables -P FORWARD ACCEPT
## Forward web traffic to squid
iptables --table nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE
Now please let me know how to block certain keywords or URLs with this setup. Thanks
Hi,
This is a good place to start... http://mkeadle.org/?p=14
A full ACL reference can be found here: http://wiki.squid-cache.org/SquidFaq/SquidAcl
Have fun!
http://www.labtestproject.com/linnet...k_address.html
This link is also helpful for those who are starting with squid.