So, yes, I'm very new to iptables (and Squid). I'm moving a proxy from a Windows-based installation to a CentOS-based one. My configuration is the following:
                               -------------
                              /|Squid proxy|
                             / -------------
--------  ----------------  ----------  -------------------
|Modem |--|Router/Gateway|--| Switch |--| HTTP/FTP server |
--------  ----------------  ----------  -------------------
                              \  ----------
                               \ | User 1 |
                                 ----------
                                     :
                                     :
The Squid proxy has two NICs, eth0 (LAN) and eth1 (WAN/internet). I want to just use Squid in the old-fashioned way, i.e. not as "transparent" proxy, and I'd like it to do reverse proxying also for the FTP and HTTP server - these should be reachable from the internet.
Squid is listening on the default port 3128 and I would like to define the iptables rules correctly so that routing is going to be correct. I guess the easiest way to route all traffic is by iptables. I've looked into this a lot, and found the reply by dgabad: Squid+iptables: how do i allow https to pass-through and bypassing Squid?
In short, it's driving me nuts that I'm much in doubt about what rules I should set, but I added the following rules:
# rule 1: new and existing connections arriving on the LAN NIC to Squid's port
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i intern -p tcp --dport 3128
# rule 2: new and existing connections leaving the WAN NIC towards port 80
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o extern -p tcp --dport 80
# rule 3: reply packets arriving on the WAN NIC from source port 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i extern -p tcp --sport 80
# rule 4: reply packets leaving the LAN NIC with source port 80
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o intern -p tcp --sport 80
(intern=eth0, extern=eth1)
My interpretation is that the first rule forwards everything TCP from eth0 to port 3128, the second one forwards anything outgoing to eth1 at port 80. The third rule opens for incoming port 80 traffic on eth1.
My questions are:
- What exactly is rule 4 for?
- Am I missing something in order to accomplish what I want? I suppose pre-routing isn't necessary with non-transparent proxies. Postrouting?
Any help in accomplishing this is much appreciated.
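The setup described in the question (a dual-NIC CentOS host running Squid as an explicit, non-transparent proxy for LAN clients and as an HTTP reverse proxy for an internal web server) as a complete host-firewall script. This is an added example, not code from the original post; the interface names, Squid port, LAN subnet and origin-server address are assumptions passed in as arguments, and it assumes Squid's accelerator listener sits on WAN port 80. It uses one conntrack rule per chain for the reply direction instead of per-port `--sport` rules, and needs no nat-table rules because clients address the proxy port directly.

```shell
#!/bin/sh
# Added example, not code from the original post: a stateful iptables ruleset
# for a dual-NIC host running Squid as an explicit (non-transparent) proxy and
# as an HTTP reverse proxy for an internal server. Interface names, the Squid
# port, the LAN subnet and the origin server address are assumptions passed as
# arguments. Set IPT=echo to print the rules instead of applying them.
set -eu

IPT="${IPT:-iptables}"

# Host-firewall base plus the explicit-proxy rules.
# $1 = LAN interface, $2 = WAN interface, $3 = Squid port, $4 = LAN subnet
squid_rules() {
    lan="$1"; wan="$2"; port="$3"; lan_net="$4"

    # Default deny. The box is a proxy, not a router: nothing crosses between
    # the two NICs in FORWARD, and no nat (PREROUTING/POSTROUTING) rules are
    # needed because clients address the proxy port directly.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # One conntrack rule per chain covers the reply half of every accepted
    # connection, so no per-port --sport rules are needed. Squid's replies to
    # LAN clients leave with source port $port and match here.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP

    # Explicit proxy: only LAN clients may open connections to Squid.
    $IPT -A INPUT -i "$lan" -s "$lan_net" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Squid's own fetches leave via the WAN NIC: HTTP, HTTPS and FTP control.
    # ftp:// fetches additionally need the nf_conntrack_ftp helper loaded so the
    # passive data connection is classified RELATED.
    for p in 80 443 21; do
        $IPT -A OUTPUT -o "$wan" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # DNS for Squid's resolver.
    $IPT -A OUTPUT -o "$wan" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
}

# Reverse-proxy side, assuming Squid has an accelerator listener on WAN port 80
# (http_port ... accel) and relays to the internal web server on the LAN side.
# $1 = LAN interface, $2 = WAN interface, $3 = origin server IP (assumed)
reverse_proxy_rules() {
    lan="$1"; wan="$2"; origin="$3"
    $IPT -A INPUT  -i "$wan" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$lan" -d "$origin" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: sh squid-fw.sh eth0 eth1 3128 192.168.1.0/24 192.168.1.10
if [ "$#" -eq 5 ]; then
    squid_rules "$1" "$2" "$3" "$4"
    reverse_proxy_rules "$1" "$2" "$5"
fi
```

Rules are matched in order, so the conntrack ESTABLISHED,RELATED lines go first and only NEW connections are whitelisted per port after them. Run it once with `IPT=echo` to review the output, then for real; on CentOS 6 `service iptables save` writes the live ruleset to /etc/sysconfig/iptables so it survives a reboot.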