block port squid

sunlinux · 06-21-2008, 05:33 AM

using squid as proxy on linux.issue is I want to close port 3128 which is expose to internet n any out side user can connect it n surf internet.

pls. tell how to use iptable command to block outsider to connect that squid port.

acid_kewpie · 06-21-2008, 09:09 AM

your internet firewall / router would be the place to do this, indeed if your squid server is an internal node than it's already implicitly "blocked" if you've not manually configutred your firewall to pass it through.

raskin · 06-21-2008, 12:41 PM

Also, ‘‘http_access allow’’ is a good idea. I'd setup both that and iptables, just in case. You never know whether a security bypass will be found in Squid; neither you know when you will need to alter iptables configuration in a complicated enough way to ruin your filter.

win32sux · 06-21-2008, 03:03 PM

You can use http_port to specify which address you want Squid to listen on.

To use iptables as an additional layer of security on the box itself, you could use a rule which only allows IPs on your LAN to access Squid. It might look something like this:

Code:

iptables -I INPUT -p TCP -i eth0 --dport 3128 -s ! 192.168.1.0/24 -j DROP

But like acid_kewpie already said, it's kinda weird that you'd be needing to do stuff like this - unless your dedicated router/firewall is forwarding this port to the Squid box. If you explain to us what your actual network setup looks like, we'll be able to provide you with some better feedback.

sunlinux · 06-23-2008, 01:38 AM

Nice win32sux,

My setup a linux box

Intrnet-----eth1(LinuxBOX)Public ip
LAN---------eth0(linuxBox)Private ip

I am using NAT to access internet from LAN, what I want to is block accessing default squid port from outside world on public ip. that's all

Pls. suggest now.

win32sux · 06-23-2008, 02:07 AM

Quote:

Originally Posted by sunlinux

Nice win32sux,

My setup a linux box

Intrnet-----eth1(LinuxBOX)Public ip
LAN---------eth0(linuxBox)Private ip

I am using NAT to access internet from LAN, what I want to is block accessing default squid port from outside world on public ip. that's all

Pls. suggest now.

Well in that case the simplest thing would be to use http_port to tell Squid to only listen on the private IP. You could then follow that up with an iptables rule to make certain that hosts on the WAN side couldn't connect to Squid even if it was listening on that address.

Code:

iptables -I INPUT -p TCP -i eth1 --dport 3128 -m state --state NEW -j DROP

This will do what you want, but in all honesty it is much better to simply firewall all unwanted connections on the WAN side (whitelisting instead of blacklisting).

sunlinux · 06-23-2008, 03:00 AM

thanx that helped..

sunlinux · 06-23-2008, 03:06 AM

hi can u gys help me a little more. I want to execute my NAT script at system start up. Currently I hv to run it after login into system.

Pls. help me out

usin REDHAT AS 4

linuxlover.chaitanya · 06-23-2008, 05:11 AM

Put the script in /etc/rc.local file

raskin · 06-23-2008, 10:53 AM

Or write it into an executable file in /etc/init.d directory and place a symlink (name must start with S) to it into /etc/rcS.d. The script will be called with single parameter ‘‘start’’.

sunlinux · 06-23-2008, 11:37 PM

Hi I put my script in /etc/rc.local file

Like: /etc/script/./nat

but it didn't work.

??

linuxlover.chaitanya · 06-24-2008, 12:10 AM

Quote:

Originally Posted by sunlinux

Hi I put my script in /etc/rc.local file

Like: /etc/script/./nat

but it didn't work.

??

Remove the "." that you put infront of /nat.

drokmed · 06-26-2008, 10:34 PM

No firewall on that box? That's scary. Is ssh server installed? I bet your server gets attacked constantly. You should take a look at your logs, I bet they are huge.