Dear Friend....
The examples below are based on the discussion of Linux iptables in Chapter 14, "Linux Firewalls Using iptables". Additional commands may be necessary for your particular network topology.
In both cases below, the firewall is connected to the Internet
on interface eth0 and to the home network on interface eth1. The
firewall is also the default gateway for the home network and handles
network address translation on all the network's traffic to the
Internet.
Only the Squid server has access to the Internet on port 80
(HTTP), because all HTTP traffic, except that coming from the Squid
server, is redirected to Squid and never reaches the Internet directly.
If the Squid server and firewall are the same server, all HTTP
traffic from the home network is redirected to the firewall itself on
the Squid port of 3128 and then only the firewall itself is allowed to
access the Internet on port 80.
# Send every HTTP request arriving from the home network to Squid on port 3128.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
-j REDIRECT --to-port 3128
# Let the redirected connections reach Squid on the firewall itself.
iptables -A INPUT -j ACCEPT -m state \
--state NEW,ESTABLISHED,RELATED -i eth1 -p tcp \
--dport 3128
# Let Squid fetch pages from the Internet and receive the replies.
iptables -A OUTPUT -j ACCEPT -m state \
--state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
--dport 80
iptables -A INPUT -j ACCEPT -m state \
--state ESTABLISHED,RELATED -i eth0 -p tcp \
--sport 80
# Squid's replies to the clients. The REDIRECT is reversed in POSTROUTING,
# after the filter OUTPUT chain has seen the packet, so the source port
# here is still 3128, not 80.
iptables -A OUTPUT -j ACCEPT -m state \
--state ESTABLISHED,RELATED -o eth1 -p tcp \
--sport 3128
Note: This example is specific to HTTP traffic. It cannot simply be
extended to HTTPS browsing on TCP port 443: TLS authenticates the Web
server to the browser, so a proxy inserted transparently as a
"man in the middle" is detected by the client and the connection fails.
(Squid can intercept HTTPS only with its SSL-Bump feature, which requires
a CA certificate you control to be installed on every client.) Port 443,
and any other traffic not matched by the REDIRECT rule, is left untouched
by this snippet, so it still needs the ordinary IP masquerading and
forwarding statements from Chapter 14 to reach the Internet. Add them
immediately after the code snippet; that non-HTTP traffic then passes
through the firewall without being cached by Squid.
If the Squid server and firewall are different servers, the
statements are different. You need to set up iptables so that every
connection to the Web not originating from the Squid server is rewritten
twice as it passes through the firewall: destination NAT sends it to the
Squid server instead of to the Web site, and source NAT makes it appear
to come from the firewall rather than from the Web browser client. Squid
therefore sees a connection from the firewall, makes its own connection
to the Web to service the request, and sends the data back to the
firewall, which reverses both translations and relays the reply to the
Web browser client. The iptables program does all this using these NAT
statements:
iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.1.100 \
-p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:3128
# 192.168.1.1 is the firewall's own address on eth1.
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 \
-d 192.168.1.100 -j SNAT --to-source 192.168.1.1
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.1.100 \
-i eth1 -o eth1 -m state \
--state NEW,ESTABLISHED,RELATED \
-p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -s 192.168.1.100 \
-i eth1 -o eth1 -m state --state ESTABLISHED,RELATED \
-p tcp --sport 3128 -j ACCEPT
In the first statement all HTTP traffic from the home network, except
from the Squid server at IP address 192.168.1.100, is redirected to the
Squid server on port 3128 using destination NAT. The second statement
makes this redirected traffic also undergo source NAT so that it appears
to come from the firewall itself. This source NAT is not optional: without
it Squid would answer the client directly, and the client, which believes
it is talking to the Web server on port 80, would reject packets arriving
from 192.168.1.100 port 3128. Sending the replies back to the firewall
lets connection tracking reverse both translations. The FORWARD statements
ensure the traffic is allowed to flow to the Squid server after the NAT
process is complete; the reply rule matches source port 3128 because the
FORWARD chain sees the reply before its source is translated back to the
Web server's port 80. The unusual feature is that the NAT all takes place
on one interface, that of the home network (eth1). Because packets enter
and leave on the same interface, the kernel may send ICMP redirects to the
clients telling them to contact the Squid server directly; disable this
with sysctl -w net.ipv4.conf.eth1.send_redirects=0.
You will additionally have to make sure your firewall has rules
to allow your Squid server to access the Internet on HTTP TCP port 80
as covered in Chapter 14, "Linux Firewalls Using iptables".
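The script below is an added example and is not code from the original chapter. It generates the complete rule set for either topology from a handful of variables and checks it before anything is applied: when the Squid address given equals the firewall's own LAN address it emits the REDIRECT form, otherwise the DNAT/SNAT form together with the hairpin FORWARD rules and the FORWARD rules that let the Squid server itself reach the Internet on port 80. The interface names, the firewall LAN address 192.168.1.1, the SQUID_IP and APPLY switches and the function names are assumptions made for the example, as is narrowing the SNAT rule to TCP port 3128.

```shell
#!/bin/sh
# Added example, not code from the original chapter: build and check the
# Squid interception rules for either topology from a few variables.
# Hypothetical names/values: the interfaces, 192.168.1.1 as the firewall's
# LAN address, and the SQUID_IP / APPLY switches. Adjust them to your network.

WAN_IF=${WAN_IF:-eth0}              # interface facing the Internet
LAN_IF=${LAN_IF:-eth1}              # interface facing the home network
LAN_NET=${LAN_NET:-192.168.1.0/24}  # home network
FW_LAN_IP=${FW_LAN_IP:-192.168.1.1} # firewall's address on LAN_IF (assumed)
SQUID_PORT=${SQUID_PORT:-3128}      # port Squid listens on in intercept mode

# squid_rules SQUID_IP: print one iptables command per line.
# Squid on the firewall itself (SQUID_IP == FW_LAN_IP) uses REDIRECT;
# a separate Squid host uses DNAT plus SNAT and hairpin FORWARD rules.
squid_rules() {
    squid_ip=$1
    if [ "$squid_ip" = "$FW_LAN_IP" ]; then
        cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -p tcp --sport $SQUID_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    else
        cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF ! -s $squid_ip -p tcp --dport 80 -j DNAT --to-destination $squid_ip:$SQUID_PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $squid_ip -p tcp --dport $SQUID_PORT -j SNAT --to-source $FW_LAN_IP
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -d $squid_ip -p tcp --dport $SQUID_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $squid_ip -d $LAN_NET -p tcp --sport $SQUID_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $squid_ip -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $squid_ip -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    fi
}

# check_rules SQUID_IP: refuse a rule set that would loop Squid's own
# port-80 traffic back into Squid, redirects in more than one place,
# or forwards without connection tracking.
check_rules() {
    rules=$(squid_rules "$1")
    n=$(printf '%s\n' "$rules" | grep -c -- '-t nat -A PREROUTING')
    [ "$n" -eq 1 ] || return 1
    if [ "$1" != "$FW_LAN_IP" ]; then
        printf '%s\n' "$rules" | grep -q -- "PREROUTING .*! -s $1 .* -j DNAT" || return 1
        printf '%s\n' "$rules" | grep -- '-A FORWARD' | grep -v -q -- '-m state' && return 1
    fi
    return 0
}

# apply_rules SQUID_IP: print the commands, or run them when APPLY=1.
apply_rules() {
    check_rules "$1" || { echo "rule check failed for $1" >&2; return 1; }
    squid_rules "$1" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
    done
}

if [ -n "${SQUID_IP:-}" ]; then
    apply_rules "$SQUID_IP"
fi
```

Run it as `SQUID_IP=192.168.1.100 sh squid-rules.sh` to review the rules, and add `APPLY=1` to execute them as root. Whichever form you use, Squid must listen in interception mode on that port (`http_port 3128 intercept`; older releases spell it `transparent`), otherwise it expects proxy-style requests and rejects the redirected ones. After applying, `iptables -t nat -L PREROUTING -v -n` should show the packet counter on the REDIRECT or DNAT rule rising as clients browse.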
Good Luck!