I have a setup where my incoming internet connection feeds into a squid proxy/caching server, and from there into my local wireless router.
On the wan side of the proxy server, I have eth0 with address 208.78.∗∗∗.∗∗∗
On the lan side of the proxy server, I have eth1 with address 192.168.2.1
Traffic from my lan gets forwarded through the proxy transparently to the internet via the following rules. Note that traffic from the squid server itself is also routed through the proxy/cache, and this is on purpose:
# iptables forwarding
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
# iptables for squid transparent proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
How can I set up iptables to block any connections made to my server from the outside, while not blocking anything initiated from the inside? I have tried doing:
iptables -A INPUT -i eth0 -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -j REJECT
But this blocks everything. I have also tried reversing the order of those commands in case I got that part wrong, but that didn’t help. I guess I don’t fully understand everything about iptables.
Any ideas?
Answer
How can I set up iptables to block any connections made to my server from the outside,
while not blocking anything initiated from the inside?
Put these, in this order, in the INPUT chain:
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -j REJECT
If you want to debug it, see your conntrack.
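To see why the ordering matters, here is an added illustration that is not part of the question or the answer: a small first-match simulator for one iptables chain, written as a POSIX shell script. It encodes the two-rule attempt from the question and the four-rule answer, then walks constructed packets through each ruleset the way the kernel walks a chain, top to bottom, stopping at the first match and falling through to the chain policy (ACCEPT, the iptables default) otherwise. Matching is deliberately simplified: the source address is compared as a /24 network string, the conntrack state is taken as given, and 203.0.113.0/24 is a constructed stand-in for "some host on the internet". The point it makes visible is that a reply from a web server to an outbound connection arrives on eth0 with a public source address and state ESTABLISHED; the question's rules have no state match, so that reply hits the unconditional REJECT, which is what "blocks everything" looks like, while the answer's second rule accepts it.

```shell
#!/bin/sh
# Added example (not from the original question or answer): a first-match
# simulator for a single iptables chain.
# Rule format, one per line: "<in-iface> <src-net|any> <states|any> <target>"
# where <states> is a comma-separated conntrack state list, as in --state.

# The two rules the question tried (reported to block everything).
ASKED_RULES='
eth0 192.168.2.0/24 any ACCEPT
eth0 any any REJECT'

# The four rules from the answer, in the order given.
ANSWER_RULES='
eth1 any any ACCEPT
eth0 any ESTABLISHED,RELATED ACCEPT
eth0 any INVALID DROP
eth0 any any REJECT'

# field_matches <rule-value> <packet-value>: "any" in a rule matches everything.
field_matches() { [ "$1" = any ] || [ "$1" = "$2" ]; }

# state_matches <rule-state-list> <packet-state>: true when the packet's
# conntrack state appears in the rule's comma-separated list, or the rule is "any".
state_matches() {
  [ "$1" = any ] && return 0
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# walk_chain <ruleset> <in-iface> <src-net> <conntrack-state>
# Prints the target of the first rule whose interface, source and state all
# match; prints ACCEPT (the default chain policy) when no rule matches.
walk_chain() {
  ruleset=$1; iface=$2; src=$3; state=$4
  while read -r r_if r_src r_state r_target; do
    [ -z "$r_if" ] && continue            # skip the blank leading line
    if field_matches "$r_if" "$iface" && field_matches "$r_src" "$src" \
       && state_matches "$r_state" "$state"; then
      echo "$r_target"
      return 0
    fi
  done <<EOF
$ruleset
EOF
  echo ACCEPT                             # fell off the end: chain policy
}

# Constructed packets: a reply to an outbound web fetch, an unsolicited
# connection attempt from the internet, and a LAN client talking to the proxy.
for pkt in "eth0 203.0.113.0/24 ESTABLISHED" \
           "eth0 203.0.113.0/24 NEW" \
           "eth1 192.168.2.0/24 NEW"; do
  set -- $pkt
  printf '%-32s asked=%-7s answer=%s\n' "$pkt" \
    "$(walk_chain "$ASKED_RULES" "$@")" "$(walk_chain "$ANSWER_RULES" "$@")"
done
```

On the real box the equivalent check is `iptables -S INPUT` to confirm the rule order, and `conntrack -L` (from the conntrack-tools package) to see which flows the kernel currently considers ESTABLISHED, which is the "see your conntrack" step from the answer.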
Attribution
Source: Link, Question Author: Matthew, Answer Author: Ta Coen