iptables -- Transparent Proxy with port blocking.
Hi,
I am testing Linux with iptables to act as an internet gateway.
Squid as a transparent proxy, with iptables redirecting 80 to 3128, works.
Also, trying to allow only the used ports like 21, 22, 25, 110, etc. works:
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 'port no' -j ACCEPT
iptables -A INPUT -j DROP
But together they do not. Am I missing something?
This is what I get after service iptables status:
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
6 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:20
7 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:21
8 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:23
9 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:25
10 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:110
11 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:443
12 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:8080
13 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:465
14 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:995
15 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:5666
16 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:1248
17 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:12489
18 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:119
19 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:80
20 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
21 DROP all -- 0.0.0.0/0 0.0.0.0/0
22 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:3128
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 192.168.1.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
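The rule order in a chain decides what a packet meets first: a catch-all DROP is terminating, so any ACCEPT appended after it in the same chain is never evaluated, and traffic that PREROUTING has already redirected to port 3128 reaches INPUT with dport 3128, not 80. The following audit script is an added example, not part of the original post; it parses a listing in the same format as the status output above (the excerpt embedded in it is constructed from that output) and reports every rule that sits behind an unconditional DROP.

```shell
#!/bin/sh
# Added example: find rules that can never match because an unconditional
# "DROP all 0.0.0.0/0 0.0.0.0/0" precedes them in the same chain.
# SAMPLE_LISTING is a constructed excerpt of the status output in the post.

SAMPLE_LISTING='Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
19 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:80
21 DROP all -- 0.0.0.0/0 0.0.0.0/0
22 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:3128
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0'

# shadowed_rules LISTING
# Prints "CHAIN:RULENUM" for each rule that follows a catch-all DROP
# (target DROP, protocol all, any source, any destination, no extra
# match expression) within its chain. Chain boundaries reset the state.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; dropped = 0; next }
        /^num /   { next }
        /^[0-9]+ / {
            if (dropped) { print chain ":" $1; next }
            # Exactly six fields means no trailing match (no state, no dpt)
            if ($2 == "DROP" && $3 == "all" &&
                $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && NF == 6)
                dropped = 1
        }'
}

# Report unreachable rules in a human-readable form.
shadowed_rules "$SAMPLE_LISTING" | while IFS=: read -r chain num; do
    printf 'rule %s in chain %s is never reached (follows a catch-all DROP)\n' \
        "$num" "$chain"
done
```

On a live gateway, feed it the real listing with `shadowed_rules "$(iptables -L -n --line-numbers)"`; a hit on the 3128 rule means the proxy's own port is being blocked before its ACCEPT is ever consulted.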