Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Iptables problem

Posted on 2003-11-20
7
Medium Priority
?
832 Views
Last Modified: 2010-05-18
I have iptables ruiing in our internet gateway which is a redhat linux 9 box. The gateway uses two NICs, one with public IP and the other with private IP. I also have squid running on it.
The problem is using squid, I am able to block unwanted sites (Like adult sites) by the url string matches.(Although I would love a better way). But as it was not possible for the LAN users to use mail clients like Outlook etc, through squid, I decided to use iptables with masquerading and let them access internet through it.
How can I block unwanted sites (Ex: adult websites) using iptables, or if possible, how can I use mail clients etc., like outlook etc, using squid.

-Thanks
0
Comment
Question by:mganesh
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9788772
> ..  how can I use mail clients etc., like outlook etc, using squid.
what do you mean by that?

Outlook is mail (SMTP, IMAP, POP), suid is web (HTTP, HTTPS).
If your Outlook tries to connect any URLs, it uses IE, and so IE uses it's proxy settings.

If you don't want to rely on IE's settings you can do:

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to IP-of-Sqiud:3128

(assuming that you eth1 is the LAN interface)
 
0
 
LVL 3

Author Comment

by:mganesh
ID: 9795256
I was silly in not understanding the basics of squid. Thanks anyway. But how can achieve what I wanted. Allow port 80 through squid and all other SMTP etc, through iptables. My objective is to block the users fron viewing unwanted websites and also allow them to access their mails through mail clients. As simple as that.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9795685
configure iptables as suggested, then all traffic on port 80 is redirected to squid where you can black- and/or white-list destiations (don't forget port 443)
All other ports are closed, like:
  iptables -P FORWARD DROP

> .. to access their mails through mail clients.
where is the mail server (MTA) they want to access?
I'd sugest to setup a MTA on the firewall which has to be used for all incoming and outgoing SMTP, then your clients only need access to this server, but not to the internet (on port 25).
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 3

Author Comment

by:mganesh
ID: 9796174
The mail servers which the users access are on the internet, some POP servers of our own company or others.
0
 
LVL 3

Author Comment

by:mganesh
ID: 9796193
Infact I tried your iptables script line and added it to the firewall script. But when any website is browsed, squid gives an error. This line of yours I am sure is doing the job of redirecting the traffic to squid. But why this error then? When I configure my IE to connect through squid, all is fine.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 750 total points
ID: 9799593
ok, 3 problems now:
  1. iptables
  2. squid
  3. SMTP

I suggest that we focus on one: iptables (as in question)
If it works, next one could be solved.

So
  1. configure squid as forwarder, without any restrictions and/or acls
  2. check is your clients can access internet
     a) by using IE's proxy settings to your squid
     b) by using direct internet connection (which then gets redirected by iptables)
  3. describe results, and post resutls of
      iptables -L -n && iptables -L -n -t nat
0
 
LVL 3

Author Comment

by:mganesh
ID: 9809798
Well,

Thanks ahoffmann for the lead. From your lead, I got the details from http://www.squid-cache.org/Doc/FAQ/FAQ-17.html (After I searched the net based on your hints). All is fine now. Thanks again
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Fine Tune your automatic Updates for Ubuntu / Debian
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question