Solved

Iptables problem

Posted on 2003-11-20
820 Views
Last Modified: 2010-05-18
I have iptables running on our internet gateway, which is a Red Hat Linux 9 box. The gateway uses two NICs, one with a public IP and the other with a private IP. I also have squid running on it.
The problem is, using squid, I am able to block unwanted sites (like adult sites) by URL string matches (although I would love a better way). But as it was not possible for the LAN users to use mail clients like Outlook etc. through squid, I decided to use iptables with masquerading and let them access the internet through it.
How can I block unwanted sites (ex: adult websites) using iptables, or, if possible, how can I use mail clients, like Outlook etc., using squid?

-Thanks
Question by: mganesh
7 Comments
LVL 51

Expert Comment

by:ahoffmann
ID: 9788772
> .. how can I use mail clients etc., like outlook etc, using squid.
What do you mean by that?

Outlook is mail (SMTP, IMAP, POP), squid is web (HTTP, HTTPS).
If your Outlook tries to connect to any URLs, it uses IE, and so IE uses its proxy settings.

If you don't want to rely on IE's settings you can do:

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to IP-of-Squid:3128

(assuming that your eth1 is the LAN interface)
LVL 3

Author Comment

by:mganesh
ID: 9795256
I was silly in not understanding the basics of squid. Thanks anyway. But how can I achieve what I wanted: allow port 80 through squid and all other traffic, SMTP etc., through iptables? My objective is to block the users from viewing unwanted websites and also allow them to access their mail through mail clients. As simple as that.
LVL 51

Expert Comment

by:ahoffmann
ID: 9795685
Configure iptables as suggested, then all traffic on port 80 is redirected to squid, where you can black- and/or white-list destinations (don't forget port 443).
All other ports are closed, like:
  iptables -P FORWARD DROP

> .. to access their mails through mail clients.
Where is the mail server (MTA) they want to access?
I'd suggest to set up an MTA on the firewall which has to be used for all incoming and outgoing SMTP; then your clients only need access to this server, but not to the internet (on port 25).
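The gateway ruleset the two expert comments describe (DNAT of LAN port 80 to squid, FORWARD policy DROP, masquerading only the mail ports), assembled as an added example that is not part of this thread; interface names, the LAN subnet, squid running on the gateway's LAN address and the mail port list are assumptions.

```shell
#!/bin/sh
# Gateway ruleset built from the rules discussed in this thread (added example).
# Assumed values (not from the thread): eth0 = public NIC, eth1 = LAN NIC,
# LAN = 192.168.1.0/24, squid on the gateway's LAN address, port 3128.
IPT="${IPT:-iptables}"          # set IPT=echo to print rules instead of loading them
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_IP="${SQUID_IP:-192.168.1.1}"
SQUID_PORT="${SQUID_PORT:-3128}"
# Ports forwarded directly (masqueraded) instead of via squid: SMTP, POP3, IMAP.
# Add 443 here if HTTPS must bypass the proxy: it cannot be DNAT'd to squid's plain
# http_port, and with the DROP policy below it stays blocked unless listed.
DIRECT_PORTS="${DIRECT_PORTS:-25,110,143}"

load_rules() {
    $IPT -F
    $IPT -t nat -F
    # Default deny for everything routed between the NICs ("iptables -P FORWARD DROP").
    $IPT -P FORWARD DROP
    # Transparent proxy: LAN web traffic is rewritten to squid before routing.
    # Squid itself must be configured for transparent mode (squid FAQ 17); otherwise
    # it answers the redirected requests with an error page, as seen in the thread.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
    # Only the listed ports leave the LAN directly; replies return via state tracking.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports "$DIRECT_PORTS" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade the LAN behind the public IP for the forwarded connections.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# The listing the accepted answer asks for when debugging.
show_rules() {
    $IPT -L -n && $IPT -L -n -t nat
}

case "${1:-}" in
    apply) echo 1 > /proc/sys/net/ipv4/ip_forward; load_rules ;;
    show)  show_rules ;;
    print) IPT=echo; load_rules ;;   # dry run: prints the rules that would be loaded
esac
```

Run `sh gateway.sh print` first to review the generated rules, then `apply` as root.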
LVL 3

Author Comment

by:mganesh
ID: 9796174
The mail servers which the users access are on the internet: some POP servers of our own company, or others.
LVL 3

Author Comment

by:mganesh
ID: 9796193
In fact, I tried your iptables script line and added it to the firewall script. But when any website is browsed, squid gives an error. This line of yours, I am sure, is doing the job of redirecting the traffic to squid. But why this error then? When I configure my IE to connect through squid, all is fine.
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 9799593
OK, 3 problems now:
  1. iptables
  2. squid
  3. SMTP

I suggest that we focus on one: iptables (as in the question).
If it works, the next one can be solved.

So:
  1. configure squid as a forwarder, without any restrictions and/or ACLs
  2. check if your clients can access the internet
     a) by using IE's proxy settings pointing to your squid
     b) by using a direct internet connection (which then gets redirected by iptables)
  3. describe the results, and post the results of
      iptables -L -n && iptables -L -n -t nat
LVL 3

Author Comment

by:mganesh
ID: 9809798
Well,

Thanks ahoffmann for the lead. From your lead, I got the details from http://www.squid-cache.org/Doc/FAQ/FAQ-17.html (after I searched the net based on your hints). All is fine now. Thanks again.