In this post we will see how to configure iptables firewall rules for a Squid proxy server.
The proxy server will also act as the router for the LAN, forwarding specific ports to external servers.
I have tested the configuration below on CentOS 6.7; it will also work on other Linux systems with small modifications.
Replace the IP addresses and interface names in the rules below with your own.
LAN Ethernet - eth0 # interface connected to the LAN
WAN Ethernet - eth1 # interface connected to the Internet
LAN Subnet - 192.168.2.0/24
Log in to the CentOS system that you want to configure as the Squid proxy and the router for your LAN.
I assume that you have already configured Squid on the system.
To get Squid working in a few easy steps, see my previous post about Squid configuration.
Enable IP forwarding; without it the kernel drops packets that are not addressed to the server itself, and the FORWARD chain configured below never sees them.
To enable IP forwarding at runtime, run the command below.
#echo 1 > /proc/sys/net/ipv4/ip_forward
Add the line below to /etc/sysctl.conf so that IP forwarding is also enabled at system boot.
net.ipv4.ip_forward = 1
IPTABLES Configuration for SQUID
Back up the current/default iptables configuration.
#service iptables save
#cp /etc/sysconfig/iptables /root/iptables.backup
Flush all existing rules from the filter table and from the nat table.
#iptables -F
#iptables -F -t nat
INPUT chain
Add the rules for incoming connections (traffic addressed to the proxy itself) to this chain. Note that -I inserts a rule at the head of the chain while -A appends at the end; since the chain was just flushed, the rules below end up in the order ping, SSH, Squid, loopback, established, reject, which is what we want.
Allow SSH from your LAN network
#iptables -I INPUT -s 192.168.2.0/24 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Allow ping from the LAN network
#iptables -I INPUT -s 192.168.2.0/24 -i eth0 -p icmp -j ACCEPT
Accept connections from the LAN network to the Squid port 8080. The input-interface option is a lowercase -i; an uppercase -I here would be read as "insert" and the command would be rejected by iptables.
#iptables -A INPUT -s 192.168.2.0/24 -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8080 -j ACCEPT
Allow everything on the loopback interface
#iptables -A INPUT -i lo -j ACCEPT
Allow all incoming packets that belong to ESTABLISHED or RELATED connections, including the replies to connections the server itself opens (for example Squid's outbound HTTP requests).
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Reject all other incoming connections.
#iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
FORWARD chain
This chain handles packets routed through the server from the LAN to external servers. Note that nothing here forwards TCP 80 or 443: web traffic is expected to go through Squid on port 8080, so only the protocols that bypass the proxy are forwarded.
Forward outgoing SMTP requests to the destination SMTP server
#iptables -A FORWARD -s 192.168.2.0/24 -d smtp.example.com -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
Forward outgoing POP requests to the destination POP server.
#iptables -A FORWARD -s 192.168.2.0/24 -d pop.example.com -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT
Allow the SMTP and POP ports used by Gmail accounts configured in Outlook or another mail client.
#iptables -A FORWARD -s 192.168.2.0/24 -d pop.gmail.com -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 995 -j ACCEPT
#iptables -A FORWARD -s 192.168.2.0/24 -d smtp.gmail.com -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 465 -j ACCEPT
iptables resolves a hostname only once, when the rule is loaded (it adds one rule per address returned at that moment), and Gmail uses many addresses that change over time. You therefore need to look up the current addresses of smtp.gmail.com and pop.gmail.com with nslookup or dig, allow each of them, and repeat the lookup when mail stops working. The same applies to smtp.example.com and pop.example.com above if they resolve to more than one address.
Forward outgoing FTP connections from the FTP client at 192.168.2.9
#iptables -A FORWARD -s 192.168.2.9/32 -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 20 -j ACCEPT
#iptables -A FORWARD -s 192.168.2.9/32 -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
The port 21 rule is the one that matters: it admits the FTP control connection. Port 20 is the source port of the server's data connection in active mode, so an outbound rule for destination port 20 matches nothing useful. Data connections are classified as RELATED only when the FTP connection-tracking helper (the ip_conntrack_ftp / nf_conntrack_ftp kernel module) is loaded; also note that the FORWARD rules below accept RELATED traffic only in the Internet-to-LAN direction, so passive-mode data connections, which the client opens towards the server, will be rejected unless a matching RELATED,ESTABLISHED rule for the LAN-to-Internet direction is added.
Forward outgoing ping (ICMP echo requests) from the LAN to the Internet.
#iptables -A FORWARD -s 192.168.2.0/24 -i eth0 -o eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
Forward outgoing DNS requests to external DNS servers. A small office network has to use the ISP's DNS servers or a public resolver such as Google's; the rules below allow Google's 8.8.8.8 and 8.8.4.4. Only UDP is allowed here; responses too large for UDP are retried over TCP port 53, so add matching TCP rules if you see such failures.
#iptables -A FORWARD -s 192.168.2.0/24 -d 8.8.8.8/32 -i eth0 -o eth1 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
#iptables -A FORWARD -s 192.168.2.0/24 -d 8.8.4.4/32 -i eth0 -o eth1 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
Allow packets of ESTABLISHED or RELATED connections coming back from the Internet to the LAN (the replies to the connections allowed above).
#iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Reject all other FORWARD requests
#iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
Masquerade all outgoing connections behind the Internet IP
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
With this, every packet that leaves eth1 carries the server's public IP address and the internal LAN addresses are hidden; connection tracking translates the reply packets back to the LAN host automatically.
Save the iptables configuration
#service iptables save
The iptables service starts at system boot by default, but make sure it is enabled (check with chkconfig) so that the saved rules are loaded again after a reboot and the LAN is not left unprotected.
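The whole procedure above as one script, added here as an example and not part of the original post. It applies the rules in order, resolves each mail hostname to one /32 rule per address (the Gmail caveat above), loads the FTP connection-tracking helper, and accepts RELATED,ESTABLISHED in both forward directions so passive FTP data connections are not rejected; per-service rules then only need to match NEW. Interface names, subnet, ports and hostnames are the post's; the script name squid-fw.sh, the variables, the helper functions, the dry-run mode and the show/apply arguments are my assumptions.

```shell
#!/bin/sh
# squid-fw.sh: the INPUT, FORWARD and NAT rules from this post as one script.
# Added example, not from the original post. Interfaces, subnet and hosts are
# the post's; the script name, variables and helper functions are assumptions.
set -eu

LAN_IF=${LAN_IF:-eth0}                  # interface connected to the LAN
WAN_IF=${WAN_IF:-eth1}                  # interface connected to the Internet
LAN_NET=${LAN_NET:-192.168.2.0/24}
SQUID_PORT=${SQUID_PORT:-8080}
FTP_CLIENT=${FTP_CLIENT:-192.168.2.9/32}
# host:port pairs LAN clients may reach directly (mail bypasses Squid)
MAIL_SERVERS="smtp.example.com:25 pop.example.com:110 pop.gmail.com:995 smtp.gmail.com:465"
DNS_SERVERS="8.8.8.8 8.8.4.4"
DRY_RUN=${DRY_RUN:-1}                   # 1 = print the commands, 0 = execute them

# run CMD...: print the command (dry run) or execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

# resolve_v4 HOST: every IPv4 address HOST currently resolves to, one per line.
# iptables resolves a hostname only once, at rule-load time, so resolving here
# and writing one /32 rule per address keeps the saved ruleset explicit.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

build_rules() {
    run sysctl -w net.ipv4.ip_forward=1     # routing needs forwarding enabled
    run modprobe nf_conntrack_ftp           # FTP data connections become RELATED
    ipt -F
    ipt -t nat -F

    # INPUT: traffic to the proxy itself. Reply packets are accepted first, so
    # the per-service rules only have to match NEW connections.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -s "$LAN_NET" -i "$LAN_IF" -p icmp -j ACCEPT
    ipt -A INPUT -s "$LAN_NET" -i "$LAN_IF" -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    ipt -A INPUT -s "$LAN_NET" -i "$LAN_IF" -p tcp -m state --state NEW -m tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -A INPUT -j REJECT --reject-with icmp-host-prohibited

    # FORWARD: traffic routed between LAN and Internet. The state rule covers
    # both directions, so passive-mode FTP data (LAN -> Internet, RELATED) works.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    for entry in $MAIL_SERVERS; do
        host=${entry%:*}
        port=${entry##*:}
        for ip in $(resolve_v4 "$host"); do
            ipt -A FORWARD -s "$LAN_NET" -d "$ip/32" -i "$LAN_IF" -o "$WAN_IF" \
                -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
        done
    done
    # FTP control channel only: port 20 is the server's source port in active
    # mode, and the data channel is handled by the conntrack helper above.
    ipt -A FORWARD -s "$FTP_CLIENT" -i "$LAN_IF" -o "$WAN_IF" -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    ipt -A FORWARD -s "$LAN_NET" -i "$LAN_IF" -o "$WAN_IF" -p icmp -m icmp --icmp-type 8 -j ACCEPT
    for dns in $DNS_SERVERS; do
        ipt -A FORWARD -s "$LAN_NET" -d "$dns/32" -i "$LAN_IF" -o "$WAN_IF" -p udp -m udp --dport 53 -j ACCEPT
    done
    ipt -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    # NAT: hide the LAN addresses behind the Internet-facing interface
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    show)  DRY_RUN=1; build_rules ;;
    apply) DRY_RUN=0; build_rules; run service iptables save ;;
    *)     echo "usage: $0 show|apply (apply needs root)" >&2 ;;
esac
```

Run `sh squid-fw.sh show` first and read the printed iptables commands, in particular the per-address mail rules; then `sh squid-fw.sh apply` as root applies them and saves the result with `service iptables save`. Because the hostnames are resolved when the script runs, rerun `apply` when a provider changes its addresses.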
vPRH