problem in iptable + squid

alvi2 · 03-29-2005, 07:09 AM

i am asking a very simple question
i am running a cable net and use squid as proxy server
now i want this

i want to force users to user proxy server for http and ftp and want to force other request through iptables

droping request 80 in iptables ????
how can i do this
i dont want to use tranparent proxy

emence · 03-29-2005, 09:06 AM

Well. The way you would want to do that would be to setup your squid proxy server. Then setup the client machines internet browser to use a proxy server. Aim the browsers at your squid server for http and ftp traffice and then leave the rest of the protocols blank, they will then by default go to the gateway, which I assume would be your iptables/ipchains box.

alvi2 · 03-29-2005, 12:28 PM

dear amence
i have done this
browser side lan setting is set to the proxy

but the problem is that when users setup the automatic LAN setting not proxy then they can use the browsing due to MASQUEREADE that i made through ipytables

so i want that if users want http request then they should use proxy setting and if they change the browsing setting auto then their "HTTP and FTP"request must be drop

in other words i want
"linux deal http and ftp request through proxy and deal other requests as router or masquerade"

benjithegreat98 · 03-29-2005, 01:08 PM

On your router/firewall to the outside world you would want to deny outgoing access for port 80 and 21 to everybody accept for your proxy server. If your router or firewall is a linux machine you can easily use iptables to implement this.

Is the proxy you have setup as your router?

alvi2 · 03-29-2005, 02:20 PM

Is the proxy you have setup as your router?

yes i am using squid + routing on the same linux mechine

tell me how can i reject the port 80 for all except proxy
please send me the complete syntax of commands

i am using port 3128 for proxy

benjithegreat98 · 03-29-2005, 02:41 PM

I'll assume that since the linux box is your router you have 2 NICs
eth0 - outside world
eth1- internal network

iptables -A INPUT -p tcp --dport 80 -i eth1 -j DROP
iptables -A INPUT -p tcp --dport 21 -i eth1 -j DROP

I think that should keep people from using the proxy/gateway without proper proxy settings.

I don't have a way to test that on a proxy, but it looks right to me.....

alvi2 · 03-29-2005, 03:06 PM

dear bejithegrat
you are absolutely wrong . i think you need to understand the concept and usage of firewall .

but you gave me a one hint
here is the story

iptables -t nat -A prerouthing -i eth0 -p tcp --dport 80 -j drop
now it is working well

INPUT chain is used only for local process
thanks

born4linux · 03-29-2005, 06:12 PM

tranparent proxying?

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

that should force your users to use your proxy. and if you do the same to ftp, your users might encounter problems if they are using IE 5.5 as it tries to do a direct connection when trying to browse ftp sites.

hth.