Old 07-21-2005, 04:19 AM   #1
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Rep: Reputation: 18
firewall misconfig !?!??!


IPT="/usr/sbin/iptables"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IFACE="eth1"
INET_IP="80.xx.xx.xx"
LAN_IFACE="eth0"
LAN_IP="192.168.154.222"
LAN_BCAST="192.168.154.255"
LAN="192.168.154.0/24"

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_mac

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

echo "0" > /proc/sys/net/ipv4/tcp_timestamps

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "0" > /proc/sys/net/ipv4/tcp_timestamps

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

###############################################################################
### Create chains...
###############################################################################

$IPT -N INPUT_LAN2GATE

$IPT -N INPUT_LAN2GATE_INFO
$IPT -N INPUT_LAN2GATE_CLI
$IPT -N INPUT_LAN2GATE_MEGA_SERVER

$IPT -N INPUT_INET2GATE
$IPT -N FORWARD_LAN2INET

$IPT -N FORWARD_LAN2INET_INFO
$IPT -N FORWARD_LAN2INET_CLI

$IPT -N FORWARD_LAN2INET_MEGA_SERVER
$IPT -N FORWARD_INET2LAN
$IPT -N BAD_PACKETS

###############################################################################
### INPUT
###############################################################################

$IPT -A INPUT -p ALL -m state --state INVALID -j DROP

##$IPT -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 -j ACCEPT
##DHCP-REQUEST
##$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p ALL -j BAD_PACKETS
$IPT -A INPUT -p ALL -i $INET_IFACE -j INPUT_INET2GATE
$IPT -A INPUT -p ALL -i $LAN_IFACE -j INPUT_LAN2GATE

$IPT -A INPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "INPUT DROP: "

###############################################################################
### OUTPUT
###############################################################################
$IPT -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
#------------------------
#$IPT -A OUTPUT -p ALL -o $LAN_IFACE -s $LO_IFACE -j ACCEPT
#------------------------

$IPT -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT
$IPT -A OUTPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "OUTPUT DROP: "
###############################################################################
### FORWARD
###############################################################################
$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p ALL -j BAD_PACKETS
$IPT -A FORWARD -p ALL -i $INET_IFACE -o $LAN_IFACE -j FORWARD_INET2LAN
$IPT -A FORWARD -p ALL -i $LAN_IFACE -o $INET_IFACE -j FORWARD_LAN2INET
$IPT -A FORWARD -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "FORWARD DROP: "
###############################################################################
### PREROUTING
###############################################################################
$IPT -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 8080
###############################################################################
### POSTROUTING
###############################################################################

$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP


Well, here is the main init of the firewall.

As you can see, I use a proxy server on port 8080 and an Apache server on port 81.

The problem is: after I set up the clients' browsers to use the proxy server (bypass proxy for local addresses is enabled), I was unable to connect to the Apache web server (http://192.168.154.222:81 -- connection timeout) and also webmin (http://192.168.154.222:10000 -- connection timeout).

It seems to be a firewall misconfig, but I don't know exactly where...
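Added example, not part of the thread: a small Python model of the top-level INPUT and OUTPUT chains exactly as the script above appends them, so that a packet can be traced against them by hand. The user chains INPUT_LAN2GATE and INPUT_INET2GATE are left as targets (their rules are not in this post), BAD_PACKETS is assumed to RETURN, the LOG rules are non-terminating, and the LAN client address 192.168.154.10 is a constructed sample.

```python
from dataclasses import dataclass

# Interface and address values are the ones the posted script defines.
LAN_IFACE, INET_IFACE, LO_IFACE = "eth0", "eth1", "lo"
LAN_IP, INET_IP, LO_IP = "192.168.154.222", "80.xx.xx.xx", "127.0.0.1"

@dataclass
class Pkt:
    iface: str          # -i for INPUT, -o for OUTPUT
    src: str
    proto: str          # "TCP", "UDP", "ICMP"
    dport: int = 0
    state: str = "NEW"  # conntrack state as seen by -m state

# Rule = (iface, src, proto, dport, state, target); None is a wildcard.
# Order matches the script. Note the ESTABLISHED,RELATED rule is commented
# out in the script, so it is absent here as well.
INPUT = [
    (None, None, None, None, "INVALID", "DROP"),
    (LAN_IFACE, None, "TCP", 22, None, "ACCEPT"),
    (LO_IFACE, LO_IP, None, None, None, "ACCEPT"),
    (INET_IFACE, None, None, None, None, "INPUT_INET2GATE"),
    (LAN_IFACE, None, None, None, None, "INPUT_LAN2GATE"),
]
OUTPUT = [
    (None, None, None, None, "INVALID", "DROP"),
    (LO_IFACE, LO_IP, None, None, None, "ACCEPT"),
    (LAN_IFACE, LAN_IP, None, None, None, "ACCEPT"),
    (INET_IFACE, INET_IP, None, None, None, "ACCEPT"),
]

def verdict(chain, p, policy="DROP"):
    """Return the first matching target, or the chain policy (DROP here)."""
    for iface, src, proto, dport, state, target in chain:
        fields = ((iface, p.iface), (src, p.src), (proto, p.proto),
                  (dport, p.dport), (state, p.state))
        if all(want is None or want == have for want, have in fields):
            return target
    return policy

if __name__ == "__main__":
    # LAN client opening http://192.168.154.222:81 directly: the sub-chain decides.
    print(verdict(INPUT, Pkt(LAN_IFACE, "192.168.154.10", "TCP", 81)))
    # A process on the gateway (e.g. the proxy) connecting to the LAN address:
    # the packet leaves on lo with the LAN IP as source; no OUTPUT rule covers that.
    print(verdict(OUTPUT, Pkt(LO_IFACE, LAN_IP, "TCP", 81)))
    # The same connection made to 127.0.0.1 is covered by the lo rule.
    print(verdict(OUTPUT, Pkt(LO_IFACE, LO_IP, "TCP", 81)))
```

Tracing the loopback case with the LAN IP as source is worth doing because the script only whitelists lo traffic with source 127.0.0.1.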
 
Old 07-21-2005, 05:49 AM   #2
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
You don't seem to have a rule in there to allow input on port 81 or 10000.

A personal opinion: put the echo's right at the end, because currently you have a little hole in there:
you enable forwarding, and then flush all the FORWARD rules... You do not want to do this; you want to enable IP forwarding as the last thing!

This rule:
$IPT -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 8080
actually makes your proxy transparent; you do not need to configure any clients to use your proxy.

Unless you have all the important rules in the chain INPUT_LAN2GATE, I cannot see how you would be able to access any of the services from the LAN, and you did not post the INPUT_LAN2GATE rules. If this chain is empty, then all packets going through this chain will get dropped, since your default policy on INPUT is DROP!
 
Old 07-21-2005, 06:44 AM   #3
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Original Poster
Rep: Reputation: 18
$IPT -N INPUT_LAN2GATE_INFO
$IPT -N INPUT_LAN2GATE_CLI

Well, I have defined 2 classes: _INFO (with no FORWARD restriction) and _CLI (forward only http, https, mail and messenger).

On the other hand, due to some bandwidth limitation I have to use traffic shaping rules (each client has a min of 32k and a max of 200k), but it seems that when traffic shaping is activated the hosts copy from squid with the max bandwidth allocated by the traffic shaping rules = 200k.

Well, if the browsers are set up to use the proxy server, the LAN machines copy from squid at ~8k-10k... so...

Well, here are the INPUT chains:

###############################################################################
### INPUT_LAN2GATE_INFO
###############################################################################
$IPT -A INPUT_LAN2GATE_INFO -p TCP --dport 8080 -j ACCEPT

#dns
$IPT -A INPUT_LAN2GATE_INFO -p UDP --dport 53 -j ACCEPT

$IPT -A INPUT_LAN2GATE_INFO -p ICMP --icmp-type 8 -j ACCEPT


#$IPT -A INPUT_LAN2GATE_INFO -p TCP --dport 80 -j ACCEPT

#apache
$IPT -A INPUT_LAN2GATE_INFO -p TCP --dport 81 -j ACCEPT
#webmin
$IPT -A INPUT_LAN2GATE_INFO -p TCP --dport 10000 -j ACCEPT

#pureftpd
$IPT -A INPUT_LAN2GATE_INFO -p TCP --dport 21 -j ACCEPT

$IPT -A INPUT_LAN2GATE_INFO -p ALL -j RETURN
###############################################################################
### INPUT_LAN2GATE_CLI
###############################################################################
$IPT -A INPUT_LAN2GATE_CLI -p TCP --dport 8080 -j ACCEPT

#dns
$IPT -A INPUT_LAN2GATE_CLI -p UDP --dport 53 -j ACCEPT

#pureftpd
$IPT -A INPUT_LAN2GATE_CLI -p TCP --dport 21 -j ACCEPT

#apache
$IPT -A INPUT_LAN2GATE_CLI -p TCP --dport 81 -j ACCEPT

#webmin
$IPT -A INPUT_LAN2GATE_CLI -p TCP --dport 10000 -j ACCEPT

$IPT -A INPUT_LAN2GATE_CLI -p ICMP --icmp-type 8 -j ACCEPT

$IPT -A INPUT_LAN2GATE_CLI -p ALL -j RETURN
...........................
 
Old 07-21-2005, 08:28 AM   #4
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
Perhaps you should not shape the network packets when they go to the proxy, but when they leave the proxy!
 
Old 07-21-2005, 01:56 PM   #5
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Original Poster
Rep: Reputation: 18
Yes... but the main problem remains: why can I not connect to the Apache server when the proxy is enabled on the client browsers???
 