LinuxQuestions.org
Old 01-04-2012, 08:57 AM   #1
hamzar.pm
Member
 
Registered: Aug 2009
Location: India,Kerala,Cochin
Distribution: Fedora 11 ,Centos, ubuntu, Redhat
Posts: 42

Rep: Reputation: 1
iptables rule for making clients able to send and receive emails with squid proxy


Hi gurus,
I am a newcomer in the Linux arena, and my network situation is

ISP(Public IP)===>>Router(192.168.2.2)=====>>Linux box{Having two network cards}eth1(192.168.2.1)==>>eth0(192.168.1.102)=====>>>switch(192.168.1.100)[MYLAN]
Hope you got an idea about my network setup.
I had configured my squid proxy server and it is working fine now for accessing the internet using browsers etc., but after that my clients were unable to use MS Outlook to send or receive mails,
so I started the iptables service and added these rules:
#iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

#iptables --append FORWARD --in-interface eth0 -j ACCEPT
After that clients were able to use MS Outlook, but the problem is that browsers were able to use the internet without the help of the squid proxy.
AND MY REQUIREMENT IS: clients should be able to browse through squid and at the same time iptables should allow them to send or receive mails.
My incoming mail port is port 110
Outgoing mail port is port 587
and I have been googling the same issue for the last two weeks.
Please help me, gurus.
It will be very helpful for me.
 
Old 01-04-2012, 10:04 AM   #2
gibikha
LQ Newbie
 
Registered: Jan 2012
Location: Johannesburg, South Africa
Distribution: Slackware,Debian
Posts: 9

Rep: Reputation: Disabled
Hi,

Welcome to the Linux world! I hope you dream in bash commands from now on!
So...

Assuming that squid is set to default port 3128, the following should work for you.

Code:
iptables -P FORWARD ACCEPT
## Forward web traffic to squid
iptables --table nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE
Please ensure that squid is also configured correctly by checking the following in squid.conf

Code:
http_port 192.168.1.102:3128 transparent
or
Code:
http_port 192.168.1.102:3128 intercept
for squid 3.1+

Hope that helps you!

Last edited by gibikha; 01-04-2012 at 10:10 AM. Reason: Typo!
 
Old 01-04-2012, 10:20 AM   #3
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
squid, web clients, mail service.

hamzar.pm,
Your clients should have their browsers pointed to the squid on port 3128, or whatever port you configured that squid to listen on. It looks like the router is the device at which you should block outbound sockets to foreign hosts on port 80. What kind of device is that router? If it's a Cisco router with the firewall feature set in its IOS, you can enter an ACL for port 80 and attach that ACL to the inside interface. Internal clients should not be able to connect directly to an outside web or mail server.

As far as mail service, the clients should not be connecting directly to foreign hosts. TCP 587 is the Message Submission port on MTAs like Sendmail (http://www.ietf.org/rfc/rfc2476.txt). Sendmail or Postfix should already be on your squid box. I'm assuming that it's the only Linux server on that 192.168.1.0/24 segment. If so, your clients should be configured to use the Linux box for outbound mail and ports 25 and 587 outbound should actually be blocked at the firewall (the router in your diagram?).

You should probably also use IMAP instead of POP3 so that the users' mail does not get distributed among a lot of workstations. Set up an imapd on your Linux box and all the mail will be located there.
 
Old 01-04-2012, 11:57 PM   #4
hamzar.pm
Member
 
Registered: Aug 2009
Location: India,Kerala,Cochin
Distribution: Fedora 11 ,Centos, ubuntu, Redhat
Posts: 42

Original Poster
Rep: Reputation: 1

Thanks gibikha.
[root@bugs ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
This is my iptables status after adding your rules,
but my requirement is not met; that is, my clients are still able to browse without the proxy and are able to send emails.
My need is to only allow ports 587 and 110, which are used for email communication with the mail server through the gateway,
so that we can forward HTTP requests to 3128 as you mentioned; I also need to open port number 8080.
The ports that need to be open or forwarded are 587, 110, and 8080.
Thanks very much.
 
Old 01-05-2012, 12:25 AM   #5
hamzar.pm
Member
 
Registered: Aug 2009
Location: India,Kerala,Cochin
Distribution: Fedora 11 ,Centos, ubuntu, Redhat
Posts: 42

Original Poster
Rep: Reputation: 1

Hi agentbuzz, thanks for your reply.
When I apply the iptables rules mentioned in my first post or in gibikha's post, clients are able to browse the internet and access mails using email clients, so I hope there is nothing wrong with my Cisco router (RV042, 192.168.2.2). But the issue is that clients are using iptables rather than squid for accessing the internet. My requirement is to limit user access in such a way that iptables is used by mail clients and squid is used for HTTP access.
Thanks a lot for your great support.
 
Old 01-05-2012, 02:17 AM   #6
gibikha
LQ Newbie
 
Registered: Jan 2012
Location: Johannesburg, South Africa
Distribution: Slackware,Debian
Posts: 9

Rep: Reputation: Disabled
iptables, squid

Hi hamzar.pm,

If you've added the rules and configured squid accordingly, all the clients on your network should be accessing the internet through squid without browser configuration (transparent setup).
You can check this by running (as root):
Code:
tail -f /var/log/squid/access.log
In the setup you have now, ALL PORTS are OPEN, excluding port 80 that redirects to squid.

You could, however, use an iptables config like the following to redirect ALL PORTS to squid and allow ports 110 and 587 to bypass it.

Code:
iptables -P FORWARD ACCEPT
## REDIRECT ALL PORTS TO SQUID EXCLUDING 110, 587 (POP3/SMTP)
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 0:109 -j REDIRECT --to-port 3128
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 111:586 -j REDIRECT --to-port 3128
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 588:65535 -j REDIRECT --to-port 3128

iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
That should do what I think you need it to.

A second option, if you'd rather have all your clients configure their browsers manually...

Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow new SMTP connections
iptables -A INPUT -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 587 -m state --state ESTABLISHED -j ACCEPT

# Allow new POP and IMAP connections
iptables -A INPUT -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
In the second config, all packets will be dropped excluding POP/SMTP/IMAP.
Try both options and see which works better for you.

Let me know how you come along!
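The second option above places the mail exceptions on INPUT and OUTPUT, which only govern the Linux box's own connections; the clients' mail crosses the box in FORWARD, which that config leaves at DROP with no exceptions. As an added example that is not from this thread, the script below builds a rule set for the layout in the first post (eth0 on the LAN side, eth1 towards the router, squid on 3128): LAN port 80 is intercepted into squid, only the poster's mail ports plus DNS are forwarded, and everything else is dropped. The LAN_NET value, the DNS rule and the DRY_RUN printing helper are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Topology from the first post:
#   eth0 = LAN side (192.168.1.0/24), eth1 = router side, squid on 3128.
# LAN_NET, the DNS rule and the DRY_RUN helper are assumptions.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
MAIL_PORTS=${MAIL_PORTS:-110,587}   # POP3 and submission, as the poster stated

# Run iptables, or only print the command when DRY_RUN is set, so the whole
# rule set can be reviewed (or checked by a script) before it reaches the kernel.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # nat: intercept LAN web requests into squid. Match the LAN-facing
    # interface; matching the router-facing one catches nothing from the LAN.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # nat: hide LAN addresses behind the box on the way out to the router.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # filter: default-deny forwarding. With "-P FORWARD ACCEPT" every port the
    # intercept rule does not cover stays open for clients to bypass squid.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Mail clients may reach their server directly on the listed ports only.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports "$MAIL_PORTS" -j ACCEPT
    # Clients still need DNS to resolve the mail server's name.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    # HTTPS (443) is neither intercepted nor forwarded here: add it to the
    # FORWARD list or configure browsers to use the proxy for it. Anything
    # else from the LAN is logged, then dropped by the chain policy.
    ipt -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "FWD-DROP: "
}

case "${1:-}" in
    --apply) apply_rules ;;             # run as root to load the rules
    --show)  DRY_RUN=1; apply_rules ;;  # print the rules without applying them
esac
```

Run it with `--show` first and compare the printed interfaces against the diagram before using `--apply`.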
 
Old 01-05-2012, 03:40 AM   #7
hamzar.pm
Member
 
Registered: Aug 2009
Location: India,Kerala,Cochin
Distribution: Fedora 11 ,Centos, ubuntu, Redhat
Posts: 42

Original Poster
Rep: Reputation: 1
Hi gibikha,
you are awesome!!!!! I didn't try your last post yet as I am backing up huge files over the network; I will try it in the evening. I hope that your last post is the stuff I have spent two weeks searching for. And let me know whether I can block some URLs or keywords such as facebook.com or orkut etc. by adding ACLs to squid.conf, as my squid is configured as transparent now.
Thanks
 
Old 01-05-2012, 05:50 AM   #8
gibikha
LQ Newbie
 
Registered: Jan 2012
Location: Johannesburg, South Africa
Distribution: Slackware,Debian
Posts: 9

Rep: Reputation: Disabled
Quick correction:

Code:
iptables -P FORWARD ACCEPT
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 0:109 -j REDIRECT --to-port 3128
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 111:586 -j REDIRECT --to-port 3128
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 588:65535 -j REDIRECT --to-port 3128
iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
The above will not work properly, as squid can only intercept HTTP traffic, so only ports 80 and 8080:

Code:
iptables -P FORWARD ACCEPT
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 3128
iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
 
Old 01-05-2012, 06:35 AM   #9
hamzar.pm
Member
 
Registered: Aug 2009
Location: India,Kerala,Cochin
Distribution: Fedora 11 ,Centos, ubuntu, Redhat
Posts: 42

Original Poster
Rep: Reputation: 1

Hi gibikha,
I had applied your first option and also included port 8080 to bypass, which is for a web server running inside the LAN on this port, but after that I am not able to send mails or to access that site via port 8080.
Please find my iptables status:

[root@bugs squid]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:109 redir ports 3128
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:111:586 redir ports 3128
3 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:588:8087 redir ports 3128
4 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:8089:65535 redir ports 3128

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
thanks....
 
Old 01-05-2012, 06:46 AM   #10
gibikha
LQ Newbie
 
Registered: Jan 2012
Location: Johannesburg, South Africa
Distribution: Slackware,Debian
Posts: 9

Rep: Reputation: Disabled
Code:
iptables -P FORWARD ACCEPT
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 3128
iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
Just use the code above; it should work (see previous post).
 
Old 01-05-2012, 07:35 AM   #11
hamzar.pm
Member
 
Registered: Aug 2009
Location: India,Kerala,Cochin
Distribution: Fedora 11 ,Centos, ubuntu, Redhat
Posts: 42

Original Poster
Rep: Reputation: 1
Hi,
I have made the changes according to your rules, and now I am getting an error while accessing the internally hosted site from the outside network via port 8080: (111) Connection refused. Also mail clients are unable to send or receive mails. Please help.
 
Old 01-05-2012, 07:45 AM   #12
hamzar.pm
Member
 
Registered: Aug 2009
Location: India,Kerala,Cochin
Distribution: Fedora 11 ,Centos, ubuntu, Redhat
Posts: 42

Original Poster
Rep: Reputation: 1
Hi gibikha,
I am now using this rule set that you gave me in your first post; the proxy is working and mails are also getting through, which is enough for me.
Code:
iptables -P FORWARD ACCEPT
## Forward web traffic to squid
iptables --table nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE
Now please let me know how to block certain keywords or URLs with this setup.
Thanks
 
Old 01-05-2012, 08:07 AM   #13
gibikha
LQ Newbie
 
Registered: Jan 2012
Location: Johannesburg, South Africa
Distribution: Slackware,Debian
Posts: 9

Rep: Reputation: Disabled
Hi,

This is a good place to start... http://mkeadle.org/?p=14

A full ACL reference can be found here: http://wiki.squid-cache.org/SquidFaq/SquidAcl

Have fun!
 
Old 01-06-2012, 01:03 AM   #14
hamzar.pm
Member
 
Registered: Aug 2009
Location: India,Kerala,Cochin
Distribution: Fedora 11 ,Centos, ubuntu, Redhat
Posts: 42

Original Poster
Rep: Reputation: 1

http://www.labtestproject.com/linnet...k_address.html
This link is also helpful for those who are starting with squid.
 
All times are GMT -5.