I have am using SQUID/DANSGUARDIAN to block and control internet access. The problem that I am having is sending e-mail. whenever I attempt to send e-mail through the proxy I cannot. I believe it will connects to the smtp server on the ISP ok because I can download e-mails but when I try and send an e-mail out it always fails and says that it cannot communication with the SMTP host.I starts to send the e-mail with an attachment but fails at like 2 percent of the transmission. What could this be? How do I open up ports 25 and 110 so that my e-mail clients go around the proxy instead of opening up the internet and not having any control?

I don't think going through a proxy for outbound SMTP/POP connections protects you from people accessing you from the internet more than allowing clients to connect directly. The difference in your firewall is that you allow new connections to those ports in the FORWARD chain (and established connections for the return packets), instead of the OUTPUT chain. In both cases the packets leave your box from an unprivileged port (>1024) to 25 or 110 and return to the unprivileged port.

Was there another reason you wanted to do this?

I always get confused over the chains, this is what I understand:

INPUT - stuff coming from the outside trying to access the firewall and also to control stuff that is able to access the firewall from the LAN as well

OUTPUT - controls what goes out!

FORWARD - This is the one that is confusing the heck out of me - With this chain I guess you control what goes through the firewall and back out.

PREROUTING - controls how the packets are handled before entering the network.

POSTROUTING - how the packets are handling before leaving the network.

Please answer these questions to clarify iptables:

what is the purpose of having OUTPUT when you have a chain like FORWARD which can also control stuff going out.

If you can clarify PREROUTING as well?

Basically, FORWARDed packets pass through the firewall box without a local destination, ie they don't start or stop there. However, packets that go along the OUTPUT chain start on the firewall box and packets that go along the INPUT chain finish on the firewall box.

As an example, if you provide internet access to your users without a proxy server, the packets use the FORWARD chain to go through your box to the remote web server and back again. When they use your proxy server, the packets arrive at the firewall/proxy and are processed on the INPUT chain and given to your proxy server. It then sends them to the remote web server from the firewall's OUTPUT chain.

For a better explanation, there's a useful document at http://iptables-tutorial.frozentux.n...ERSINGOFTABLES that covers the path that packets take through the various chains under different scenarios.

For PREROUTING, have a look at http://iptables-tutorial.frozentux.n...REROUTINGCHAIN.

Hope that helps...

many thanks