Dear Antony Stone,

In fact I recently converted from Squid 3.1 and have little idea of the iptables rules used there; it was also working as a router for the internet, so I confused it with a normal proxy.
> -A INPUT -j LOG
> Do you really want to log every packet hitting your machine? What use is that information?

@- You are right, I don't need it.

> -A INPUT -j DROP
> That will prevent ALL packets from entering the machine - nothing can work.
> You need to allow ESTABLISHED and RELATED packets before DROPping anything.

@- Correct, I will add the ESTABLISHED,RELATED rule here:
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

> Then allow
> -A INPUT -i eth1 -j ACCEPT
> There's no point putting a rule like this after "INPUT -j DROP". Everything has been DROPped already, whether it came from eth1 or not...
> Remember that IPtables rules work on a "first match wins" basis.

@- My mistake, it was before the DROP rule, to allow SSH access from the LAN.

> -A FORWARD -i eth1 -j ACCEPT
> Er, wait, is this a forwarding router, or a Squid server accepting requests on eth1 and sending them out on eth0?

@- I don't need it, I will remove it.

> but its block traffic. Can you please help me what allow rule will works for Squid 3.5 when i secure my WAN.
> Please give us more details of your network - I understand that the machine running Squid has two interfaces, but is it only acting as a proxy, or is it also a forwarding router for other traffic?

@- It is only working as Squid. The LAN side consists of two VLANs and we will configure 100 users to use the internet. We will limit each user to 2 MB maximum bandwidth, and 1 MB for FB/YouTube-only users.

Squid 3.5 is working fine, but I want to secure the WAN interface eth0 against any unauthenticated user access. I only need to configure simple iptables rules to secure it.

On Mon, Apr 17, 2017 at 5:53 PM, Antony Stone <antony.st...@squid.open.source.it> wrote:

> On Monday 17 April 2017 at 14:45:55, Arsalan Hussain wrote:
>
> > Dear Sir Amos
>
> :)
>
> > I had reconfigured Squid 3.5 and it works fine. But I want to protect the WAN
> > interface through IPTABLES.
> >
> > 1- Can you help me with a simple iptables chain rule which drops all traffic
> > from WAN eth0 to secure it, and allows Squid user requests from LAN eth1 only? (My
> > WAN is flooded by the public and it wastes all my bandwidth.)
> >
> > For example:
> > -A INPUT -j LOG
>
> Do you really want to log every packet hitting your machine?
>
> What use is that information?
>
> > -A INPUT -j DROP
>
> That will prevent ALL packets from entering the machine - nothing can work.
>
> You need to allow ESTABLISHED and RELATED packets before DROPping anything.
>
> > Then allow
> > -A INPUT -i eth1 -j ACCEPT
>
> There's no point putting a rule like this after "INPUT -j DROP". Everything
> has been DROPped already, whether it came from eth1 or not...
>
> Remember that IPtables rules work on a "first match wins" basis.
>
> > -A FORWARD -i eth1 -j ACCEPT
>
> Er, wait, is this a forwarding router, or a Squid server accepting requests on
> eth1 and sending them out on eth0?
>
> > But it blocks traffic. Can you please help me with what allow rule will work
> > for Squid 3.5 when I secure my WAN?
>
> Please give us more details of your network - I understand that the machine
> running Squid has two interfaces, but is it only acting as a proxy, or is it
> also a forwarding router for other traffic?
>
> Also, have you read any documentation on IPtables, to get some examples of
> standard configurations?
>
> And finally, you numbered the question above with a "1". Is there a "2"?
>
> Antony.
>
> --
> Most people have more than the average number of legs.
>
> Please reply to the list;
> please *don't* CC me.
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

--
With Regards,
Arsalan Hussain
Assistant Director, Networks & Information System
PRESTON UNIVERSITY
Add: Plot: 85, Street No: 3, Sector H-8/1, Islamabad, Pakistan
Cell: +92-322-5018611
UAN: (51) 111-707-808 (Ext: 443)
If you are too lazy to plow now, don't expect a harvest, later
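The ruleset the thread converges on, written out as an added example (my code, not the original poster's or Antony's): WAN on eth0, LAN on eth1, Squid listening on TCP 3128, SSH reachable from the LAN only, FORWARD closed because the box is a proxy and not a router. Those interface names and ports are assumptions. The script also carries a small first-match evaluator so the "DROP before ACCEPT" ordering mistake from the thread can be checked without root or a real netfilter; it models only the match options used in these rules, not iptables itself.

```shell
#!/bin/sh
# Added example; not code from the squid-users thread. Interface names and
# ports below are placeholders: adjust, then load with
#   squid_ruleset | iptables-restore
set -f   # no pathname expansion while we word-split rule lines

WAN_IF=eth0
LAN_IF=eth1
SQUID_PORT=3128

# The ordering the thread starts from. LOG is non-terminating, so every packet
# reaches the DROP and the LAN ACCEPT below it is dead code.
broken_ruleset() {
    cat <<EOF
*filter
-A INPUT -j LOG
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Corrected ordering. Replies to Squid's own outbound fetches arrive on the WAN
# as ESTABLISHED, so that rule sits above everything that could drop WAN
# traffic. Only the Squid port, SSH and ICMP are opened from the LAN; the chain
# policy drops the rest, and unsolicited WAN packets are logged at most 5/min.
squid_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p icmp -j ACCEPT
-A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix WAN-DROP:
COMMIT
EOF
}

# Walk an INPUT chain with first-match semantics and print the verdict.
# Args: ruleset-function in_iface proto dport ctstate
input_verdict() {
    rs=$1; pkt_if=$2; pkt_proto=$3; pkt_dport=$4; pkt_state=$5
    rules=$("$rs")
    policy=ACCEPT   # a fresh filter table accepts unless a :INPUT line says otherwise
    while read -r line; do
        case $line in
            ":INPUT "*)   set -- $line; policy=$2; continue ;;
            "-A INPUT "*) ;;
            *)            continue ;;
        esac
        r_if=; r_proto=; r_dport=; r_state=; r_target=
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -i)        r_if=$2;     shift ;;
                -p)        r_proto=$2;  shift ;;
                --dport)   r_dport=$2;  shift ;;
                --ctstate) r_state=$2;  shift ;;
                -j)        r_target=$2; shift ;;
                -m|--limit|--log-prefix) shift ;;   # options this model does not match on
            esac
            shift
        done
        [ -z "$r_if" ]    || [ "$r_if" = "$pkt_if" ]       || continue
        [ -z "$r_proto" ] || [ "$r_proto" = "$pkt_proto" ] || continue
        [ -z "$r_dport" ] || [ "$r_dport" = "$pkt_dport" ] || continue
        if [ -n "$r_state" ]; then
            case ",$r_state," in *",$pkt_state,"*) ;; *) continue ;; esac
        fi
        if [ "$r_target" = LOG ]; then continue; fi   # LOG never terminates the chain
        echo "$r_target"; return 0
    done <<EOF
$rules
EOF
    echo "$policy"
}

# Demo: the same three packets against both orderings.
for pkt in "eth1 tcp 3128 NEW" "eth0 tcp 3128 NEW" "eth0 tcp 40000 ESTABLISHED"; do
    printf '%-28s broken=%-6s fixed=%s\n' "$pkt" \
        "$(input_verdict broken_ruleset $pkt)" "$(input_verdict squid_ruleset $pkt)"
done
```

The thread's rules use `-m state --state`; `-m conntrack --ctstate` is the current spelling of the same match and the older form is still accepted. Note what the corrected chain does not do: per-user bandwidth caps are a Squid (delay pools) or tc concern, not something these filter rules provide, and OUTPUT stays ACCEPT because Squid must open its own connections to origin servers.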