> On Thu, Aug 02, 2007 at 02:26:07PM -0300, Harlei Liguori wrote:
> > My current rule set test is:
> >
> Let's start with that :
>
> iptables -A INPUT -m RELATED, ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m RELATED,ESTABLISHED -j ACCEPT
>
> Assuming you are running squid as a transparent proxy for http traffic
> only.
>
> First of all, you have to redirect web traffic to port 3128.
> iptables -t nat -A PREROUTING -p tcp \
> --dport 80 REDIRECT --to-port 3128
>
> Then, you have to allow incoming traffic to port 3128 since web traffic
> is redirected here.
>
> iptables -A INPUT -p tcp --syn --dport 3128 -j ACCEPT
>
> At the end, you have to allow outgoing traffic from your proxy to
> Internet :
>
> iptables -A OUTPUT -p tcp --syn --dport 80 -j ACCEPT
>
> Thie is just an example, as I did not care about interfaces.
>
> Hope it helps.
I really should read what I write :p!
-m state --state ESTABLISHED,RELATED rather than -m RELATED...
-m state --state NEW --syn rather than --syn
I was assuming, as the others pointed out, your ruleset was not the few
lines you wrote. Of course, with what I wrote you need more rules for a
full firewall script.
--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
No comments:
Post a Comment