Solved

Iptables problem

Posted on 2003-11-20
Last Modified: 2010-05-18
I have iptables running in our internet gateway which is a Red Hat Linux 9 box. The gateway uses two NICs, one with a public IP and the other with a private IP. I also have squid running on it.
The problem is, using squid, I am able to block unwanted sites (like adult sites) by URL string matches (although I would love a better way). But as it was not possible for the LAN users to use mail clients like Outlook etc. through squid, I decided to use iptables with masquerading and let them access the internet through it.
How can I block unwanted sites (ex: adult websites) using iptables, or if possible, how can I use mail clients etc., like Outlook, using squid?

-Thanks
Question by:mganesh
7 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9788772
> ..  how can I use mail clients etc., like outlook etc, using squid.
what do you mean by that?

Outlook is mail (SMTP, IMAP, POP), squid is web (HTTP, HTTPS).
If your Outlook tries to connect to any URLs, it uses IE, and so IE uses its proxy settings.

If you don't want to rely on IE's settings you can do:

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination IP-of-Squid:3128

(assuming that your eth1 is the LAN interface)
 
 
LVL 3

Author Comment

by:mganesh
ID: 9795256
I was silly in not understanding the basics of squid. Thanks anyway. But how can I achieve what I wanted: allow port 80 through squid and all other traffic, SMTP etc., through iptables. My objective is to block the users from viewing unwanted websites and also allow them to access their mails through mail clients. As simple as that.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9795685
configure iptables as suggested, then all traffic on port 80 is redirected to squid where you can black- and/or white-list destinations (don't forget port 443)
All other ports are closed, like:
  iptables -P FORWARD DROP

> .. to access their mails through mail clients.
where is the mail server (MTA) they want to access?
I'd suggest to set up an MTA on the firewall which has to be used for all incoming and outgoing SMTP, then your clients only need access to this server, but not to the internet (on port 25).
 
LVL 3

Author Comment

by:mganesh
ID: 9796174
The mail servers which the users access are on the internet, some POP servers of our own company or others.
 
LVL 3

Author Comment

by:mganesh
ID: 9796193
In fact I tried your iptables script line and added it to the firewall script. But when any website is browsed, squid gives an error. This line of yours I am sure is doing the job of redirecting the traffic to squid. But why this error then? When I configure my IE to connect through squid, all is fine.
 
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 9799593
ok, 3 problems now:
  1. iptables
  2. squid
  3. SMTP

I suggest that we focus on one: iptables (as in question)
If it works, next one could be solved.

So
  1. configure squid as forwarder, without any restrictions and/or acls
  2. check if your clients can access the internet
     a) by using IE's proxy settings to your squid
     b) by using direct internet connection (which then gets redirected by iptables)
  3. describe results, and post results of
      iptables -L -n && iptables -L -n -t nat
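The rule set the accepted answer sketches across this thread (port 80 rewritten to squid, FORWARD policy DROP, only the mail ports opened for the LAN), written out as an added example. This is not ahoffmann's or mganesh's script; it assumes eth0 is the public NIC, eth1 the LAN NIC, and squid listening on the gateway's LAN address 192.168.1.1 port 3128, all of which are placeholders to adjust. By default it only prints the commands so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the thread: the gateway rule set the accepted
# answer outlines. Assumed values: eth0 = public NIC, eth1 = LAN NIC,
# squid on the gateway's LAN address 192.168.1.1, port 3128.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them as root.

ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# gateway_rules LAN_IF WAN_IF SQUID_IP SQUID_PORT
gateway_rules() {
    lan="$1"; wan="$2"; squid_ip="$3"; squid_port="$4"

    # Flush and default-deny. OUTPUT stays open because the gateway itself
    # (squid fetching pages, DNS lookups) must reach the internet.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, plus replies to connections already accepted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Transparent proxying: LAN web traffic to port 80 is rewritten to squid.
    # Squid runs on this box, so the rewritten packets traverse INPUT, not
    # FORWARD; INPUT must therefore accept them on the squid port.
    # (For a local squid, REDIRECT --to-ports "$squid_port" is equivalent.)
    ipt -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 \
        -j DNAT --to-destination "$squid_ip:$squid_port"
    ipt -A INPUT -i "$lan" -p tcp --dport "$squid_port" -j ACCEPT

    # Port 80 is never forwarded directly, so a client without the IE proxy
    # setting still lands on squid's ACLs. HTTPS cannot be rewritten to
    # squid's HTTP port (the stream is TLS); it is forwarded as-is here,
    # which means squid's URL ACLs do not cover it.
    ipt -A FORWARD -i "$lan" -o "$wan" -p tcp --dport 443 -j ACCEPT

    # Mail clients: the POP/IMAP/SMTP servers are on the internet, so only
    # these ports are forwarded out of the LAN; everything else hits DROP.
    for port in 25 110 143 993 995; do
        ipt -A FORWARD -i "$lan" -o "$wan" -p tcp --dport "$port" -j ACCEPT
    done
    # DNS for the LAN clients.
    ipt -A FORWARD -i "$lan" -o "$wan" -p udp --dport 53 -j ACCEPT

    # Masquerade whatever is allowed out of the LAN behind the public IP.
    ipt -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# Print the rule set for review (assumed interface, address and port).
gateway_rules eth1 eth0 192.168.1.1 3128
```

After applying with DRY_RUN=0, the state to compare against is exactly what step 3 of the accepted answer asks for: `iptables -L -n && iptables -L -n -t nat`. The squid side (accepting redirected requests) is the part covered by the squid FAQ the asker links further down; without it squid will answer the rewritten requests with an error, which matches the symptom reported earlier in the thread.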
 
LVL 3

Author Comment

by:mganesh
ID: 9809798
Well,

Thanks ahoffmann for the lead. From your lead, I got the details from http://www.squid-cache.org/Doc/FAQ/FAQ-17.html (After I searched the net based on your hints). All is fine now. Thanks again