I misread the email and thought you were sending to an internal server. ;)

Leo wrote:
> Hello all, netfilter!
>
> Does using Squid with firewall and masq need 4 rules, if the
> default policy is DROP?
>
>
>        eth1   int_ip          eth0   ext_ip
>              |    FIREWALL      |
>        1.-->>   -->>3.
> USER         |                  |   INET
>        4.<<-- SQUID(3128) <<--4.
>              |                  |
>
> 1. user request. It will be:
> iptables -t nat -A PREROUTING -i eth1 -s USER -p tcp --dport 80 -j DNAT --to
> int_ip:3128

You should use REDIRECT --to-ports 3128 instead of DNAT.

> 2. allow squid to get out from firewall
> iptables -A OUTPUT -o eth0 -s ext_ip -p tcp --dport 80 -j ACCEPT

If you want to be paranoid, add a --sport 3128 since that is the port squid will talk to other servers on.

> 3. allow packets from www server come to squid
> iptables -A INPUT -i eth0 -d ext_ip -p tcp --sport 80 -j ACCEPT

Add a --dport 3128 to make sure that only web servers responding to your squid traffic are talking to you, otherwise you might get people talking from port 80 and sending any traffic to your machine they want. :)

> 4. allow answer squid to user
> iptables -A OUTPUT -o eth1 -s int_ip -p tcp --sport 80 -j ACCEPT

Add a -d internal network and change the --sport 80 -> --sport 3128. The --sport is the only crucial change.

> Is my head thinking in the right direction?
> I work on the firewall with the rule: what is not permitted is DROPPED,
> and I make a rule for every step in long connections.
>
> P.S. I wrote these rules from my understanding of how such local
> processes as SQUID work. :-) and I may have made some mistakes in them.
>
> Thanks!

--
James A. Pattie
[EMAIL PROTECTED]
Linux -- SysAdmin / Programmer
PC & Web Xperience, Inc.
http://www.pcxperience.com/
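As an added example that is not part of the thread: the four rules from Leo's post written out for a default-DROP policy with the REDIRECT, -d internal network and --sport 3128 changes applied; interfaces, addresses and the Squid daemon account "squid" are assumed placeholders. It goes a little beyond the reply above: it also accepts the redirected traffic on port 3128 in INPUT, and narrows Squid's outbound fetches by owning user and connection state, because Squid opens those connections from ephemeral source ports rather than 3128.

```shell
#!/bin/sh
# Added example, not from the thread: Leo's rules with the corrections
# discussed above, for a default-DROP INPUT/OUTPUT policy.
# Interfaces, addresses and the "squid" user are assumed placeholders.
INT_IF=${INT_IF:-eth1}                 # interface towards the users
EXT_IF=${EXT_IF:-eth0}                 # interface towards the Internet
INT_NET=${INT_NET:-192.168.1.0/24}     # constructed internal network
EXT_IP=${EXT_IP:-203.0.113.10}         # constructed external address
SQUID_PORT=3128
# Default is a dry run that only prints the rules; set IPT=iptables to apply.
IPT=${IPT:-"echo iptables"}

squid_rules() {
    # 1. Transparently send client web requests to the local Squid.
    #    REDIRECT targets the address of the interface the packet arrived on,
    #    so int_ip need not be hard-coded as it would be with DNAT.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$INT_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # 1b. After REDIRECT the packet is delivered locally to port 3128, so a
    #     default-DROP INPUT chain needs an explicit accept for it.
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport "$SQUID_PORT" \
        -j ACCEPT
    # 2. Squid fetching from origin servers. These connections use ephemeral
    #    source ports, so the rule is narrowed by the owning user instead of
    #    a fixed --sport ("squid" is the assumed daemon account).
    $IPT -A OUTPUT -o "$EXT_IF" -s "$EXT_IP" -p tcp --dport 80 \
        -m owner --uid-owner squid -j ACCEPT
    # 3. Replies from origin servers: accept only packets belonging to a
    #    connection Squid opened, not anything arriving from source port 80.
    $IPT -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p tcp --sport 80 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # 4. Squid answering the users: replies leave from port 3128, not 80,
    #    and are limited to the internal network.
    $IPT -A OUTPUT -o "$INT_IF" -d "$INT_NET" -p tcp --sport "$SQUID_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Number of rules the function emits (a dry-run sanity check).
rule_count() { squid_rules | wc -l | tr -d ' '; }
```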
