
Thread: IPTABLES firewalling (and transparent proxy)

  1. #1

    IPTABLES firewalling (and transparent proxy)

    Hi guys, I'm working on a firewall with a transparent proxy (tinyproxy) and a content filter (DansGuardian).

    That's my network scheme:
    Subnet <---> [Firewall] <--(point2point)--> CISCO Router (locked by ISP)

    Now I have to write down some iptables rules to make everything work. Unfortunately I have to be sure that my code is error-free, as I'm on a server of a public association and I cannot stop any service for more than a bunch of seconds.

    So here's the code:
    # This is the content of a sh executable loaded on boot
    # $IF_LAN, $IF_EXT and $PROXY_PORT are set earlier in the script (not shown);
    # $LAN_NET stands in for the LAN subnet, whose address is missing from the post
    iptables -F
    iptables -t nat -F
    iptables -X
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    # Allow LAN traffic to be accepted
    iptables -A INPUT -s $LAN_NET -i $IF_LAN -j ACCEPT
    # Allow traffic destined to 80, 443, 53 to be forwarded
    iptables -A FORWARD -s $LAN_NET -i $IF_LAN -o $IF_EXT \
      -p tcp -m multiport --dports 80,443 --sport 1024:65535 -j ACCEPT
    iptables -A FORWARD -p udp -i $IF_LAN -o $IF_EXT --dport 53 --sport 1024:65535 -j ACCEPT
    iptables -A FORWARD -p udp -i $IF_EXT -o $IF_LAN --sport 53 --dport 1024:65535 -j ACCEPT
    # Allow responses to the firewall to come back
    iptables -A INPUT -i $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # I wonder if MASQ is needed and I don't know why this line is here
    iptables -t nat -A POSTROUTING -o $IF_LAN -j MASQUERADE
    # Allow answers to the LAN
    iptables -A OUTPUT -d $LAN_NET -o $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow connections to the world from the firewall itself
    iptables -A OUTPUT -o $IF_EXT -j ACCEPT
    # Open SSH port for administration
    iptables -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i $IF_EXT -p tcp --dport 22 -j ACCEPT
    # Allow tinyproxy to talk to the web, as it runs as nobody
    iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT
    # Redirect everything outgoing to port 80 to the content filter / transparent proxy
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
    I have some questions about what I found around the web (I'm too much of a noob at iptables):
    What does masquerading mean this way? (Does output on the LAN need masq???)
    Using a proxy in this transparent way for port 80 traffic, will it avoid the need to masquerade all kinds of traffic, or do I need to masquerade the subnet in POSTROUTING?

    So anybody who wants to help, please correct this piece of bad code.
    Thank you all!

  2. #2
    A couple of suggestions:
    1. Masquerading is required to activate NAT for all the FORWARD rules.
    2. The firewall will automatically use the IP address of its external interface for OUTPUT.
    3. IP addresses assigned to your devices need to be unique and on separate networks for each LAN segment. You have assigned twice. The point-to-point segment and the LAN are also assigned addresses from the same network block. You will need to change the subnet and IP address assignments of one segment.
    4. It is also good to have two statements at the end of the FORWARD, INPUT and OUTPUT chains, one with a LOG (first) and the other with DROP (last). That way you can log all dropped packets in syslog.
    Can you set up a lab to test beforehand? There will be a lot of things to test, and this thread may not be able to provide answers in time.
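    A complete ruleset along the lines of the suggestions above, written here as an added example (it is not code from the thread or from the tinyproxy/DansGuardian projects). It has a dry-run mode that prints the rules instead of loading them, which is what you want on a box you cannot afford to lock yourself out of. The interface names eth1 (LAN) and eth0 (towards the Cisco router), the 192.168.10.0/24 subnet, port 8080 for the filter and the user nobody for the proxy are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not the poster's script): LAN firewall with a transparent
# HTTP proxy, plus a dry-run mode that prints the rules instead of loading them.
# Assumptions: eth1 faces the LAN, eth0 faces the router, the LAN is
# 192.168.10.0/24, the content filter listens on 8080 and the proxy runs as nobody.
IF_LAN="${IF_LAN:-eth1}"
IF_EXT="${IF_EXT:-eth0}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
PROXY_PORT="${PROXY_PORT:-8080}"
PROXY_USER="${PROXY_USER:-nobody}"
DRY_RUN="${DRY_RUN:-1}"      # default is to print; run with DRY_RUN=0 to load

# ipt: print the command in dry-run mode, otherwise run it and abort on failure
# (a half-loaded ruleset behind a DROP policy is worse than no ruleset).
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@" || { echo "failed: iptables $*" >&2; exit 1; }
    fi
}

load_rules() {
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Return traffic for connections already tracked, in every chain. This is
    # what lets the replies to forwarded 443/53 traffic come back in.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # LAN hosts may reach the firewall itself: SSH and the (redirected) proxy port.
    ipt -A INPUT -i "$IF_LAN" -s "$LAN_NET" -p tcp -m multiport --dports 22,"$PROXY_PORT" -j ACCEPT

    # Transparent proxy: port-80 traffic arriving from the LAN is redirected to
    # the filter in PREROUTING. The nat OUTPUT chain only sees packets the
    # firewall itself generates, so a REDIRECT there never touches LAN clients.
    ipt -t nat -A PREROUTING -i "$IF_LAN" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"

    # Forwarded traffic: HTTPS and DNS only (HTTP is now terminated locally).
    ipt -A FORWARD -i "$IF_LAN" -o "$IF_EXT" -s "$LAN_NET" -p tcp --dport 443 -j ACCEPT
    ipt -A FORWARD -i "$IF_LAN" -o "$IF_EXT" -s "$LAN_NET" -p udp --dport 53  -j ACCEPT

    # NAT belongs on the external interface: rewrite LAN sources leaving via eth0.
    ipt -t nat -A POSTROUTING -o "$IF_EXT" -s "$LAN_NET" -j MASQUERADE

    # The firewall's own traffic: the proxy (running as $PROXY_USER) fetches
    # pages, and the box needs DNS. -m owner only matches in the OUTPUT chain.
    ipt -A OUTPUT -o "$IF_EXT" -p tcp -m multiport --dports 80,443 -m owner --uid-owner "$PROXY_USER" -j ACCEPT
    ipt -A OUTPUT -o "$IF_EXT" -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$IF_LAN" -j ACCEPT

    # Log, then drop, whatever fell through each chain (rate-limited so a
    # port scan cannot fill syslog).
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "fw-$chain-drop: "
        ipt -A "$chain" -j DROP
    done
}

load_rules
```

    Run it as `DRY_RUN=1 sh fw.sh` to get the exact commands for review (or to replay inside a network namespace with `ip netns exec`), and `DRY_RUN=0 sh fw.sh` to load them. Two points answer the questions in the first post: the MASQUERADE goes on the external interface, since it rewrites the LAN sources of forwarded packets, and the REDIRECT for LAN clients goes in nat PREROUTING; the nat OUTPUT rules in the post only affect connections the firewall itself opens, so LAN browsers would never have reached the filter.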

  3. #3
    There was a typo in my configuration; the internal interface of the firewall was and not, so at least the address is unique.

    Anyway, I can't set up any kind of lab to test those things. Does anybody know of software to simulate this? Perhaps a network simulator or something that allows simulating network structures and iptables?

  4. #4
    How will the subnet talk to the interface?

    You may want to change the firewall interface to 10.1 or change the subnet or something.....

    If you change the subnet things should talk.

    /math follows yields
    => 1100 0000 1010 1000 0000 1010 0000 0000 IP Address
    => 1111 1111 1111 1111 1111 1111 0000 0000 IP Net Mask or /24
    => 1100 0000 1010 1000 0000 0001 0000 0001 IP Address

    As you can see from the math, they are not on the same IP subnet and so can't talk to each other. Of course I am assuming a normal netmask from the CIDR notation.
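    The same subnet check carried out in POSIX shell, as an added example that is not part of the thread: the helpers convert a dotted-quad address to a 32-bit integer, apply the /prefix mask and compare the network parts, and int2bin prints the binary form the post writes out by hand. The two addresses used are the ones whose binary form appears above; the function names are my own.

```shell
#!/bin/sh
# Added example: the "are these two hosts on the same subnet?" math from the
# post, done with POSIX shell arithmetic. Function names are my own.

# ip2int 192.168.10.0 -> 3232238080 (32-bit value of a dotted quad)
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 3232238080 -> 192.168.10.0
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# int2bin N -> 32 binary digits, most significant bit first (as in the post)
int2bin() {
    _n=$1; _s=""; _i=0
    while [ "$_i" -lt 32 ]; do
        _s="$(( $_n & 1 ))$_s"
        _n=$(( $_n >> 1 ))
        _i=$(( $_i + 1 ))
    done
    echo "$_s"
}

# prefix2mask 24 -> 4294967040 (0xFFFFFF00); masked to 32 bits because the
# shell does the shift in a wider integer
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# network_of ADDR PREFIX -> network address, e.g. network_of 192.168.1.1 24 -> 192.168.1.0
network_of() {
    _m=$(prefix2mask "$2")
    int2ip $(( $(ip2int "$1") & $_m ))
}

# same_subnet A B PREFIX -> exit status 0 when A and B share the /PREFIX network
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# Worked instance: the two addresses from the post's binary lines.
for a in 192.168.10.0 192.168.1.1; do
    echo "$(int2bin "$(ip2int "$a")")  $a"
done
echo "$(int2bin "$(prefix2mask 24)")  netmask /24"
if same_subnet 192.168.10.0 192.168.1.1 24; then
    echo "same /24 subnet: yes"
else
    echo "same /24 subnet: no"
fi
```

    The check is the one to run before changing either address: if same_subnet says no for the LAN hosts and the firewall's LAN interface, the packets never leave the hosts' ARP domain and no iptables rule will help.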
