Hi, I'm trying to restrict access to a few networks like 216.239.175.0/24 and 64.28.48.0/24 and individual addresses like mine, 64.112.226.198. Here is my problem:
I need to redirect port 81 to 8080 which is the port DansGuardian listens to. Here is rc.iptables:

#===================================
#!/bin/sh
LOOPNET="127.0.0.0/8"
LOCALNET="216.239.175.0/24"

echo " Clearing existing configuration."
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -F OUTPUT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -F -t nat
/usr/sbin/iptables -F logdrop
/usr/sbin/iptables -X logdrop

echo "Create Drop Chain."
/usr/sbin/iptables -N logdrop
/usr/sbin/iptables -A logdrop -j LOG --log-level info
/usr/sbin/iptables -A logdrop -j DROP

echo "INPUT Rule sets."
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
# accepts everything arriving on eth0, so the LOCALNET and logdrop rules below are never reached
/usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -s $LOOPNET -j logdrop
/usr/sbin/iptables -A INPUT -i eth0 -d $LOOPNET -j logdrop
/usr/sbin/iptables -A INPUT -i eth0 -s $LOCALNET -j ACCEPT

echo "Redirect Web traffic through Dan's Guardian"
# nat/PREROUTING runs before filter/INPUT, so INPUT sees these packets with dport 8080
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT --to-port 8080
#===================================

This works, but it lets the whole world in. Not good. DansGuardian acts as a front end to Squid which listens on 3128. Squid's logs show all traffic is coming from localhost, 127.0.0.1, so no security works here. DansGuardian doesn't have a way to limit access, so it has to happen with iptables. How do I? The networks and IP addresses change over time so it needs to be easy to adjust after it's in place.

Thanks
--
Bob Crandell
Assured Computing
When you need to be sure.
[EMAIL PROTECTED]
www.assuredcomp.com
Voice - 541-689-9159
FAX - 541-463-1627
Eugene, Oregon

_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
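One way to do what the post asks, as an added example that is not Bob's rc.iptables: keep the allowed networks in a plain text file and build a dedicated iptables chain from it, so adjusting access later means editing the file and re-running the script. The file path (/etc/dansguardian/allowed-clients), its format (one address or CIDR per line, '#' comments allowed), the chain name "webclients" and the EXT_IF variable are assumptions made for this example; the ports (81, 8080, 3128) and eth0 come from the post. Two points the script relies on: nat/PREROUTING rewrites 81 to 8080 before filter/INPUT sees the packet, so the INPUT match has to be on 8080, not 81; and Squid's 3128 is covered by the same chain so nobody reaches Squid while skipping DansGuardian. The hook rule is inserted at position 1 of INPUT so it takes effect ahead of the blanket "-i eth0 -j ACCEPT" rule; the REDIRECT rule itself stays in rc.iptables as it is.

```shell
#!/bin/sh
# Added example, not the original poster's script: restrict the DansGuardian
# redirect to an allow list of client networks kept in a text file.
# Assumed (not from the post): allow file path and format, chain name
# "webclients", EXT_IF variable. Set IPTABLES=echo for a dry run that only
# prints the rules it would apply.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
ALLOWFILE="${ALLOWFILE:-/etc/dansguardian/allowed-clients}"   # assumed path
EXT_IF="${EXT_IF:-eth0}"
DG_PORT=8080       # DansGuardian; what INPUT sees after the 81 -> 8080 REDIRECT
SQUID_PORT=3128    # Squid behind DansGuardian; must not be reachable directly

# Print the allow list with comments, whitespace and blank lines removed.
read_allow_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Number of ACCEPT rules a given allow file would produce; handy for a
# sanity check before applying a freshly edited file.
count_allowed() {
    read_allow_list "$1" | wc -l | tr -d ' '
}

# Rebuild the "webclients" chain from the allow file and hook it into INPUT.
# Allowed sources are accepted, everything else is logged and dropped.
# Safe to re-run: the hook rule and the chain are removed before rebuilding.
apply_allow_list() {
    file="$1"
    hook="-i $EXT_IF -p tcp -m multiport --dports $DG_PORT,$SQUID_PORT -j webclients"

    # unhook first, otherwise -X fails because INPUT still references the chain
    $IPTABLES -D INPUT $hook 2>/dev/null
    $IPTABLES -F webclients 2>/dev/null
    $IPTABLES -X webclients 2>/dev/null
    $IPTABLES -N webclients

    read_allow_list "$file" | while read -r net; do
        $IPTABLES -A webclients -s "$net" -j ACCEPT
    done
    $IPTABLES -A webclients -j LOG --log-level info --log-prefix "dg-denied: "
    $IPTABLES -A webclients -j DROP

    # position 1 so the chain runs before any blanket "-i eth0 -j ACCEPT" rule
    $IPTABLES -I INPUT 1 $hook
}

# Only touch the firewall when invoked as "./dg-allow.sh apply".
if [ "${1:-}" = "apply" ]; then
    echo "Applying $(count_allowed "$ALLOWFILE") allowed client networks."
    apply_allow_list "$ALLOWFILE"
fi
```

Denied attempts show up in the kernel log with the "dg-denied: " prefix, which makes it easy to spot a network that still needs adding to the file. Because the chain is matched on the post-REDIRECT port, the source address seen here is the real client address, unlike Squid's logs where everything appears to come from 127.0.0.1.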
