LinuxQuestions.org
Old 03-29-2005, 08:09 AM   #1
alvi2
Member
 
Registered: Feb 2005
Posts: 77

Rep: Reputation: 15
problem in iptable + squid


I am asking a very simple question.
I am running a cable net and use Squid as proxy server.
Now I want this:

I want to force users to use the proxy server for HTTP and FTP and want to force other requests through iptables.

Dropping port 80 requests in iptables????
How can I do this?
I don't want to use a transparent proxy.
 
Old 03-29-2005, 10:06 AM   #2
emence
Member
 
Registered: Jun 2003
Location: Springfield, MO
Distribution: RedHat/Slackware
Posts: 81

Rep: Reputation: 15
Well, the way you would want to do that would be to set up your Squid proxy server. Then set up the client machines' internet browser to use a proxy server. Aim the browsers at your Squid server for HTTP and FTP traffic and then leave the rest of the protocols blank; they will then by default go to the gateway, which I assume would be your iptables/ipchains box.
 
Old 03-29-2005, 01:28 PM   #3
alvi2
Member
 
Registered: Feb 2005
Posts: 77

Original Poster
Rep: Reputation: 15
need help

Dear emence,
I have done this:
browser-side LAN setting is set to the proxy

But the problem is that when users set the automatic LAN setting, not proxy, then they can browse due to the MASQUERADE that I made through iptables.

So I want that if users want HTTP requests then they should use the proxy setting, and if they change the browsing setting to auto then their "HTTP and FTP" requests must be dropped.

In other words I want:
"Linux deals with HTTP and FTP requests through the proxy and deals with other requests as router or masquerade"
 
Old 03-29-2005, 02:08 PM   #4
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
On your router/firewall to the outside world you would want to deny outgoing access for ports 80 and 21 to everybody except for your proxy server. If your router or firewall is a Linux machine you can easily use iptables to implement this.

Is the proxy you have set up as your router?
 
Old 03-29-2005, 03:20 PM   #5
alvi2
Member
 
Registered: Feb 2005
Posts: 77

Original Poster
Rep: Reputation: 15
Is the proxy you have set up as your router?

Yes, I am using Squid + routing on the same Linux machine.

Tell me how can I reject port 80 for all except the proxy?
Please send me the complete syntax of the commands.

I am using port 3128 for the proxy.
 
Old 03-29-2005, 03:41 PM   #6
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
I'll assume that since the Linux box is your router you have 2 NICs:
eth0 - outside world
eth1 - internal network

iptables -A INPUT -p tcp --dport 80 -i eth1 -j DROP
iptables -A INPUT -p tcp --dport 21 -i eth1 -j DROP

I think that should keep people from using the proxy/gateway without proper proxy settings.

I don't have a way to test that on a proxy, but it looks right to me.....
 
Old 03-29-2005, 04:06 PM   #7
alvi2
Member
 
Registered: Feb 2005
Posts: 77

Original Poster
Rep: Reputation: 15
Dear benjithegreat98,
You are absolutely wrong. I think you need to understand the concept and usage of a firewall.

But you gave me one hint.
Here is the story:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DROP
Now it is working well.

The INPUT chain is used only for local processes.
Thanks
 
Old 03-29-2005, 07:12 PM   #8
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
Transparent proxying?

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

That should force your users to use your proxy. And if you do the same for FTP, your users might encounter problems if they are using IE 5.5, as it tries to do a direct connection when trying to browse FTP sites.

hth.
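The gateway setup argued over in posts #6, #7 and #8, as an added shell script that is not from the thread. It puts the HTTP/FTP block in the FORWARD chain (routed traffic never passes INPUT, which is why post #6's rules had no effect and post #7's nat-table DROP did), keeps the MASQUERADE rule, and carries post #8's REDIRECT as a separate mode. Interface names eth0/eth1 and port 3128 are the thread's assumptions; the IPT=echo dry-run switch is an assumption added here.

```shell
#!/bin/sh
# Added example, not code from the thread. Gateway rules for the box the thread
# describes: one Linux host running Squid on tcp/3128, eth0 facing the outside,
# eth1 facing the LAN. Set IPT=echo to print the rules instead of applying them,
# so the rule set can be reviewed before it is run as root.

proxy_rules() {
    wan="$1"; lan="$2"; squid_port="$3"; ipt="${IPT:-iptables}"

    # LAN clients must be able to reach Squid itself. That traffic terminates on
    # this box, so it is the one place the INPUT chain applies.
    "$ipt" -A INPUT -i "$lan" -p tcp --dport "$squid_port" -j ACCEPT

    # Browsers set to "automatic"/no proxy send HTTP and FTP straight at the
    # gateway to be routed. Routed packets traverse FORWARD, not INPUT, so the
    # block belongs here. Squid's own upstream connections originate locally
    # (OUTPUT chain) and are not affected by these rules.
    for port in 80 21; do
        "$ipt" -A FORWARD -i "$lan" -o "$wan" -p tcp --dport "$port" -j DROP
    done

    # Everything else from the LAN is routed and masqueraded, as the OP had.
    "$ipt" -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    "$ipt" -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# Post #8's alternative: transparent proxying. Direct HTTP is rewritten to
# Squid's port instead of dropped. FTP is deliberately left alone because of
# the IE 5.5 direct-connection caveat mentioned in the thread.
transparent_rules() {
    lan="$1"; squid_port="$2"; ipt="${IPT:-iptables}"
    "$ipt" -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 -j REDIRECT --to-ports "$squid_port"
}

# Usage: sh proxy-rules.sh enforce|transparent  (eth0/eth1/3128 are assumptions)
case "${1:-}" in
    enforce)     proxy_rules eth0 eth1 3128 ;;
    transparent) transparent_rules eth1 3128 ;;
esac
```

Run it once with `IPT=echo sh proxy-rules.sh enforce` to read the rules, then as root without IPT to apply them; the FORWARD DROP rules must precede the FORWARD ACCEPT, which the function guarantees by ordering.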
 