Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
12-11-2005, 05:30 PM, #1, Member (Registered: Feb 2005, Posts: 77)
ISA vs Squid
This thread is a little bit long, but it may be useful for cable operators. I need comments about this article.

Squid is best for a web proxy, then what about MS ISA?

I feel both are good, but Squid has a built-in bandwidth controller yet lacks virus-attack and Trojan control. Whoa, lack of a virus-attack controller, what is this?

Every person who uses Squid knows clearly that iptables is needed for real-time traffic (voice chat, webcam, ...) in Linux, meaning NATting. So if a client computer is infected with a virus, then what will you do? Or if it is using peer-to-peer programs like Kazaa, iMesh, eMule?

A solution is to control its web traffic through delay pools in Squid and real-time traffic through CBQ- or HTB-like tools.

Now suppose a computer operator is not using the Net, but his computer is infected with viruses or Trojans; it will still consume your bandwidth even though he is not using the Net. That is the negative point of Linux + Squid: a person is not using the Net, but his computer is consuming your bandwidth.

Now, how can we block peer-to-peer programs like Kazaa, iMesh, and the very, very bad DAP (download application accelerator)? A solution is to block the port, but how much?

In Linux I blocked the Kazaa port and watched. After blocking one port, Kazaa attached to another port. So much software, especially peer-to-peer, uses these kinds of tricks, so port blocking is not the solution.

So now take advantage of the ISA firewall. This software is installed on the client machine. So now block the peer-to-peer applications on an application basis. Suppose you want to block DAP, then disable this application in ISA; want to block Kazaa, then disable this application; similarly block viruses like schist, so no bandwidth is consumed through the firewall.

So a perfect solution is: use Squid for port 80 and use the ISA firewall for real-time traffic.

I need comments on this article; maybe this article will solve many cable operators' problems.
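The two-tier split the post proposes (Squid delay pools for port-80 traffic, a CBQ/HTB class tree for the real-time traffic that bypasses the proxy) looks like this in practice. This is an added example, not code from the thread; it assumes rates in kbit/s, that real-time flows carry netfilter mark 10 and proxied web traffic mark 20, that the shaper sits on the LAN-facing interface (so it shapes downloads toward clients), and the SIP/RTP ports are assumptions too.

```sh
#!/bin/sh
# Added example, not code from the thread: Squid delay pools for web traffic
# plus an HTB tree (the successor to CBQ) for everything that bypasses the
# proxy.  Assumptions of mine: rates are kbit/s, real-time flows are marked 10
# and proxied web traffic 20 in the mangle table, the shaper is on the
# LAN-facing interface.  Set TC=echo / IPT=echo to print instead of apply.

TC="${TC:-tc}"
IPT="${IPT:-iptables}"

# Squid delay pool of class 2: one aggregate bucket for the whole LAN plus one
# bucket per client IP.  Each "rate/burst" is bytes/s restored and bucket size
# in bytes; -1/-1 means unlimited.
squid_delay_pool_conf() {
    lan="$1"; agg="$2"; per_host="$3"
    cat <<EOF
acl lan src $lan
delay_pools 1
delay_class 1 2
delay_parameters 1 $agg $per_host
delay_access 1 allow lan
delay_access 1 deny all
EOF
}

# Mark flows so the fw filters below can steer them.  POSTROUTING sees both
# forwarded packets and replies generated by a local Squid.  Ports are
# assumptions: SIP signalling and a typical RTP range for voice, 80 for web.
mark_flows() {
    dev="$1"
    $IPT -t mangle -A POSTROUTING -o "$dev" -p udp --dport 5060 -j MARK --set-mark 10
    $IPT -t mangle -A POSTROUTING -o "$dev" -p udp --dport 10000:20000 -j MARK --set-mark 10
    $IPT -t mangle -A POSTROUTING -o "$dev" -p tcp --sport 80 -j MARK --set-mark 20
}

# HTB tree: a root class capped at the link rate and three leaves with
# guaranteed rates that may borrow up to the link rate.  Returns 1 without
# emitting anything when the guaranteed child rates add up to more than the
# parent, the common HTB misconfiguration that quietly voids every guarantee.
htb_shape() {
    dev="$1"; link="$2"; rt="$3"; web="$4"; bulk="$5"
    if [ $((rt + web + bulk)) -gt "$link" ]; then
        echo "htb_shape: $rt+$web+$bulk kbit exceeds link rate $link kbit" >&2
        return 1
    fi
    $TC qdisc add dev "$dev" root handle 1: htb default 30
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${link}kbit" ceil "${link}kbit"
    # 1:10 real-time (prio 0), 1:20 proxied web (prio 1), 1:30 everything
    # else, P2P and worm chatter included, as the default class (prio 2)
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "${rt}kbit" ceil "${link}kbit" prio 0
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "${web}kbit" ceil "${link}kbit" prio 1
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate "${bulk}kbit" ceil "${link}kbit" prio 2
    # Stochastic fair queueing inside each leaf so one client cannot starve the rest
    for leaf in 10 20 30; do
        $TC qdisc add dev "$dev" parent 1:$leaf handle $leaf: sfq perturb 10
    done
    # Steer by netfilter mark; unmarked traffic falls into the default class 1:30
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 handle 10 fw flowid 1:10
    $TC filter add dev "$dev" parent 1: protocol ip prio 2 handle 20 fw flowid 1:20
}

# Example: 2 Mbit/s link, 512 kbit guaranteed for voice, 1 Mbit for web, 512 kbit bulk
# mark_flows eth1 && htb_shape eth1 2048 512 1024 512
```

The point of the default class is the one the post makes: a worm or a port-hopping P2P client never gets marked, so whatever port it lands on it ends up in 1:30 with the lowest priority and no more than its guaranteed share, which is the part port blocking alone cannot deliver.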
12-12-2005, 01:42 AM, #2, abakali, Member (Registered: Dec 2005, Location: Karachi, Distribution: RedHat, Posts: 75)
Well, your point is good. ISA cache response time is much faster than Squid's, but when you are using a large number of cache drives and a large number of users hitting the cache, ISA crashes the cache index dir; in the case of Squid the number of cache hits increases.

2nd question, regarding the bandwidth controller: in MS you have to purchase a 3rd-party tool like SoftPerfect or Bandwidth Controller, but in Linux you have tc and Squid's delay_pool function.

3rd question: the MS firewall is required to be installed on the client; without installing it you are not able to connect NAT applications, or else many MS ISA users use the ICS option for transparent access, but this option is insecure for your network. In iptables you may have good firewalling options, but you have to have good iptables scripting concepts. If you are blocking P2P-like software, block all traffic and allow applications one by one.

4th question: ISA blocks applications using a signature word, but that was a tweak to block applications using ISA server; if the user changes the application name, like kazaa.exe renamed to kap.exe, the user is able to connect with this application.

Your iptables simple script: by default the script blocks all local MACs until you add the MAC address to the mac.address file. Define your local LAN, server IP, internal interface and external interface, create the mac.address file in /etc/rc.d/ and allow MACs using this pattern:
# +========================================================+
# /etc/rc.d/mac.address  -  Edit your MAC addresses here
# +========================================================+
# This file is sourced by the script below (". /etc/rc.d/mac.address") after
# $allowed_mac has been set to an iptables command prefix, so every line in it
# is executed as shell by root: keep only "$allowed_mac <MAC>" lines and
# comments in it, one MAC per line.
$allowed_mac 00:C0:26:88:F7:3C   # this MAC is the server, e.g.

#### script starts ####
IPTABLES=/sbin/iptables
OURLAN="xxx.xxx.xxx.0/24"      # the LAN behind $INTDEV
SERVERIP="xxx.xxx.xxx.xxx"     # this box's LAN address; unregistered MACs land on its port 80
EXTDEV="eth2"                  # upstream (internet) interface
INTDEV="eth1"                  # LAN interface

#### Do not change below this line
#### Port blocking
# Destination TCP ports dropped in INPUT, OUTPUT and FORWARD: SMTP/POP3/FTP/TFTP,
# NetBIOS/RPC/SMB, well-known worm and backdoor ports, Kazaa (1214), Gnutella (6346).
# Note that 21 is in this list, so the FTP allow in ADDRESS-FILTER below never matches.
# Duplicates of the original list removed (4444 and 27374 twice; 31337 is inside 31335:31337).
WORM_PORTS_TCP="25 110 21 69 135 137 138 139 153 707 445 9996 5554 4444 27374 1214 6346 10008 65535 12345 31335:31337"
WORM_PORTS_UDP_SOURCE="69 8998 995:999 4000"
WORM_PORTS_UDP_DEST="69 8998 995:999"
BLOCK_HOSTS="216.250.128.12 216.250.128.21"

# Netfilter modules (2.4/2.6-era names).  Newer kernels autoload what a rule
# needs and some of these (ipt_unclean, ip_conntrack) no longer exist, so a
# failed modprobe is ignored.  The original had "ipt_state" and "ipt_unclean"
# run together on one line.
/sbin/depmod -a
for mod in ip_tables iptable_filter iptable_nat iptable_mangle \
           ip_conntrack ip_conntrack_ftp ip_conntrack_irc ip_nat_ftp ip_nat_irc \
           ipt_state ipt_mac ipt_MARK ipt_MASQUERADE ipt_REDIRECT ipt_REJECT \
           ipt_LOG ipt_limit ipt_length ipt_TOS ipt_TCPMSS ipt_unclean; do
    /sbin/modprobe $mod 2>/dev/null
done

# Clean slate: flush and delete every chain in the three tables once.  (The
# original flushed twice, set all policies to DROP, then ACCEPT, then INPUT
# back to DROP; this is the end state it reached.)
for table in filter nat mangle; do
    $IPTABLES -t $table -F
    $IPTABLES -t $table -X
done
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT     # LAN traffic is forwarded except for what is blocked below
$IPTABLES -P OUTPUT ACCEPT

# MAC registration check.  TCP from the LAN goes through "maccheck": a listed
# MAC returns untouched, any other MAC gets mark 1, and marked TCP is DNATed
# to this box's port 80, so an unregistered PC only ever reaches the sign-up
# page.  Only TCP is checked, so UDP/ICMP from an unregistered MAC is still
# forwarded, and the check is no stronger than the MAC, which any client can set.
$IPTABLES -t mangle -N maccheck
$IPTABLES -t mangle -I PREROUTING -s $OURLAN -p tcp -j maccheck
allowed_mac="$IPTABLES -t mangle -A maccheck -m mac -j RETURN --mac-source"
. /etc/rc.d/mac.address
$IPTABLES -t mangle -A maccheck -j MARK --set-mark 1
$IPTABLES -t mangle -A maccheck -j RETURN
$IPTABLES -t nat -A PREROUTING -m mark --mark 1 -p tcp -j DNAT --to-destination $SERVERIP:80

# NetBIOS / RPC / SMB: TCP is rejected with a reset so Windows gives up at
# once, UDP is dropped in both directions.  (The original appended and then
# inserted the same UDP rules; one copy is enough.)
for chain in INPUT FORWARD; do
    $IPTABLES -A $chain -p tcp --dport 445     -j REJECT --reject-with tcp-reset
    $IPTABLES -A $chain -p tcp --dport 135:140 -j REJECT --reject-with tcp-reset
    $IPTABLES -A $chain -p udp --dport 135:137 -j DROP
    $IPTABLES -A $chain -p udp --sport 135:137 -j DROP
done

# Port blocking.  The original also added each of these to nat POSTROUTING
# with -j DROP; the nat table only sees a connection's first packet and is
# not meant for filtering, and the filter rules here already drop the traffic.
for port in $WORM_PORTS_TCP; do
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A $chain -p tcp --dport $port -j DROP
    done
done
for port in $WORM_PORTS_UDP_SOURCE; do
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A $chain -p udp --sport $port -j DROP
    done
done
for port in $WORM_PORTS_UDP_DEST; do
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A $chain -p udp --dport $port -j DROP
    done
done
for host in $BLOCK_HOSTS; do
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A $chain -d $host -j DROP
    done
done

# Firewall starts
$IPTABLES -N ADDRESS-FILTER
$IPTABLES -N LINWIZ-INPUT
$IPTABLES -N REJECT-PKT
$IPTABLES -N SYN-FLOOD
$IPTABLES -A INPUT -j LINWIZ-INPUT
echo 1 > /proc/sys/net/ipv4/ip_forward
######################################################################
# Allow all loopback interface traffic
$IPTABLES -A LINWIZ-INPUT -i lo -j ACCEPT
# Block all attempts to spoof the loopback address
$IPTABLES -A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A LINWIZ-INPUT -d 127.0.0.0/8 -j DROP
# Block all attempts to spoof the local IP address
$IPTABLES -A LINWIZ-INPUT -s $SERVERIP -j DROP
# SYN flood: the SYN-FLOOD chain has no rules, so this jump is a no-op until
# you put a "-m limit" rule in it
$IPTABLES -A LINWIZ-INPUT -p tcp --syn -j SYN-FLOOD
# Ensure that TCP connections start with SYN packets
$IPTABLES -A LINWIZ-INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Allow session continuation traffic
$IPTABLES -A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Call the IP and MAC address filtering chain
$IPTABLES -A LINWIZ-INPUT -j ADDRESS-FILTER
# Allow ICMP echo requests from hosts that passed ADDRESS-FILTER
$IPTABLES -A LINWIZ-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Block ping to the outside world from LAN users ("! -d" is the current
# syntax for the original "-d !")
$IPTABLES -A FORWARD -s $OURLAN ! -d $OURLAN -p icmp -j REJECT
#### using for squid
# Redirect ports (transparent proxy listening on 8080)
#$IPTABLES -t nat -A PREROUTING -s $OURLAN -p tcp -m multiport --dports 80,21,3128 -j REDIRECT --to-port 8080
#### using for squid
# Block cheaters
#$IPTABLES -A FORWARD -s $OURLAN ! -d localhost -p tcp -m multiport --dports 80,21,3128,8080 -j REJECT
# This line will masquerade all ports
$IPTABLES -t nat -A POSTROUTING -s $OURLAN -o $EXTDEV -j MASQUERADE
# Server broadcasting
#$IPTABLES -A LINWIZ-INPUT -s 192.168.0.1 -d 10.255.255.255 -p udp --dport 137:138 -j ACCEPT
# Accept every TCP and UDP port except 135-138 and 4444.  Only packets that
# ADDRESS-FILTER let through get here: anything from the LAN, and 21/22/80
# from the outside.
for proto in tcp udp; do
    $IPTABLES -A LINWIZ-INPUT -p $proto --dport 0:134      -j ACCEPT
    $IPTABLES -A LINWIZ-INPUT -p $proto --dport 139:4443   -j ACCEPT
    $IPTABLES -A LINWIZ-INPUT -p $proto --dport 4445:65535 -j ACCEPT
done
# Block all other TCP/IP and UDP traffic
$IPTABLES -A LINWIZ-INPUT -j REJECT-PKT
######################################################################
# Chain used to reject all TCP, UDP and ICMP echo packets
$IPTABLES -A REJECT-PKT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECT-PKT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A REJECT-PKT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
######################################################################
# IP and MAC address filtering chain: LAN sources pass, from the outside only
# FTP, SSH and HTTP to this box pass, everything else is rejected.
$IPTABLES -A ADDRESS-FILTER -s $OURLAN -j RETURN
$IPTABLES -A ADDRESS-FILTER -i $EXTDEV -p tcp --dport 21 -j RETURN
$IPTABLES -A ADDRESS-FILTER -i $EXTDEV -p tcp --dport 22 -j RETURN
$IPTABLES -A ADDRESS-FILTER -i $EXTDEV -p tcp --dport 80 -j RETURN
$IPTABLES -A ADDRESS-FILTER -j REJECT-PKT
# Dropped from the original: an empty "MACtest" chain jumped to from FORWARD
# (no rules, so no effect) and an INPUT rule accepting LAN pings to localhost
# that sat after the LINWIZ-INPUT jump, behind the 127.0.0.0/8 drop, and so
# could never be reached.
Last edited by abakali; 12-12-2005 at 01:51 AM.
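The script above loads its allow list with `. /etc/rc.d/mac.address`, which makes the firewall execute every line of that file as root; a planted or mistyped line there is a root shell, not a typo. The following is an added example, not abakali's script, that reads the same file as data only, validates each entry as a MAC, and refuses to apply anything if a line fails. It assumes one MAC per line with an optional `#` comment and the `maccheck` mangle chain from the script; `IPTABLES=echo` prints the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not abakali's script: load the MAC allow list from a
# data-only file instead of sourcing it.  Assumptions of mine: one MAC per
# line, optional "# comment", and a mangle chain named "maccheck" as in the
# script above.  Set IPTABLES=echo to print the rules instead of applying them.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# is_mac STR: true only for six colon-separated hex octets and nothing else,
# so "00:C0:26:88:F7:3C; rm -rf /" is rejected as a whole.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# validate_mac_file FILE: prints the accepted MACs one per line and returns 1
# if any non-comment line was not a MAC (the offending line goes to stderr).
validate_mac_file() {
    file="$1"; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                                 # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')   # drop whitespace
        [ -n "$entry" ] || continue
        if is_mac "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'mac.address: rejected line: %s\n' "$line" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# apply_allowed_macs FILE CHAIN: validates the whole file first, then emits
# one RETURN rule per MAC so listed clients skip the "unregistered" mark.
# Returns 1 and applies nothing when validation fails, so the list is never
# half-loaded after a bad edit.
apply_allowed_macs() {
    macs=$(validate_mac_file "$1") || return 1
    for mac in $macs; do
        $IPTABLES -t mangle -A "$2" -m mac --mac-source "$mac" -j RETURN
    done
}

# usage: apply_allowed_macs /etc/rc.d/mac.address maccheck
```

Whichever way the file is loaded, a MAC allow list is a registration check, not authentication: the client chooses its own MAC, so anyone who reads one off a registered neighbour's card can present it. Static DHCP leases tied to the same MACs, port security on the access switch, or 802.1X are what turn it into something a client cannot simply set.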