Linux, squid and iptables for a secure LAN with internet access.
I have installed Linux 7.1 on a machine. I got one LAN (192.168.10.1) and one internet IP (203.197.96.198) from my ISP, and I want to create a secure gateway and router. I don't know which configuration would be better; I have two options: 1. iptables, 2. squid proxy. Can I use both?
What should be the secure configuration in the squid.conf file, or maybe in other files? What should be the secure configuration in the /etc/iptables file? I want to block ping from outside the LAN. Thanks in advance for your answer. (abhishek)
It depends on what you are trying to do really...
I would definitely say that you would use iptables because you will need to use MASQUERADE etc., but whether squid is going to do anything for you I'm not sure. Squid (I could be wrong) I have found more useful for making sure machines internally are not going to inappropriate content etc. Iptables is used to block out everything else. Try this script to block everything from outside and allow connections from inside out. You will of course need to refine this to suit your own needs. Code:
hi chrisfirestar,
Thanks for your reply. Don't you feel that your firewall rules are more complicated? I have implemented one firewall with MASQUERADING and also with IP forwarding. My default rules were:
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
and I only gave permission to 192.168.10.0, 192.168.10.1 up to 192.168.10.20 as source and anywhere as destination. My protocols were TCP and FTP and the ports were 80 and 21. It was working properly as far as the web is concerned. My question is, will it be OK when we think about a secure network? Abhishek
Well, if the defaults are DROP you should be OK... a few other things you may want to enter into the rules (or manually change):
    # Blocks External Ping requests
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This means the outside world can't ping you, therefore making you hidden on the net. Visit www.grc.com and do the Shields Up! test. This will tell you any flaws you may have in your firewall :) If you have any other problems or are unsure how to fix a problem that arises, report :)
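The rule set Abhishek describes (default DROP on all chains, only LAN hosts .1 to .20 allowed out to ports 80 and 21, MASQUERADE) together with chrisfirestar's point about not answering pings from outside, written out as an added example that is not from either poster. The script only prints the iptables commands so they can be reviewed before being piped to sh on the gateway; interface names, the iprange/conntrack matches and the nf_conntrack_ftp helper are assumptions about a current iptables, not anything stated in the thread.

```shell
#!/bin/sh
# Added example: emit the rules for the policy discussed in the thread.
# eth0/eth1 are assumed names for the ISP side and the LAN side.
IPTABLES=${IPTABLES:-/sbin/iptables}
WAN_IF=${WAN_IF:-eth0}                  # assumed: holds 203.197.96.198
LAN_IF=${LAN_IF:-eth1}                  # assumed: holds 192.168.10.1
LAN_RANGE=${LAN_RANGE:-192.168.10.1-192.168.10.20}
ALLOWED_TCP=${ALLOWED_TCP:-"80 21"}     # web and FTP control, as in the thread

gen_rules() {
    # Start clean and make DROP the default on every built-in chain.
    echo "$IPTABLES -F"
    echo "$IPTABLES -t nat -F"
    echo "$IPTABLES -P INPUT DROP"
    echo "$IPTABLES -P OUTPUT DROP"
    echo "$IPTABLES -P FORWARD DROP"
    # Loopback, plus replies to flows the LAN opened; RELATED also covers
    # the FTP data connection once the ftp conntrack helper is loaded.
    echo "$IPTABLES -A INPUT -i lo -j ACCEPT"
    echo "$IPTABLES -A OUTPUT -o lo -j ACCEPT"
    for chain in INPUT OUTPUT FORWARD; do
        echo "$IPTABLES -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done
    # Only the listed LAN hosts may open new TCP connections, and only to
    # the allowed ports; everything else falls through to the DROP policy.
    for port in $ALLOWED_TCP; do
        echo "$IPTABLES -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $port" \
             "-m iprange --src-range $LAN_RANGE -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Hide the LAN behind the single ISP-assigned address.
    echo "$IPTABLES -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    # Ping: the LAN may still ping the gateway for troubleshooting. Echo
    # requests arriving on the WAN side hit the INPUT DROP policy; log them
    # (rate limited) so a scan from outside shows up in the logs.
    echo "$IPTABLES -A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -j ACCEPT"
    echo "$IPTABLES -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request" \
         "-m limit --limit 5/min -j LOG --log-prefix 'wan-ping: '"
    # Routing between the two interfaces and the FTP helper.
    echo "modprobe nf_conntrack_ftp"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

gen_rules
```

Name resolution (53/udp) is not in the original port list and must be added if the LAN hosts resolve names through this gateway; on an older kernel the FTP helper module is ip_conntrack_ftp rather than nf_conntrack_ftp.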