iptables secure squid proxy

Posted by Lytithwyn on Server Fault
Published on 2009-09-17T19:38:36Z Indexed on 2010/04/16 11:03 UTC


I have a setup where my incoming internet connection feeds into a squid proxy/caching server, and from there into my local wireless router.

On the WAN side of the proxy server, I have eth0 with address 208.78.∗∗∗.∗∗∗
On the LAN side of the proxy server, I have eth1 with address 192.168.2.1

Traffic from my LAN gets forwarded through the proxy transparently to the internet via the following rules. Note that traffic from the squid server itself is also routed through the proxy/cache, and this is on purpose:

# iptables forwarding
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

# iptables for squid transparent proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

How can I set up iptables to block any connections made to my server from the outside, while not blocking anything initiated from the inside? I have tried doing:

iptables -A INPUT -i eth0 -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -j REJECT

But this blocks everything. I have also tried reversing the order of those commands in case I got that part wrong, but that didn't help. I guess I don't fully understand everything about iptables.

Any ideas?
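As an added illustration (not part of the original question or any answer on Server Fault), the following Python models how netfilter walks an INPUT chain: rules are tried top to bottom, the first match decides, and the chain policy applies when nothing matches. It assumes an INPUT policy of ACCEPT, treats the conntrack state as a field of each constructed packet, and uses documentation IP addresses in place of the masked real ones; the "hardened" rule set is my suggestion, not something from the post.

```python
import ipaddress

# Toy model of an iptables chain (constructed for illustration, not a packet filter):
# a rule is a set of optional matches plus a target; first matching rule wins.

def rule(target, in_iface=None, src=None, states=None):
    return {
        "target": target,
        "in_iface": in_iface,
        "src": ipaddress.ip_network(src) if src else None,
        "states": set(states) if states else None,
    }

def matches(r, pkt):
    if r["in_iface"] and pkt["in_iface"] != r["in_iface"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["states"] and pkt["state"] not in r["states"]:
        return False
    return True

def walk_chain(rules, pkt, policy="ACCEPT"):
    for r in rules:
        if matches(r, pkt):
            return r["target"]
    return policy

# The two rules from the question, as the INPUT chain. The ACCEPT can never match
# real LAN traffic (it arrives on eth1), and nothing accepts ESTABLISHED,RELATED
# before the eth0 REJECT, so replies to connections squid opened are rejected.
ATTEMPT = [
    rule("ACCEPT", in_iface="eth0", src="192.168.2.0/24"),
    rule("REJECT", in_iface="eth0"),
]

# Assumed hardened chain: accept replies to connections this host opened,
# loopback and LAN traffic, then reject anything else arriving on eth0.
HARDENED = [
    rule("ACCEPT", states=["ESTABLISHED", "RELATED"]),
    rule("ACCEPT", in_iface="lo"),
    rule("ACCEPT", in_iface="eth1", src="192.168.2.0/24"),
    rule("REJECT", in_iface="eth0"),
]

# Constructed sample packets: arriving interface, source IP, conntrack state.
PACKETS = {
    "reply_to_squid": {"in_iface": "eth0", "src": "198.51.100.10", "state": "ESTABLISHED"},
    "unsolicited_from_wan": {"in_iface": "eth0", "src": "203.0.113.7", "state": "NEW"},
    "lan_client_to_proxy": {"in_iface": "eth1", "src": "192.168.2.50", "state": "NEW"},
}

def verdicts(rules):
    return {name: walk_chain(rules, pkt) for name, pkt in PACKETS.items()}
```

Run `verdicts(ATTEMPT)` and `verdicts(HARDENED)` to compare: the first rejects the reply packet to squid's own outbound connection, the second accepts it while still rejecting the unsolicited connection from the WAN.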

© Server Fault or respective owner