Solved

Iptables problem

Posted on 2003-11-20
7
822 Views
Last Modified: 2010-05-18
I have iptables ruiing in our internet gateway which is a redhat linux 9 box. The gateway uses two NICs, one with public IP and the other with private IP. I also have squid running on it.
The problem is using squid, I am able to block unwanted sites (Like adult sites) by the url string matches.(Although I would love a better way). But as it was not possible for the LAN users to use mail clients like Outlook etc, through squid, I decided to use iptables with masquerading and let them access internet through it.
How can I block unwanted sites (Ex: adult websites) using iptables, or if possible, how can I use mail clients etc., like outlook etc, using squid.

-Thanks
0
Comment
Question by:mganesh
  • 4
  • 3
7 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9788772
> ..  how can I use mail clients etc., like outlook etc, using squid.
what do you mean by that?

Outlook is mail (SMTP, IMAP, POP), suid is web (HTTP, HTTPS).
If your Outlook tries to connect any URLs, it uses IE, and so IE uses it's proxy settings.

If you don't want to rely on IE's settings you can do:

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to IP-of-Sqiud:3128

(assuming that you eth1 is the LAN interface)
 
0
 
LVL 3

Author Comment

by:mganesh
ID: 9795256
I was silly in not understanding the basics of squid. Thanks anyway. But how can achieve what I wanted. Allow port 80 through squid and all other SMTP etc, through iptables. My objective is to block the users fron viewing unwanted websites and also allow them to access their mails through mail clients. As simple as that.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9795685
configure iptables as suggested, then all traffic on port 80 is redirected to squid where you can black- and/or white-list destiations (don't forget port 443)
All other ports are closed, like:
  iptables -P FORWARD DROP

> .. to access their mails through mail clients.
where is the mail server (MTA) they want to access?
I'd sugest to setup a MTA on the firewall which has to be used for all incoming and outgoing SMTP, then your clients only need access to this server, but not to the internet (on port 25).
0
Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

 
LVL 3

Author Comment

by:mganesh
ID: 9796174
The mail servers which the users access are on the internet, some POP servers of our own company or others.
0
 
LVL 3

Author Comment

by:mganesh
ID: 9796193
Infact I tried your iptables script line and added it to the firewall script. But when any website is browsed, squid gives an error. This line of yours I am sure is doing the job of redirecting the traffic to squid. But why this error then? When I configure my IE to connect through squid, all is fine.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 9799593
ok, 3 problems now:
  1. iptables
  2. squid
  3. SMTP

I suggest that we focus on one: iptables (as in question)
If it works, next one could be solved.

So
  1. configure squid as forwarder, without any restrictions and/or acls
  2. check is your clients can access internet
     a) by using IE's proxy settings to your squid
     b) by using direct internet connection (which then gets redirected by iptables)
  3. describe results, and post resutls of
      iptables -L -n && iptables -L -n -t nat
0
 
LVL 3

Author Comment

by:mganesh
ID: 9809798
Well,

Thanks ahoffmann for the lead. From your lead, I got the details from http://www.squid-cache.org/Doc/FAQ/FAQ-17.html (After I searched the net based on your hints). All is fine now. Thanks again
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Problems with WHM / cPanel OWASP ModSecurity..?? 3 421
iptables on bridged interface 4 101
Help with Security Onion/Snorby 14 102
CentOS 6.7 User Audit 3 96
​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question