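#!/bin/sh
#
# Squid iptables firewall
#
# Packet filter for a dual-homed Squid proxy server.  ssh (TCP port 22),
# squid (TCP port 3128) and ICMP ECHO requests are allowed on the internal
# (LAN) interface.  Squid is configured to proxy http, https and AOL
# Instant Messenger traffic, so those ports are allowed out on the
# Internet interface.  The server also runs a name server and a time
# server and therefore requires outgoing UDP port 123 (ntp) and TCP/UDP
# port 53 (dns).
#
# Must be run as root.  The resulting rule set is saved with
# "service iptables save" so that it is restored when iptables starts.
#
# Last modified: 03/10/2004

# Stop at the first failing command or unset variable: a half-applied rule
# set should be noticed, not silently saved.  Default policies are set to
# DROP before anything else so that an abort leaves the host closed.
set -eu

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"

# Write one value to a /proc/sys tunable.
# Arguments: $1 - tunable path, $2 - value
set_sysctl() {
  printf '%s\n' "$2" > "$1"
}

# Accept NEW connections to a service on this host arriving on the LAN
# interface.  Replies are covered by the ESTABLISHED,RELATED rule.
# Arguments: $1 - protocol (tcp|udp), $2 - destination port
allow_in_lan() {
  "$IPTABLES" -A INPUT -i "$LAN" -p "$1" --destination-port "$2" \
    -m state --state NEW -j ACCEPT
}

# Accept NEW connections from this host to a remote port via the Internet
# interface.  Replies are covered by the ESTABLISHED,RELATED rule.
# Arguments: $1 - protocol (tcp|udp), $2 - destination port
allow_out_inet() {
  "$IPTABLES" -A OUTPUT -o "$INTERNET" -p "$1" --destination-port "$2" \
    -m state --state NEW -j ACCEPT
}

# Kernel monitoring support
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html
#
# NOTE(review): only the conf/all/* entries are written here; for several of
# these tunables the kernel combines conf/all with the per-interface value
# (conf/<if>/*), so check ip-sysctl.txt if a setting does not take effect.
harden_kernel() {
  # Drop ICMP echo-request messages sent to broadcast or multicast addresses
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  # Drop source routed packets
  set_sysctl /proc/sys/net/ipv4/conf/all/accept_source_route 0
  # Enable TCP SYN cookie protection from SYN floods
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  # Don't accept ICMP redirect messages
  set_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0
  # Don't send ICMP redirect messages
  set_sysctl /proc/sys/net/ipv4/conf/all/send_redirects 0
  # Enable source address spoofing protection
  set_sysctl /proc/sys/net/ipv4/conf/all/rp_filter 1
  # Log packets with impossible source addresses
  set_sysctl /proc/sys/net/ipv4/conf/all/log_martians 1
}

# Install the filter table rule set.
apply_rules() {
  # Default deny first.  Setting the policies before flushing avoids the
  # window in which the chains are empty but still accept everything, and
  # means any failure below leaves the host closed rather than open.
  "$IPTABLES" --policy INPUT DROP
  "$IPTABLES" --policy OUTPUT DROP
  "$IPTABLES" --policy FORWARD DROP

  # Flush all chains; also remove any stale user-defined chains so they
  # do not end up in the saved rule set.
  "$IPTABLES" --flush
  "$IPTABLES" --delete-chain

  # Allow unlimited traffic on the loopback interface
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

  # Previously initiated and accepted exchanges bypass rule checking
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Services reachable from the LAN interface
  # NOTE(review): the header says this host runs a name server and a time
  # server, but nothing below accepts port 53/123 on $LAN; if LAN clients are
  # meant to use them, matching allow_in_lan rules are needed -- confirm.
  allow_in_lan tcp 22     # ssh
  allow_in_lan tcp 3128   # squid
  "$IPTABLES" -A INPUT -i "$LAN" -p icmp --icmp-type echo-request -j ACCEPT

  # Outbound traffic on the Internet interface.  These rules admit any
  # local process, not only Squid; the owner match (-m owner --uid-owner)
  # could narrow the proxied ports to the Squid user if that is wanted.
  # Allow DNS resolution
  allow_out_inet udp 53
  allow_out_inet tcp 53
  # Allow ntp synchronization
  allow_out_inet udp 123
  # Allow Squid to proxy http, https, and AIM traffic
  allow_out_inet tcp 80
  allow_out_inet tcp 443
  allow_out_inet tcp 5190
}

main() {
  harden_kernel
  apply_rules
  # Have these rules take effect when iptables is started
  /sbin/service iptables save
}

main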