Iptables problem

I have iptables running on our internet gateway, which is a Red Hat Linux 9 box. The gateway uses two NICs, one with a public IP and the other with a private IP. I also have squid running on it.
The problem is that, using squid, I am able to block unwanted sites (like adult sites) by URL string matches (although I would love a better way). But as it was not possible for the LAN users to use mail clients like Outlook etc. through squid, I decided to use iptables with masquerading and let them access the internet through it.
How can I block unwanted sites (e.g. adult websites) using iptables, or, if possible, how can I use mail clients like Outlook etc. through squid?

-Thanks
mganeshAsked:
ahoffmannCommented:
> ..  how can I use mail clients etc., like outlook etc, using squid.
what do you mean by that?

Outlook is mail (SMTP, IMAP, POP); squid is web (HTTP, HTTPS).
If your Outlook tries to connect to any URLs, it uses IE, and so IE uses its proxy settings.

If you don't want to rely on IE's settings you can do:

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to IP-of-Squid:3128

(assuming that eth1 is your LAN interface)
 
mganeshAuthor Commented:
I was silly in not understanding the basics of squid. Thanks anyway. But how can I achieve what I wanted: allow port 80 through squid and all other traffic (SMTP etc.) through iptables? My objective is to block the users from viewing unwanted websites and also allow them to access their mail through mail clients. As simple as that.

ahoffmannCommented:
Configure iptables as suggested; then all traffic on port 80 is redirected to squid, where you can black- and/or white-list destinations (don't forget port 443).
All other ports are closed, like:
  iptables -P FORWARD DROP

> .. to access their mails through mail clients.
where is the mail server (MTA) they want to access?
I'd suggest setting up an MTA on the firewall which has to be used for all incoming and outgoing SMTP; then your clients only need access to this server, but not to the internet (on port 25).

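As an added example (not code from the thread or from either participant), here is a complete gateway firewall script that puts the two answers above together: the port-80 redirect into squid and the `FORWARD DROP` default with only the mail ports (plus DNS and HTTPS) let through directly. Interface names (eth0 public, eth1 LAN), the LAN subnet 192.168.1.0/24, squid listening on 3128 on the gateway itself, and the set of directly allowed ports are my assumptions. Because squid runs on the gateway, the example uses `REDIRECT` to the local port, which is the equivalent of the `DNAT --to IP-of-Squid:3128` rule for the local case. Without `--apply` the script only prints the iptables commands it would run, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: gateway firewall combining transparent squid redirect for
# HTTP with a default-deny FORWARD chain that lets mail through directly.
# Assumptions (mine, not from the thread):
#   WAN=eth0 (public), LAN=eth1 (private), LAN_NET=192.168.1.0/24,
#   squid listening on tcp/3128 on this gateway.
# Usage: sh gateway-fw.sh            -> dry run, prints the commands
#        sh gateway-fw.sh --apply    -> applies the rules (run as root)

WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
SQUID_PORT=3128

# ipt: print the iptables command in dry-run mode, execute it otherwise.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

enable_forwarding() {
    if [ -n "$DRY_RUN" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

build_rules() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP       # default: nothing is forwarded to the internet
    ipt -P OUTPUT ACCEPT

    # Traffic to the gateway itself: loopback, replies, redirected browsers, admin ssh.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Transparent proxy: LAN web traffic on port 80 goes to the local squid,
    # where URL-based black/white lists do the filtering. Only HTTP is
    # redirected: a TLS session on 443 cannot be handed to squid's HTTP
    # port this way, so 443 is forwarded directly below (filterable by
    # destination address only).
    ipt -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # What the LAN may reach directly, bypassing squid: mail, HTTPS, DNS.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 25 110 143 993 995 443; do
        ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT

    # Masquerade whatever is forwarded out of the public interface.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    --apply) DRY_RUN="" ;;
    *)       DRY_RUN=1 ;;
esac
enable_forwarding
build_rules
```

Two practical notes. iptables matches on addresses and ports, not URLs, so the site blocking the question asks about stays in squid; iptables only decides which traffic is forced through squid and which bypasses it. And redirecting the packets is only half of the job: squid must also be configured to accept transparently redirected requests (the part of the Squid FAQ the asker ended up at), otherwise it answers every redirected request with an error, which is exactly the symptom reported later in this thread.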
mganeshAuthor Commented:
The mail servers which the users access are on the internet: some POP servers of our own company, or others.

mganeshAuthor Commented:
In fact I tried your iptables script line and added it to the firewall script. But when any website is browsed, squid gives an error. This line of yours, I am sure, is doing the job of redirecting the traffic to squid. But why this error then? When I configure my IE to connect through squid, all is fine.

ahoffmannCommented:
OK, 3 problems now:
  1. iptables
  2. squid
  3. SMTP

I suggest that we focus on one: iptables (as in the question).
If it works, the next one can be solved.

So
  1. configure squid as a forwarder, without any restrictions and/or ACLs
  2. check if your clients can access the internet
     a) by using IE's proxy settings pointing to your squid
     b) by using a direct internet connection (which then gets redirected by iptables)
  3. describe the results, and post the output of
      iptables -L -n && iptables -L -n -t nat
mganeshAuthor Commented:
Well,

Thanks ahoffmann for the lead. From your lead, I found the details at http://www.squid-cache.org/Doc/FAQ/FAQ-17.html (after I searched the net based on your hints). All is fine now. Thanks again.