I've created an iptables script wherein it will act as a gateway and redirect all port 80 to squid and block other ports. However, you would notice that 192.168.1.26 is exempted from squid and wasn't included in the port blocking. 192.168.1.26 can surf the net and can do p2p, torrent, etc.
Could anyone advise how I could make 192.168.1.30 access the Internet by bypassing the port 80 redirection and only be able to connect to 110 and 143? Connecting to other ports should be blocked. I tried to create a new chain and feed 192.168.1.30 into it, but it seems it was blocked on all ports. I cannot query POP3 and IMAP, but I could browse the Internet since I'm bypassing the port 80 redirection.
Here are my additional parameters that didn't work:
iptables -N USERS
# rejects every packet whose destination port is not 110 (so IMAP on 143 is rejected here)
iptables -A USERS -p tcp ! --dport 110 -j REJECT
# rejects every packet whose destination port is not 143 (so POP3 on 110 is rejected here)
iptables -A USERS -p tcp ! --dport 143 -j REJECT
# send all non-80 TCP from 192.168.1.30 into the USERS chain
iptables -A FORWARD -p tcp -i $LAN_IN -s 192.168.1.30 ! --dport 80 -j USERS
# ACCEPT in nat PREROUTING ends nat processing, so 192.168.1.30 skips the Squid REDIRECT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -s 192.168.1.30 --dport 80 -j ACCEPT
Here is my script without those commands above:
#!/bin/sh
# Squid host and port (set here but not referenced by the rules below; the REDIRECT targets 8080)
SQUID_SERVER="192.168.0.21"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
UNIVERSE="0.0.0.0/0"
EXT_IPADDR="1.2.3.4"
UNPRIVPORTS="1024:65535"
# Flush all rules and delete user chains in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Enable routing between the two interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# Default policy: drop traffic to the gateway itself, allow its own outbound traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# From the Internet side only replies to existing connections are accepted
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may talk to the gateway (this is what lets them reach the proxy after REDIRECT)
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# NAT everything leaving on the Internet interface
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
# 192.168.1.26 may forward TCP to any port; everyone else is rejected on all TCP ports except 80
iptables -A FORWARD -p tcp -i $LAN_IN ! --dport 80 -s 192.168.1.26 -j ACCEPT
iptables -A FORWARD -p tcp -i $LAN_IN ! --dport 80 -s 0.0.0.0/0 -j REJECT
# ACCEPT in nat PREROUTING ends nat processing, so 192.168.1.26 skips the REDIRECT below
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -s 192.168.1.26 --dport 80 -j ACCEPT
# Everyone else's port 80 is sent to the local proxy port
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-ports 8080
# Redundant with the INPUT DROP policy, but harmless
iptables -A INPUT -j DROP
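As an added example (not part of the original post), here is one way to get the behaviour asked for: direct port 80 for 192.168.1.30, POP3 and IMAP allowed, everything else rejected. Two things in the posted USERS chain work against each other. First, "! --dport 110 -j REJECT" followed by "! --dport 143 -j REJECT" rejects every packet, because a packet to 110 fails the second test and a packet to 143 fails the first; allowing the two ports with one rule and rejecting the rest afterwards avoids that. Second, rules added with -A land at the end of FORWARD, after the script's catch-all REJECT on non-80 TCP, so the jump into the chain is never reached; inserting with -I puts it ahead. The script assumes the poster's $LAN_IN variable, a chain name MAILONLY chosen for this example, and an IPT variable (also an assumption) so the rules can be printed instead of applied.

```shell
#!/bin/sh
# Added example: restrict one LAN host to direct web (no Squid REDIRECT) plus POP3/IMAP only.
# Assumed to run after the poster's script, on the same gateway.
LAN_IN="eth1"

# IPT defaults to the real iptables binary; run with IPT=echo to print the rules instead
IPT="${IPT:-iptables}"

# mailonly_rules HOST
#   Lets HOST forward TCP to 110 and 143 only, and reach port 80 without the Squid REDIRECT.
mailonly_rules() {
    host="$1"
    # Create the chain, or flush it if a previous run already created it
    $IPT -N MAILONLY 2>/dev/null || $IPT -F MAILONLY
    # Allow exactly the two mail ports, then reject whatever else reached the chain
    $IPT -A MAILONLY -p tcp -m multiport --dports 110,143 -j ACCEPT
    $IPT -A MAILONLY -p tcp -j REJECT --reject-with tcp-reset
    # Insert at position 1 so this is evaluated before the script's catch-all
    # "! --dport 80 -s 0.0.0.0/0 -j REJECT" rule, which -A would put it behind
    $IPT -I FORWARD 1 -p tcp -i "$LAN_IN" -s "$host" ! --dport 80 -j MAILONLY
    # ACCEPT in nat PREROUTING ends nat processing for the packet, so the
    # later "--dport 80 -j REDIRECT" rule is skipped for this host
    $IPT -t nat -I PREROUTING 1 -i "$LAN_IN" -p tcp -s "$host" --dport 80 -j ACCEPT
}

# Usage: ./mailonly.sh 192.168.1.30      (or IPT=echo ./mailonly.sh 192.168.1.30 to preview)
if [ $# -gt 0 ]; then
    mailonly_rules "$1"
fi
```

Previewing with IPT=echo before applying is a cheap way to check rule order, and "iptables -L FORWARD -n --line-numbers" afterwards confirms the jump to MAILONLY sits above the catch-all REJECT.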