LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 10-03-2009, 10:13 AM   #1
baig
Member
 
Registered: Nov 2008
Location: وادی ھنزہ
Distribution: Solaris 5.10, Debian Server 5.2, CentOS 5.6
Posts: 226
Blog Entries: 3

Rep: Reputation: 38
iptable rules for squid server..


Hi,
I am running squid 2.7 as cache/proxy server on ubuntu 9.4. Proxy server is accessed by clients with proxy settings in browsers..

proxy address: 192.168.1.100:8080

What I'm looking for is..

Clients should only be able to http, https, ftp through squid. if they do not set proxy then internet facility should not be available.. How ever I need to let them chat.

I need iptable rules that would:

accept only connection to 192.168.1.100:8080 except for yahoo, aim, msn chatting..

internet device= ppp0
lan device = eth1
squid server = 192.168.1.100:8080

thanks in advance.

Cheers!!
 
Old 10-03-2009, 02:34 PM   #2
jhcaiced
Member
 
Registered: Mar 2009
Distribution: CentOS - Ubuntu - Debian
Posts: 83

Rep: Reputation: 27
It would be difficult to setup iptables rules for IM since
they use may different servers with may different IPs that
change so your tables would be crazy.

For me it seems that configuring the squid server with
rules to allow the IM services should be easier since
the proxy can work on domains (not IPs) at the rules
and it's simpler to configure.

Perhaps, you could explain us more what are you trying to
accomplish, limit bandwith, limit internet access etc.

Best regards,
 
Old 10-04-2009, 05:52 AM   #3
baig
Member
 
Registered: Nov 2008
Location: وادی ھنزہ
Distribution: Solaris 5.10, Debian Server 5.2, CentOS 5.6
Posts: 226
Blog Entries: 3

Original Poster
Rep: Reputation: 38
Thank you for your reply..

Scenario is:

NETWORK CARDS:

2 NIC's 1->Internet eth1 & ppp0 2->eth1 LAN clients

SERVER: UBUNTU 9.4

Squid 2.7 stable with db auth
Mysqldb
dhcp2-server for lan
firewall: iptables

Internet Connection:

ppp0 over eth1
DHCP assigned addresses for eth1 & ppp0

Lan connections:
eth1
Clients: 20
network: 192.168.1.0/24
squid :192.168.1.100:8080



What I need:
iptable rules for firewall that can:

allow only access to 192.168.1.100:8080(squid 2.7) from LAN

Want to know:

do i need NAT'ing with squid? as my internt connections allows only ppp0 address to access internet with authentication on their server.

squid.conf


auth_param basic program /usr/lib/squid/squid_db_auth --user xxxxx --password xxxxxxxxxx --plaintext --presist
auth_param basic children 2
auth_param basic realm web-Proxy
auth_param basic credentialsttl 5 minute
auth_param basic casesensitive off

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

acl db-auth proxy_auth REQUIRED
acl bad_sites url_regex '/etc/squid/sites.txt'
http_access deny bad_sites
http_access allow db-auth
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all

http_port 192.168.1.100:8080

hierarchy_stoplist cgi-bin ?

cache_mem 512 MB
maximum_object_size_in_memory 512 KB
cache_dir ufs /var/spool/squid 50000 16 256
maximum_object_size 40480 KB

access_log /var/log/squid/access.log squid
client_netmask 255.255.255.0

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT

shutdown_lifetime 10 seconds

cache_mgr xxxxxxxxxxxxxx
visible_hostname xxxxxxxxxxxx
hosts_file /etc/hosts
coredump_dir /var/spool/squid
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptable rules, your opinions linuxcbon Linux - Security 7 08-16-2008 06:54 PM
are iptable rules same as firestarter? gimmee Ubuntu 1 06-16-2007 05:30 AM
IPTable rules RecoilUK Linux - Security 1 05-27-2005 08:25 PM
Help with IPtable Rules aqoliveira Linux - Security 3 12-10-2003 11:00 AM
Iptable rules for Gnutella al_erola Linux - Security 5 03-06-2002 04:21 AM


All times are GMT -5. The time now is 09:09 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration