Kevin Kropf wrote:
> > I am not that familiar with ipchains and was hoping for a little more
> > detail.
> > I put together the following command from the info on the squid FAQ:
> > $IPCH -A input -p tcp -d 0/0 80 -j REDIRECT 3128
> > However I am not sure what else is needed and where to put it in
> > ipfilter.conf
> >
> > Thanks for any help on this.

Todd Pearsall replied:
> You can create a file in /etc named ipchains.input and add the command:
> ipchains -A input -p tcp -d 0/0 www -j REDIRECT 3128
>
> If you are worried about users bypassing the proxy you can add the following
> to block non-proxy web traffic
> ipchains -A input -i eth1 -p tcp -d 0/0 www -j REJECT
>
> With those lines added type
> "svi network ipfilter reload"
> This will reload the rules including the ones in the /etc/ipchains.input
> file.
>
> Charles added the ipchains.input, ipchains.output and ipchains.forward
> capability so you could extend the rules w/o editing the ipfilter.conf
> directly.

As Todd mentioned, the place for this rule is /etc/ipchains.input.  There
are a few other things to be aware of, however.  One big issue is the fact
that inbound connections to high ports (>=1024) are allowed by the default
firewall rules.  In addition to configuring squid so it only answers
requests from the internal network(s), I'd also want to block inbound connection
attempts to squid from the internet.  Port-scanners have taken to using
proxies (as well as zombies) to do their port-scanning dirty work for them,
and I'm sure you don't want that happening with your systems.

Anyway, start with a deny of any squid requests from the internet:
$IPCH -A input -j DENY -p tcp -d 0/0 3128 -i $EXTERN_IF

If you're running (or port-forwarding) a web server from your LRP box, you
need rules to allow that traffic rather than redirecting it to squid.
For internal access to weblet, you need something like:
$IPCH -A input -j ACCEPT -p tcp -d $INTERN_IP www -i $INTERN_IF

For a publicly visible webserver, you need something like the following, due
to where the ipchains.input file rules get added to the overall rule-chain:
$IPCH -A input -j ACCEPT -p tcp -d $EX_IP www -i $EXTERN_IF

Finally, you can redirect all other web queries to your squid proxy:
$IPCH -A input -j REDIRECT 3128 -p tcp -d 0/0 www

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
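The rule ordering Charles lays out above, as an added example that is not part of the thread or of the LRP distribution: a small script that generates the /etc/ipchains.input contents in that order and checks, before anything is loaded, that the DENY and ACCEPT rules all precede the catch-all REDIRECT (ipchains is first-match, so a REDIRECT appended too early silently swallows the rules after it). Interface names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build the ipchains.input rule set in the
# order described above and verify the ordering before loading it.
# Interface names and addresses are constructed placeholders; override via env.
IPCH=${IPCH:-ipchains}
EXTERN_IF=${EXTERN_IF:-eth0}
INTERN_IF=${INTERN_IF:-eth1}
INTERN_IP=${INTERN_IP:-192.168.1.1}
EX_IP=${EX_IP:-203.0.113.10}

# Print the rules, one per line, in the order they must be appended:
# 1. deny squid (3128) from the external interface
# 2. accept internal access to the local web server (weblet)
# 3. accept public access to the externally visible web server
# 4. transparently redirect everything else bound for port 80 to squid
gen_rules() {
    printf '%s\n' \
      "$IPCH -A input -j DENY -p tcp -d 0/0 3128 -i $EXTERN_IF" \
      "$IPCH -A input -j ACCEPT -p tcp -d $INTERN_IP www -i $INTERN_IF" \
      "$IPCH -A input -j ACCEPT -p tcp -d $EX_IP www -i $EXTERN_IF" \
      "$IPCH -A input -j REDIRECT 3128 -p tcp -d 0/0 www"
}

# Return 0 only if every DENY/ACCEPT rule in file $1 appears before the
# first REDIRECT 3128 rule; return 1 if the REDIRECT is missing or too early.
check_order() {
    redirect_line=$(grep -n 'REDIRECT 3128' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$redirect_line" ] || return 1
    last_specific=$(grep -n -e '-j DENY' -e '-j ACCEPT' "$1" | tail -n 1 | cut -d: -f1)
    [ -n "$last_specific" ] || return 1
    [ "$last_specific" -lt "$redirect_line" ]
}

# Write the rules to the path given as $1 (normally /etc/ipchains.input)
# and fail if the ordering invariant does not hold.
write_rules() {
    gen_rules > "$1" && check_order "$1"
}
```

After `write_rules /etc/ipchains.input` succeeds, `svi network ipfilter reload` picks the file up as Todd describes.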



_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user