On Thu, Aug 02, 2007 at 08:27:54PM +0200, Franck Joncourt wrote:
> On Thu, Aug 02, 2007 at 02:26:07PM -0300, Harlei Liguori wrote:
> > My current rule set test is:
> >
> Let's start with that:
>
> iptables -A INPUT -m RELATED, ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m RELATED,ESTABLISHED -j ACCEPT
>
> Assuming you are running squid as a transparent proxy for http traffic
> only.
>
> First of all, you have to redirect web traffic to port 3128.
> iptables -t nat -A PREROUTING -p tcp \
>   --dport 80 -j REDIRECT --to-port 3128
>
> Then, you have to allow incoming traffic to port 3128 since web traffic
> is redirected here.
>
> iptables -A INPUT -p tcp --syn --dport 3128 -j ACCEPT
>
> At the end, you have to allow outgoing traffic from your proxy to
> Internet:
>
> iptables -A OUTPUT -p tcp --syn --dport 80 -j ACCEPT
>
> This is just an example, as I did not care about interfaces.
>
> Hope it helps.

I really should read what I write :p!

-m state --state ESTABLISHED,RELATED rather than -m RELATED...
-m state --state NEW --syn rather than --syn

I was assuming, as the others pointed out, your ruleset was not the few
lines you wrote. Of course, with what I wrote you need more rules for a
full firewall script.

--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE