# Squid and iptables interaction

## sirlark

Hi all,

I'm running a linux server in a small office that offers a few simple services, namely a web-based intranet database app, samba-based network folders for basic backup/collaboration, and it acts as the office gateway machine. I have been using iptables and NAT, but recently someone, either in the office or otherwise with access to the office, has been downloading extreme amounts of data. Unfortunately uncapped ADSL services in my country are only just becoming available and are still extremely expensive, so obviously we want to prevent this from happening at all, and find out who was downloading so much in the first place.

I installed squid as a normal (not transparent) proxy server, to a) cache and hopefully minimize usage, and b) log usage. Squid works perfectly. But the iptables NAT was still running, meaning anyone could disable their proxy settings and still do whatever the hell they wanted. When I disabled it, email stopped working (obviously). Various attempts at using NAT selectively for ports resulted in many hours of frustration and not much else.

What I'm trying to do is this

 - have squid proxy and cache whatever it can (http/ftp/https/sftp)

 - use iptables to allow smtp/pop3/imap and secure versions to pass through the firewall if initiated internally (and presumably DNS)

 - leave all ports open locally (i.e. allow samba connections, mysql, etc connection to the gateway machine from the local subnet only)

Any help appreciated,

Thanks

----------

## DawgG

I think when you log everything you should tell people about that first (here, that's the law). You have to make proxy usage the only way of accessing the web; just masquerading and allowing anything is kind of careless.

*Quote:*

> have squid proxy and cache whatever it can (http/ftp/https/sftp)

Just give squid as much disk and memory as the server can spare. If there should really be a need for it, there are some (non-standard-compliant) hacks that keep objects in the cache longer than they were supposed to be. The s-protocols (e.g. https) cannot be cached, since there is an encrypted connection established between the client browser and the origin server using HTTP CONNECT.

You might want to limit these ports (e.g. 443) and/or protocols, because some apps can use the proxy for (unintended) web access with HTTP CONNECT (that's how I use my IM client at work; it even supports proxy auth :wink: skype can also be used this way).

(This is configured with the Safe_Ports acl in squid.conf.)

With squid you can log and regulate almost everything. I suggest as a first step you limit the IPs of the computers allowed http_access and the times that can be done (so no one downloads things overnight); then you could use proxy auth and later even limit traffic/bandwidth with it.

*Quote:*

> use iptables to allow smtp/pop3/imap and secure versions to pass through the firewall if initiated internally (and presumably DNS)

With iptables, only allow the protocols you really need; drop/reject/log anything else. Only allow traffic from the inside with tightly controlled groups (e.g. not the whole internal subnet, but set up group(s) for the allowed IPs). You could run a small DNS proxy like dnsmasq to cache DNS queries locally.

Only allow web access through squid.

*Quote:*

> leave all ports open locally (i.e. allow samba connections, mysql, etc connection to the gateway machine from the local subnet only)

iptables will do that for you; you could use the input- or output-interface rules. Don't forget to let the default/last rule drop everything.

GOOD LUCK!
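As an added example (not posted by anyone in this thread), a squid.conf fragment that does what the post above recommends: a Safe_ports list so CONNECT only reaches 443, http_access restricted to the office subnet and to working hours, and a deny-all at the end. The subnet 192.168.1.0/24, the 08:00-18:00 Monday-to-Friday window and the listening port 3128 are assumptions for the example; the `access_log` line uses the squid 2.6-and-later directive name.

```squid
# Added example, not from the thread. Assumes squid on port 3128 and the office LAN on 192.168.1.0/24.
http_port 3128

# Ports the proxy may connect to; CONNECT (https) is only allowed towards 443.
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl CONNECT method CONNECT

# Office workstations, and the hours during which they may browse.
# Day letters: S M T W H F A (H = Thursday, A = Saturday).
acl localnet src 192.168.1.0/24
acl worktime time MTWHF 08:00-18:00

# Order matters: squid stops at the first http_access line that matches.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet worktime
http_access deny all

# Every request is logged with the client IP, which is what the usage investigation needs.
access_log /var/log/squid/access.log squid
```

Tightening further later (proxy auth, per-user bandwidth via delay pools) only adds lines before `http_access deny all`; the deny-all line should stay last.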

----------

## Hu

Sirlark, are you asking if your goal is possible or are you asking for help achieving it?  If the latter, which parts are incomplete?  What you ask sounds like it should be achievable.  DawgG has given good remarks on the general design.  If this is insufficient, please clarify about what is broken, and show us the non-working configuration.

Loosely speaking, you will want to have the INPUT and OUTPUT chains permit all traffic.  Use the FORWARD chain to permit traffic on the non-proxy ports, and drop all other TCP/UDP traffic.
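As an added example (not posted by Hu, DawgG or sirlark), a firewall script that puts the two posts' advice together: FORWARD defaults to DROP, only mail and DNS are forwarded and masqueraded, nothing for ports 80/443 is forwarded at all (browsers must use squid), dropped packets are logged so the heavy downloader shows up, and INPUT uses the input-interface rule DawgG mentions so samba/mysql on the gateway are reachable from the LAN only. The interface names (eth0 uplink, eth1 LAN), the subnet 192.168.1.0/24, the two workstations allowed to talk to mail servers directly, and the `IPT` dry-run variable are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth0 = uplink, eth1 = office LAN 192.168.1.0/24,
# squid runs on the gateway and browsers are configured to use it explicitly (no REDIRECT needed).
# IPT defaults to the real iptables; set IPT="echo iptables" to print the rules instead of applying them.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
MAIL_CLIENTS="192.168.1.10 192.168.1.11"   # constructed: the only hosts allowed to reach mail servers directly
MAIL_PORTS="25 110 143 465 993 995"        # smtp pop3 imap smtps imaps pop3s
IPT=${IPT:-iptables}

apply_rules() {
    # Start from a clean slate.
    $IPT -F
    $IPT -t nat -F

    # The gateway itself may talk out freely; what comes in and what is forwarded is controlled below.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # INPUT: local services (samba, mysql, squid, ...) reachable from the LAN and loopback only;
    # from the uplink, only replies to connections the gateway opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
    $IPT -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

    # FORWARD: replies to connections opened from the office.
    $IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Mail may leave the office directly, but only from the listed workstations (a group, not the whole subnet).
    for host in $MAIL_CLIENTS; do
        for port in $MAIL_PORTS; do
            $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $host -p tcp --dport $port -j ACCEPT
        done
    done

    # DNS for the whole LAN (or point clients at a local dnsmasq and drop these two lines).
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT

    # Everything else that would be forwarded (including direct port 80/443 attempts) is logged, then
    # hits the DROP policy. The limit keeps a runaway download from flooding the log.
    $IPT -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FORWARD-DROP: "

    # NAT only applies to what FORWARD has already accepted, so nothing bypasses the rules above.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
}

# Print the rule set without touching the kernel (useful for review before applying as root).
dry_run_rules() {
    IPT="echo iptables" apply_rules
}

# Usage: sh gateway-fw.sh           -> print the rules
#        sh gateway-fw.sh --apply   -> install them (needs root)
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    dry_run_rules
fi
```

The design choice worth noting is that the web ports are simply absent from FORWARD: there is no rule to get wrong or to switch off on the client side, so a workstation that unsets its proxy settings loses web access instead of bypassing the logs.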

----------

## sirlark

Hu,

I'm sure it's possible :Smile: I've got half way there and agree with (and to a great extent presupposed) DawgG's advice. What I want is a working configuration...

I'll only get back to the office on Friday, at which point I'll post what I've got, and what didn't work...

Thanks both of you

----------

## chantha_21

Hi

I used this command: `iptables -t nat -I PREROUTING -i eth0 ! -s Squid-IP -p tcp --dport 80 -j REDIRECT --to-port 80`. I didn't understand why, when I use this command, the download rate is around 20K, but when I don't use it the download rate is around 80K.

Can anyone help me with this problem?

Thanks for your valued time.

Chantha

----------

