# iptables configuration

## FGor

Does this iptables config look safe/smart (for a home router/gateway deal)?

I really don't know 100% what I am doing here...

```
#!/bin/bash

clear
echo " "
echo "Running Routing And Firewall Script..."
echo " "

echo "Clearing Chains..."
iptables -F
iptables -X

echo "Setting Default Policies..."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

echo "Activating Masquerade..."
# routing between lan and wan only happens if the kernel forwards packets
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o wan -j MASQUERADE
iptables -A FORWARD -i lan -j ACCEPT

echo "Allowing Related Connections..."
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ------------ Forwarding [START] ------------
echo "Opening Forwarding Ports..."
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# PPTP: the control channel is TCP 1723; the tunnel itself is GRE (IP protocol 47, not a TCP port)
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
# ------------- Forwarding [END] -------------

echo "Routing Torrents via Ipredator..."
iptables -A INPUT -i ppp0 -p tcp --dport 4400:44010 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 4400:44010 -j ACCEPT

echo "Routing Web Traffic via Squid..."
# iptables -t nat -A PREROUTING -i lan -p tcp --dport 80 -j REDIRECT --to-ports 2000

echo "Dropping Crap..."
# last INPUT rule: anything arriving on wan that no rule above accepted
iptables -A INPUT -i wan -j DROP

echo " "
echo "Done!"
echo " "
```

ppp0 is a PPTP tunnel for safe torrent downloads.

I renamed my network cards, so wan and lan are accurate.

----------

## d2_racing

No, it's not safe, because right now you don't block anything :Razz:

```
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
```

From a Linux point of view, you need to block everything and then open what you want.

Right now, it's like the Windows point of view: everything is open and you want to block something.

Last edited by d2_racing on Fri Jan 15, 2010 1:05 pm; edited 1 time in total

----------

## d2_racing

This is a really simple iptables script:

```
#!/bin/bash

# Constants
IPT=/sbin/iptables
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface on your local network (LAN)
LOCAL_IFACE="eth0"

# Interface facing the Internet (WAN)
INET_IFACE="eth1"

# Address of your gateway (firewall)
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"      # subnet with netmask 255.255.255.0
LOCAL_BCAST="192.168.1.255"     # broadcast address

# Loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Open the policies before flushing so the flush itself cannot lock us out
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush every table and delete user-defined chains
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default behaviour: block traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Invalid packets are logged and dropped so they cannot cause errors
$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A INPUT -m state --state INVALID -j DROP

# All traffic from the loopback interface is accepted
$IPT -A INPUT -i $LO_IFACE -p ALL -j ACCEPT

# Inbound traffic from the LAN is accepted only if it belongs to a connection initiated by a LAN client
$IPT -A INPUT -i $LOCAL_IFACE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

# A packet arriving on the LAN interface with a source address outside the LAN is spoofed
$IPT -A INPUT -i $LOCAL_IFACE ! -s $LOCAL_NET -j DROP

# Only this ICMP type is accepted from the LAN
$IPT -A INPUT -i $LOCAL_IFACE -p ICMP --icmp-type time-exceeded -j ACCEPT

# Accept SSH connections to the firewall only from LAN clients
$IPT -A INPUT -i $LOCAL_IFACE -p tcp -s $LOCAL_NET --dport 22 --syn -m state --state NEW -j ACCEPT

# Inbound traffic from the Internet is accepted only if it belongs to a connection initiated from inside
$IPT -A INPUT -i $INET_IFACE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only this ICMP type is accepted from the Internet
$IPT -A INPUT -i $INET_IFACE -p ICMP --icmp-type time-exceeded -j ACCEPT

# Drop broadcast packets
$IPT -A INPUT -i $INET_IFACE -m pkttype --pkt-type broadcast -j DROP

# Packets from the Internet with bogus TCP flag combinations are dropped
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Invalid forwarded packets are logged and dropped
$IPT -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A FORWARD -m state --state INVALID -j DROP

# A packet arriving from the Internet is forwarded if it is addressed to the LAN
# (note: this accepts any WAN-originated packet for a LAN address, not only replies)
$IPT -A FORWARD -i $INET_IFACE -p ALL -d $LOCAL_NET -j ACCEPT

# Packets arriving from the LAN may be forwarded
$IPT -A FORWARD -i $LOCAL_IFACE -p ALL -s $LOCAL_NET -j ACCEPT

# Packets arriving on the LAN interface from outside the LAN range are dropped
$IPT -A FORWARD -i $LOCAL_IFACE ! -s $LOCAL_NET -j DROP

$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -m state --state INVALID -j DROP

# Allow outbound traffic
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# We sit in front of the LAN and must use NAT for it to reach the Internet
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp --dport 80 -j REDIRECT --to-ports 2000
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
```

----------

## d2_racing

This one is even more paranoid (safe):

```
#!/bin/bash

# Constants
IPT=/sbin/iptables
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface on your local network (LAN)
LOCAL_IFACE="eth0"

# Interface facing the Internet (WAN)
INET_IFACE="eth1"

# Address of your gateway (firewall)
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"      # subnet with netmask 255.255.255.0
LOCAL_BCAST="192.168.1.255"     # broadcast address

# Loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Open the policies before flushing so the flush itself cannot lock us out
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush every table and delete user-defined chains
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default behaviour: block traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Invalid packets are logged and dropped so they cannot cause errors
$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# A packet arriving on the LAN interface with a source address outside the LAN is spoofed
$IPT -A INPUT -i $LOCAL_IFACE ! -s $LOCAL_NET -j LOG --log-prefix "SPOOFED PKT "
$IPT -A INPUT -i $LOCAL_IFACE ! -s $LOCAL_NET -j DROP

# All traffic from the loopback interface is accepted
$IPT -A INPUT -i $LO_IFACE -p ALL -j ACCEPT

# Only this ICMP type is accepted from the LAN
$IPT -A INPUT -i $LOCAL_IFACE -p ICMP --icmp-type time-exceeded -j ACCEPT

# Accept SSH connections to the firewall only from LAN clients
$IPT -A INPUT -i $LOCAL_IFACE -p tcp -s $LOCAL_NET --dport 22 --syn -m state --state NEW -j ACCEPT

# Answer pings from anywhere
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Drop broadcast packets
$IPT -A INPUT -i $INET_IFACE -m pkttype --pkt-type broadcast -j DROP

# Packets from the Internet with bogus TCP flag combinations are dropped
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Log whatever is about to fall through to the DROP policy
$IPT -A INPUT ! -i $LO_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

# Invalid forwarded packets are logged and dropped
$IPT -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Spoofed sources on the LAN interface are logged and dropped
$IPT -A FORWARD -i $LOCAL_IFACE ! -s $LOCAL_NET -j LOG --log-prefix "SPOOFED PKT "
$IPT -A FORWARD -i $LOCAL_IFACE ! -s $LOCAL_NET -j DROP

# New connections the LAN may open through the firewall
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -s $LOCAL_NET --dport 21 --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -s $LOCAL_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -s $LOCAL_NET --dport 25 --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp --dport 110 --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
# --dport needs -p tcp or -p udp; DNS uses both
$IPT -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### default LOG rule
$IPT -A FORWARD ! -i $LO_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# New connections the firewall itself may open
$IPT -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 110 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow outbound traffic (these blanket rules make the per-port rules above redundant)
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT ! -o $LO_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

# We sit in front of the LAN and must use NAT for it to reach the Internet
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
```

----------

## d2_racing

Feel free to ask any questions; I can help you set up your iptables rules.

Also, I need to know what you really want to do with your box.

----------

## remix

I'm new to this too.

How would you write it if you only have one interface to the WAN

and you want to block everything except ports 22, 80, and 443?

And then how do you run it? Do you just run the script once and it's all set?

----------

## d2_racing

First, your firewall will be used as a gateway and you will use a PC behind it, right?

```
   WAN
    |
  Firewall
   /    \
 PC    PC
```

----------

## d2_racing

Ok, for that it's simple, you need this:

```
#!/bin/bash

# Constants
IPT=/sbin/iptables
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface on your local network (LAN)
LOCAL_IFACE="eth0"

# Interface facing the Internet (WAN)
INET_IFACE="eth1"

# Address of your gateway (firewall)
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"      # subnet with netmask 255.255.255.0
LOCAL_BCAST="192.168.1.255"     # broadcast address

# Loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Open the policies before flushing so the flush itself cannot lock us out
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush every table and delete user-defined chains
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default behaviour: block traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Invalid packets are logged and dropped so they cannot cause errors
$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# A packet arriving on the LAN interface with a source address outside the LAN is spoofed
$IPT -A INPUT -i $LOCAL_IFACE ! -s $LOCAL_NET -j LOG --log-prefix "SPOOFED PKT "
$IPT -A INPUT -i $LOCAL_IFACE ! -s $LOCAL_NET -j DROP

# All traffic from the loopback interface is accepted
$IPT -A INPUT -i $LO_IFACE -p ALL -j ACCEPT

# Only this ICMP type is accepted from the LAN
$IPT -A INPUT -i $LOCAL_IFACE -p ICMP --icmp-type time-exceeded -j ACCEPT

# Answer pings from anywhere
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Drop broadcast packets
$IPT -A INPUT -i $INET_IFACE -m pkttype --pkt-type broadcast -j DROP

# Packets from the Internet with bogus TCP flag combinations are dropped
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INET_IFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Log whatever is about to fall through to the DROP policy
$IPT -A INPUT ! -i $LO_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

# Invalid forwarded packets are logged and dropped
$IPT -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Spoofed sources on the LAN interface are logged and dropped
$IPT -A FORWARD -i $LOCAL_IFACE ! -s $LOCAL_NET -j LOG --log-prefix "SPOOFED PKT "
$IPT -A FORWARD -i $LOCAL_IFACE ! -s $LOCAL_NET -j DROP

# New connections the LAN may open through the firewall: only 22, 80 and 443
# (no rule for port 53, so name resolution from the LAN is blocked unless you add one)
$IPT -A FORWARD -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### default LOG rule
$IPT -A FORWARD ! -i $LO_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# New connections the firewall itself may open
$IPT -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow outbound traffic (these blanket rules make the per-port rules above redundant)
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT ! -o $LO_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

# We sit in front of the LAN and must use NAT for it to reach the Internet
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
```

And that's about it.

Man, that's my 10,000th post :Razz:

----------

## remix

Awesome!

Thanks, and congrats on 10,000.

----------

## d2_racing

I suggest that you read this howto one day : http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

And this one is pretty hot : http://oreilly.com/catalog/9781593271411

And my bible : http://oreilly.com/catalog/9780596005696/

----------

## FGor

Thanks for all the input, guys :Smile:

It's really hard to get help with manual configuration of iptables these days :Razz:

 *d2_racing wrote:*   

> No it's not safe, because right now, you don't block anything 
> 
> Code:
> 
> iptables -P INPUT ACCEPT
> ...

 

What about the line:

```
iptables -A INPUT -i wan -j DROP
```

Doesn't that mean that everything not stated in the rules:

```
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
```

is dropped?

What I want from my iptables is a safe (don't read unhackable; it's a home server, not an FBI data bank) and fast firewall which allows me to surf the web with Squid and download torrents privately via the Ipredator VPN service. That's about it.

Thanks for the firewall scripts, by the way. They are not for me though; I'm going for the simpler approach.

----------

## d2_racing

 *FGor wrote:*   

> what about the line: 
> 
> ```
> iptables -A INPUT -i wan -j DROP 
> ```
> ...

 

Yes, you will kill your WAN if you use your first line.

When you read an iptables file, consider that each time a connection or a packet arrives, it will read the iptables file from top to bottom sequentially.

```
#!/bin/bash

IPT=/sbin/iptables
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface connected to the network (WAN)
WAN_IFACE="eth0"

# Loopback interface
LOOP_IFACE="lo"
LOOP_IP="127.0.0.1"

# Open the policies before flushing so the flush itself cannot lock us out
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush every table and delete user-defined chains
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default behaviour: block traffic
$IPT -P INPUT   DROP
$IPT -P OUTPUT  DROP
$IPT -P FORWARD DROP

# Invalid packets are logged and dropped so they cannot cause errors
$IPT -A INPUT -i $WAN_IFACE -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A INPUT -i $WAN_IFACE -m state --state INVALID -j DROP

# All traffic from the loopback interface is accepted
$IPT -A INPUT -p ALL -i $LOOP_IFACE -j ACCEPT

# Inbound traffic is accepted only if it belongs to a connection this machine initiated
$IPT -A INPUT -i $WAN_IFACE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only this ICMP type is accepted from the WAN
$IPT -A INPUT -i $WAN_IFACE -p ICMP --icmp-type time-exceeded -j ACCEPT

# Drop broadcast packets
$IPT -A INPUT -i $WAN_IFACE -m pkttype --pkt-type broadcast -j DROP

$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -m state --state INVALID -j DROP

# Allow outbound traffic
$IPT -A OUTPUT -p ALL -s $LOOP_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOOP_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $WAN_IFACE -j ACCEPT
```

----------
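To see what the top-to-bottom, first-match evaluation described above actually does to the INPUT and FORWARD chains of the first post, here is an added example (not code from the thread): a small Python model that walks each chain in the order the script appends the rules and reports which rule decided, or that the chain policy did. The PPTP rule is modelled as GRE (IP protocol 47) rather than TCP port 47; the sample packets, their ports and the interface names are constructed for the demonstration.

```python
"""Dry-run model of iptables filter-chain evaluation: rules are tried in the
order they were appended, the first match decides, and the chain policy
applies only when no rule matched. Added example, not code from the thread."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on (-i)
    proto: str            # "tcp", "udp", "icmp", "gre"
    dport: Optional[int]  # destination port, None for protocols without ports
    state: str            # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str                              # -j ACCEPT / DROP
    iface: Optional[str] = None              # -i
    proto: Optional[str] = None              # -p
    dport: Optional[int] = None              # --dport N
    port_range: Optional[tuple] = None       # --dport A:B
    states: frozenset = frozenset()          # -m state --state ...

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.port_range is not None:
            lo, hi = self.port_range
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        if self.states and pkt.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)

    def verdict(self, pkt: Packet):
        """Return (target, index of the deciding rule), or (policy, None)."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.target, idx
        return self.policy, None


# INPUT and FORWARD as the first post's script builds them, in append order
INPUT = Chain("ACCEPT", [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", proto="tcp", dport=21),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="gre"),                                   # PPTP tunnel
    Rule("ACCEPT", proto="tcp", dport=1723),                       # PPTP control
    Rule("ACCEPT", iface="ppp0", proto="tcp", port_range=(4400, 44010)),
    Rule("DROP", iface="wan"),                                     # "Dropping Crap"
])
FORWARD = Chain("ACCEPT", [Rule("ACCEPT", iface="lan")])

# Constructed sample packets covering the interesting paths
SAMPLES = {
    "wan ssh NEW":           (INPUT,   Packet("wan", "tcp", 22, "NEW")),
    "wan reply ESTABLISHED": (INPUT,   Packet("wan", "tcp", 51234, "ESTABLISHED")),
    "wan mysql NEW":         (INPUT,   Packet("wan", "tcp", 3306, "NEW")),
    "wan dns NEW":           (INPUT,   Packet("wan", "udp", 53, "NEW")),
    "lan mysql NEW":         (INPUT,   Packet("lan", "tcp", 3306, "NEW")),
    "ppp0 torrent NEW":      (INPUT,   Packet("ppp0", "tcp", 44005, "NEW")),
    "ppp0 smtp NEW":         (INPUT,   Packet("ppp0", "tcp", 25, "NEW")),
    "wan->lan smb NEW":      (FORWARD, Packet("wan", "tcp", 445, "NEW")),
}


def audit() -> dict:
    """Evaluate every sample; returns {label: (target, rule index or None)}."""
    return {label: chain.verdict(pkt) for label, (chain, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for label, (target, idx) in audit().items():
        where = "policy" if idx is None else f"rule {idx}"
        print(f"{label:24s} -> {target:6s} ({where})")
```

The audit shows that the trailing `-i wan -j DROP` only catches unsolicited packets on wan that no earlier rule accepted, so replies and the listed ports still get through. It also shows what the rule does not cover: packets arriving on lan or ppp0 that match nothing fall through to the ACCEPT policy, and the FORWARD chain accepts anything arriving on wan by policy, because its single rule only mentions lan.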

## d2_racing

Make sure that you have this inside your kernel:

```
Network Support
 --> Networking options
     [*] Network packet filtering framework (Netfilter)  --->
        [*]   Advanced netfilter configuration (NEW)
        Core Netfilter Configuration  --->
             <M> Netfilter LOG over NFNETLINK interface
             <M> Netfilter connection tracking support
             <M> Connection mark tracking support
             [*] Connection tracking events
             <M>   UDP-Lite protocol connection tracking support
             <M>   FTP protocol support
             <M>   IRC protocol support
             <M>   Connection tracking netlink interface
             <M> Netfilter Xtables support (required for ip_tables)
             <M>   "CONNMARK" target support
             <M>   "MARK" target support
             <M>   "connmark" connection mark match support
             <M>   "conntrack" connection tracking match support
             <M>   "iprange" address range match support
             <M>   "length" match support
             <M>   "limit" match support
             <M>   "mark" match support
             <M>   "multiport" Multiple port match support
             <M>   "pkttype" packet type match support
             <M>   "recent" match support
             <M>   "state" match support
             <M>   "string" match support
             <M>   "tcpmss" match support
        IP: Netfilter Configuration  --->
             <M> IPv4 connection tracking support (required for NAT)
             [*] proc/sysctl compatibility with old connection tracking (NEW)
             <M> IP tables support (required for filtering/masq/NAT)
                <M>   "addrtype" address type match support
                <M>   "ah" match support
                <M>   "ecn" match support
                <M>   "ttl" match support
                <M>   Packet filtering
                <M>   REJECT target support
                <M>   LOG target support
                <M>   ULOG target support
                <M>   Full NAT
                <M>   MASQUERADE target support
                <M>   NETMAP target support
                <M>   REDIRECT target support
                <M>   Basic SNMP-ALG support
                <M>   Packet mangling
                <M>   CLUSTERIP target support (EXPERIMENTAL)
                <M>   ECN target support
                <M>   "TTL" target support
                <M>   raw table support (required for NOTRACK/TRACE)
                <M>   ARP tables support
                <M>   ARP packet filtering
                <M>   ARP payload mangling
```

----------

## d2_racing

Finally, make sure that iptables.sh (the firewall rules script) is run once, this way:

```
# cd /root
# chmod +x iptables.sh
# ./iptables.sh
# iptables -L -v                      # check the loaded rules and their counters
# iptables-save                       # dump the live ruleset
# /etc/init.d/iptables save           # store it where the Gentoo init script reloads it from
# rc-update add iptables default      # load it at every boot
# /etc/init.d/iptables start
```

Now, each time that you reboot your box, your firewall will be running with the firewall rules that I posted.

----------

## Joseph_sys

 *d2_racing wrote:*   

> Feel free to ask any questions, I can help you to setup your iptables rules.
> 
> Also,  I need to know what you really want to do with your box.

 

Can you point me in the right direction please?

I'm trying to set up iptables + squid (squid is working OK, I tested it) but I have a problem redirecting internal traffic via squid. I've tried the simplest configuration:

```
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
```

But it is not working; squid is blocking outside access. When I disable iptables and point Firefox at the local proxy on 3128 it works fine, so it means something in iptables is not working.

I don't want to block incoming traffic; all I want to do is restrict outgoing traffic using squid (allow only access to one or two domains).

----------

## d2_racing

Ok, post your new iptables script and I will look at it.

----------

## Joseph_sys

 *d2_racing wrote:*   

> Ok, post your new iptables script and I will look at it.

 

I'm almost there, this part is working:

```
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
```

All that was missing was "transparent" in squid.conf:

```
http_port 3128 transparent
```

Squid accepts input and allows/disallows what I've put in there, but localhost (127.0.0.1) is not working. All that works is 127.0.0.1:631; if I try to access localhost PHP, 127.0.0.1/phpmyadmin, access is denied by squid.

I've found this reference:

http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html

which says that to allow localhost I need:

```
ipchains -A input  -j ACCEPT -p all -s localhost -d localhost -i lo
ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
```

but this is not correct; in order to enter the rules with iptables I had to do:

```
iptables -A INPUT  -j ACCEPT -p all -s localhost -d localhost -i lo
iptables -A OUTPUT -j ACCEPT -p all -s localhost -d localhost
```

but this still does not allow access to localhost; squid is not the problem, as if I disable iptables and configure Firefox to use the local proxy 127.0.0.1:3128

it all works.

Here are my current rules:

```
iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http owner UID match squid
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3128 owner UID match squid
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128
```

```
iptables -n -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            127.0.0.1

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            127.0.0.1
```

How do I enable localhost in iptables? Thanks for looking into it.

----------

## d2_racing

Hi, I found this: http://www.linuxquestions.org/questions/linux-networking-3/debian-iptables-squid-redirect-port-80-to-port-8080-on-another-machine-474027/

Maybe you need to have this line too: `$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080`

----------

## Joseph_sys

 *d2_racing wrote:*   

> Hi, I found this : http://www.linuxquestions.org/questions/linux-networking-3/debian-iptables-squid-redirect-port-80-to-port-8080-on-another-machine-474027/
> 
> Maybe you need to have this line too : $IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

 

I've tried: *Quote:*

> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

It doesn't work. I didn't expect iptables to be such a pain.

I've tried this as well in squid.conf:

```
http_port 127.0.0.1:80 transparent
```

It doesn't help.

----------

## d2_racing

Hi, can you post this:

```
# iptables -L
```

----------

## Joseph_sys

 *d2_racing wrote:*   

> Hi, can you post this :
> 
> ```
> 
> # iptables -L
> ...

 

There is nothing there:

```
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Maybe I'm entering something in the wrong order :-/

----------

## cach0rr0

If it's of any use to you, this ( http://pastebin.com/m3d85108d ) is mine for a single box with one interface, with the following open:

FTP (20/21)

SSH (22)

SMTP (25)

HTTP (80)

HTTPS (443)

IMAPS (993)

SVN (3690)

IRC (6667, 6697)

BitTorrent (39160-39300)

It should be fairly clear that down towards the bottom is where I've opened up the things that are allowed.

I am no iptables expert, but this works for me.

I run that to populate a base set of rules, then `/etc/init.d/iptables save`

...so that it persists on boot.

----------

## d2_racing

Look, this is a pretty straightforward iptables script:

```
#!/bin/bash

# Constants
IPT=/sbin/iptables
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface connected to the network (WAN)
WAN_IFACE="eth0"

# Loopback interface
LOOP_IFACE="lo"
LOOP_IP="127.0.0.1"

# Open the policies before flushing so the flush itself cannot lock us out
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush every table and delete user-defined chains
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default behaviour: block traffic
$IPT -P INPUT   DROP
$IPT -P OUTPUT  DROP
$IPT -P FORWARD DROP

# Invalid packets are logged and dropped
$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A INPUT -m state --state INVALID -j DROP

# Replies to connections this box started
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else that did not arrive on loopback
# (note: this sits before the ICMP rule, so accepted pings are logged as "DROP " too)
$IPT -A INPUT ! -i $LOOP_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
$IPT -A INPUT -i $LOOP_IFACE -j ACCEPT
$IPT -A INPUT -p ICMP -m limit --limit 1/s -j ACCEPT

$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services this box is allowed to connect to
$IPT -A OUTPUT -p tcp -m multiport --dports 21,22,25,80,110,443,873,1024 -j ACCEPT
$IPT -A OUTPUT -p udp -m multiport --dports 53 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log whatever is about to fall through to the DROP policy
$IPT -A OUTPUT ! -o $LOOP_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -o $LOOP_IFACE -j ACCEPT
```

Since I don't run any server on my box, I set my ports only in the OUTPUT chain, and my `$IPT -A INPUT -m state --state ESTABLISHED,RELATED` rule will handle what I started from my box.

----------

## d2_racing

Try my script with this:

```
#!/bin/bash

# Constants
IPT=/sbin/iptables
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface connected to the network (WAN)
WAN_IFACE="eth0"

# Loopback interface
LOOP_IFACE="lo"
LOOP_IP="127.0.0.1"

# Open the policies before flushing so the flush itself cannot lock us out
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush every table and delete user-defined chains
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default behaviour: block traffic
$IPT -P INPUT   DROP
$IPT -P OUTPUT  DROP
$IPT -P FORWARD DROP

# Redirect web traffic to squid. The target options must follow -j REDIRECT.
# PREROUTING only sees packets that arrive from the network; packets this box
# generates itself traverse the nat OUTPUT chain instead.
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128

# Invalid packets are logged and dropped
$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A INPUT -m state --state INVALID -j DROP

# Replies to connections this box started
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else that did not arrive on loopback
$IPT -A INPUT ! -i $LOOP_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
$IPT -A INPUT -i $LOOP_IFACE -j ACCEPT
$IPT -A INPUT -p ICMP -m limit --limit 1/s -j ACCEPT

$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services this box is allowed to connect to
$IPT -A OUTPUT -p tcp -m multiport --dports 21,22,25,80,110,443,873,1024 -j ACCEPT
$IPT -A OUTPUT -p udp -m multiport --dports 53 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log whatever is about to fall through to the DROP policy
$IPT -A OUTPUT ! -o $LOOP_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -o $LOOP_IFACE -j ACCEPT
```

Save it and run this:

```
# cd /root
# chmod +x iptables.sh
# ./iptables.sh
# iptables -L -v
# iptables-save
# /etc/init.d/iptables save
# rc-update add iptables default
# /etc/init.d/iptables start
```

----------

## Joseph_sys

I've entered: 

```

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

```

This line it will not take (don't know why); I have the same network: 

```

iptables -A INPUT -i eth0 --src 192.168.1.0/24 -j ACCEPT

```

I've even tried to exempt traffic on lo from being redirected:

```

iptables -A INPUT -i lo -p all -j ACCEPT

```

this iptables is the most crappy thing ever invented  :Sad: 

----------

## Hu

 *Joseph_sys wrote:*   

> this line it will not take it (don't know why) I have the same network 
> 
> iptables -A INPUT -i eth0 --src 192.168.1.0/24 -j ACCEPT
> 
> I've even tried exempt traffic on lo from being redirected:
> ...

 Please clarify "will not take it."  Does the command fail?  Does it run successfully, but produce an incorrect result?

iptables works great.  So far, all your problems seem to be because you are trying to manipulate TCP connections in a questionable manner, and Squid needs some extra guidance to get that right.  Is there any reason you cannot just block all port 80 traffic originating inside, configure Squid to be allowed, and require internal systems to configure Squid as an http proxy?  It would make your life much simpler.  You may end up going that way anyway, since you cannot use proxy authentication when using transparent interception.

If you want to exempt traffic on the loopback interface from being redirected, you need to ensure it does not reach your REDIRECT target.  Since REDIRECT is in the nat table, you need to put your exemption rule there as well.  As written, you put it in the filter table.  This is too late to have any effect on whether a connection has its source or destination addresses mangled.

----------

## Joseph_sys

 *d2_racing wrote:*   

> Try my script with this :
> 
> ```
> 
> #!/bin/bash
> ...

 

Trying to run this script I get:

```

iptables v1.4.3.2: unknown option `--to-port'

Try `iptables -h' or 'iptables --help' for more information.

Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

```

I've tried changing "--to-port" to "--to-ports"; same thing.

----------

## Joseph_sys

 *Hu wrote:*   

> *Joseph_sys wrote:*   
> 
> > this line it will not take it (don't know why) I have the same network 
> > 
> > iptables -A INPUT -i eth0 --src 192.168.1.0/24 -j ACCEPT
> > 
> > ...
> ...

 

```

iptables -A INPUT -i eth0 --src 192.168.1.0/24 -j ACCEPT

```

gives me:

```

iptables v1.4... host/network 'addr:192.168.1.0' not found 

```

My LAN IP is 192.168.1.1 (tried it as well).

I just want to block outgoing traffic from this single machine. My firewall is a simple Linksys WRT54G running whiterussian; I did not play with it much, so I don't know what it is capable of. Besides, it is in production, so I don't have easy access to it.

But the machine will have to have access to one or two web pages (http and https), so maybe I should just abandon iptables, use squid, and configure the browser to use the proxy: 127.0.0.1:3128 

I'll try playing as you suggest: put the "lo" exemption in the filter table and see what happens; I just need to find out how to do it :-/

----------

## d2_racing

Hi, try this one instead :

```

# cd /root

# nano iptables.sh 

```

```

$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT   --to-port 3128 

```

So to do that, run this :

```

# /etc/init.d/iptables stop

# ./iptables.sh 

# iptables -L -v 

# iptables -t nat -L

# iptables-save 

# /etc/init.d/iptables save 

# /etc/init.d/iptables start 

```

----------

## Joseph_sys

 *d2_racing wrote:*   

> Hi, try this one instead :
> 
> ```
> 
> # cd /root
> ...

 

Maybe I'm doing something wrong; is this step necessary?

```

# iptables-save

```

In previous modifications I've only run:

```

# /etc/init.d/iptables save 

# /etc/init.d/iptables start

```

----------

## Joseph_sys

 *d2_racing wrote:*   

> Hi, try this one instead :
> 
> ```
> 
> $IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT   --to-port 3128 
> ...

 

When I try to start this script I get the same thing:

```
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

```

----------

## d2_racing

These two are normal errors.

```

Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`). 

Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`). 

```

So post this :

```

# iptables -L

# iptables -t nat -L

```

----------

## Joseph_sys

 *d2_racing wrote:*   

> These two are normal errors.
> 
> So post this :
> 
> ```
> ...

 

Here is the output of: iptables -t nat -L  

```

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination         

REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128 

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination
```

iptables -L 

```
Chain INPUT (policy DROP)

target     prot opt source               destination         

LOG        all  --  anywhere             anywhere            state INVALID LOG level warning tcp-options ip-options prefix `DROP INVALID ' 

DROP       all  --  anywhere             anywhere            state INVALID 

ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 

LOG        all  --  anywhere             anywhere            LOG level warning tcp-options ip-options prefix `DROP ' 

ACCEPT     all  --  anywhere             anywhere            

ACCEPT     icmp --  anywhere             anywhere            limit: avg 1/sec burst 5 

Chain FORWARD (policy DROP)

target     prot opt source               destination         

Chain OUTPUT (policy DROP)

target     prot opt source               destination         

LOG        all  --  anywhere             anywhere            state INVALID LOG level warning tcp-options ip-options prefix `DROP INVALID ' 

DROP       all  --  anywhere             anywhere            state INVALID 

ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 

ACCEPT     tcp  --  anywhere             anywhere            multiport dports ftp,ssh,smtp,http,pop3,https,rsync,1024 

ACCEPT     udp  --  anywhere             anywhere            multiport dports domain 

ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 

LOG        all  --  anywhere             anywhere            LOG level warning tcp-options ip-options prefix `DROP ' 

ACCEPT     all  --  anywhere             anywhere            
```

iptables-save 

```
# Generated by iptables-save v1.4.3.2 on Thu Jan 21 11:27:04 2010

*nat

:PREROUTING ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 

COMMIT

# Completed on Thu Jan 21 11:27:04 2010

# Generated by iptables-save v1.4.3.2 on Thu Jan 21 11:27:04 2010

*mangle

:PREROUTING ACCEPT [11:524]

:INPUT ACCEPT [56228:12131903]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [10:520]

:POSTROUTING ACCEPT [57191:7046251]

COMMIT

# Completed on Thu Jan 21 11:27:04 2010

# Generated by iptables-save v1.4.3.2 on Thu Jan 21 11:27:04 2010

*filter

:INPUT DROP [2:56]

:FORWARD DROP [0:0]

:OUTPUT DROP [0:0]

-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options 

-A INPUT -m state --state INVALID -j DROP 

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 

-A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options 

-A INPUT -i lo -j ACCEPT 

-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT 

-A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options 

-A OUTPUT -m state --state INVALID -j DROP 

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 

-A OUTPUT -p tcp -m multiport --dports 21,22,25,80,110,443,873,1024 -j ACCEPT 

-A OUTPUT -p udp -m multiport --dports 53 -j ACCEPT 

-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 

-A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options 

-A OUTPUT -o lo -j ACCEPT 

COMMIT
```

The above does not forward anything to squid, so access to the internet is open.

I've tried with my lines 

```
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT

iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
```

 and this one (as HU suggested) 

```
iptables -t nat -A PREROUTING -i lo -j ACCEPT
```

 but it directs localhost to squid. Maybe it is harder to implement what I want to accomplish with a single interface eth0 in iptables?!

iptables + squid are running on a single box, so I want:

INCOMING - access from the internet is OPEN; I don't need or want to block anything, as I have an external firewall.

OUTBOUND - access to the internet denied (except one or two domains), so I think squid is perfectly suitable for it.

iptables - I only want to use it as a forwarder to the squid proxy, so it doesn't matter what browser the user uses, everything will go via squid except access to localhost (127.0.0.1).
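Hu's point above (the lo exemption has to live in the nat table, ahead of REDIRECT) and the single-box goal just described fit together in the rule set below. This is an added example, not code from the thread; it assumes Squid runs as the user `squid` and listens on 127.0.0.1:3128. It also covers a detail the PREROUTING exemption tried above misses: packets generated by the box itself traverse nat OUTPUT, never nat PREROUTING, so that is where the exemptions must go.

```shell
#!/bin/sh
# Added example (not from the thread): nat-table rules for a single box that
# runs both iptables and Squid, emitted in iptables-restore format.
# Assumptions: Squid runs as uid "squid" (assumed name) on 127.0.0.1:3128, and
# only locally generated plain-HTTP traffic needs to go through it.
# Locally generated packets go through nat OUTPUT (not PREROUTING) and the
# filter table is too late to affect REDIRECT, so every exemption is a RETURN
# in nat OUTPUT placed *before* the REDIRECT rule.
SQUID_USER=squid
SQUID_PORT=3128

squid_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Anything for loopback leaves the chain untouched (chain policy ACCEPT)
-A OUTPUT -o lo -j RETURN
-A OUTPUT -d 127.0.0.0/8 -j RETURN
# 2. Squid's own upstream fetches must not be looped back into Squid
-A OUTPUT -m owner --uid-owner $SQUID_USER -j RETURN
# 3. Only what is left gets pushed into the proxy
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
COMMIT
EOF
}

# Sanity check a practitioner wants before loading: no exemption (RETURN) may
# sit after the REDIRECT, or it is dead. Prints "ok" and returns 0, otherwise
# prints the offending rule and returns 1.
check_order() {
    squid_nat_rules | awk '
        /-j REDIRECT/ { seen_redirect = 1 }
        /-j RETURN/ && seen_redirect { print "exemption after REDIRECT: " $0; bad = 1 }
        END { if (bad) exit 1; print "ok" }'
}

# Load into the live nat table without flushing other tables (run as root).
apply_rules() {
    squid_nat_rules | iptables-restore --noflush
}
```

Run `check_order` first, then `apply_rules` as root; `iptables -t nat -L OUTPUT -v` afterwards should list the three RETURN rules before the REDIRECT.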

----------

## d2_racing

 *Joseph wrote:*   

>  iptables + squid are running on a single box: so I want:
> 
> INCOMING - access from internet is OPEN - I don't need or want to block anything; as I have an external firewall.
> 
> OUTBOUND - access to internet denied (except one or two domains) - so I think squid is perfectly suitable to it.
> ...

 

With my iptables and your Squid, you already have this.

 *Joseph wrote:*   

> 
> 
> iptables - I only want to use it as a forwarder to squid proxy, so doesn't matter what browser user will use, everything will go via squid except access to localhost (127.0.0.1).
> 
> 

 

I don't know how to do that actually.

----------

## d2_racing

Did you try this:

```

iptables -t nat -A OUTPUT -p tcp -m multiport --dports 21,22,25,80,110,443,873,1024 -j REDIRECT --to-port 3128

```

----------

## Joseph_sys

 *d2_racing wrote:*   

> Did you try that :
> 
> ```
> 
> iptables -t nat -A OUTPUT -p tcp -m multiport --dports 21,22,25,80,110,443,873,1024 -j REDIRECT --to-port 3128
> ...

 

Yes, I SOLVED it, THANK YOU for your help; there are two ways of doing it, see my post:

https://forums.gentoo.org/viewtopic-p-6142685.html#6142685

----------

## d2_racing

Yay  :Razz: 

----------

