Insert IPTABLES rule

Posted on 2009-04-26
Last Modified: 2012-05-06
Hi guys, I am running iptables for a squid transparent proxy, and it is working fine. I have two questions:

1. On CentOS, how do I ensure that this script auto runs at boot (script below).
2. How do I insert a rule into this script that will allow ssh access from a host to the squid proxy?

#!/bin/bash
# squid server IP
SQUID_SERVER="192.168.1.1"   # placeholder: set to the proxy's own IP

# Interface connected to Internet
INTERNET="eth0"              # placeholder: set to your WAN interface

# Interface connected to LAN
LAN_IN="eth1"                # placeholder: set to your LAN interface

# Squid port
SQUID_PORT="3128"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP (replies to connections this box opened)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP


Question by:dbtouraust

    Expert Comment

    In CentOS you should have iptables installed by default

    you can add iptables rules from shell

    then Save the rules

    service iptables save

    then restart iptables to make this work

    service iptables restart


    you can add that script in

    /etc/rc.local file

    so when system will boot, those rules will be added to the iptables automatically

    Author Comment

    Thanks, but the question was more about the syntax for allowing ssh access from one host to another, in the above script.

    Accepted Solution

    Ok to allow ssh
    add these rules in your iptables
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
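As an added example (POSIX sh, not part of the original thread), this builds the SSH rule restricted to the single management host the question asks about and checks that it lands ahead of the LOG/DROP rules the script above appends last; with the script's ordering, a rule appended with `-A` after `iptables -A INPUT -j DROP` is never reached. The host 192.0.2.10 and interface eth0 are constructed placeholders.

```shell
#!/bin/sh
# Added example: admit SSH from one host only, and verify the rule is not
# shadowed by the catch-all DROP at the end of the INPUT chain.

# Print the rule for one management host. "-I INPUT 1" inserts at the top of
# the chain, so the later "iptables -A INPUT -j DROP" cannot shadow it.
ssh_allow_rule() {
    host="$1"
    echo "iptables -I INPUT 1 -s $host -p tcp --dport 22 -m state --state NEW -j ACCEPT"
}

# Given the INPUT chain as printed by "iptables -S INPUT" (one rule per line),
# print "ok" if an SSH ACCEPT rule comes before the first unconditional DROP,
# otherwise "shadowed".
ssh_rule_reachable() {
    printf '%s\n' "$1" | awk '
        /-A INPUT .*--dport 22 .*-j ACCEPT/ { if (!dropped) seen = 1 }
        /^-A INPUT -j DROP$/                { dropped = 1 }
        END { print (seen ? "ok" : "shadowed") }'
}

# Constructed sample chain: the SSH rule was appended after the catch-all DROP,
# which is what "iptables -A INPUT -p tcp --dport 22 -j ACCEPT" at the end of
# the script would produce.
BAD_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample chain: the same rule inserted at position 1 and limited
# to the management host.
GOOD_CHAIN='-P INPUT DROP
-A INPUT -s 192.0.2.10/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP'

ssh_allow_rule 192.0.2.10          # the command to add to the script
ssh_rule_reachable "$BAD_CHAIN"    # shadowed
ssh_rule_reachable "$GOOD_CHAIN"   # ok
```

On the live box, `iptables -S INPUT` supplies the chain text to `ssh_rule_reachable`, and `service iptables save` (as described in the first comment) persists the inserted rule.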

    Author Closing Comment

    Thanks for the help, it worked!
