https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064864#M83103 Ah. In that case, you want to take a different approach. Ignore the previous stuff entirely, and do this:<BR /><BR />iptables -N MailAccess<BR />iptables -A MailAccess -j ACCEPT -p tcp --dport 25<BR />iptables -A MailAccess -j ACCEPT -p tcp --dport 110<BR />iptables -A MailAccess -j REJECT<BR />iptables -A FORWARD -j MailAccess -s 10.10.10.125<BR />iptables -A FORWARD -j MailAccess -s 10.10.10.137<BR /><BR />This will give them only access to those two ports, and whatever access squid gives them. Tue, 04 Sep 2007 07:38:29 GMT Stuart Browne 2007-09-04T07:38:29Z https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064861#M83100 Dear Gurus<BR /><BR />About Internet Gateway Server: <BR />Gateway IP: 10.0.0.110 (ip of the interface connected to the lan)<BR />Gateway Software: Squid 2.6, and iptables.<BR /><BR />how to block all trafic to the internet other then POP n SMTP for some clients ?.<BR />Infect I have a LinuxRouter+Squid, and for some users 10.0.0.137, and 10.0.0.125 I just want to allow them access their emails using outlook, and nothing else.<BR />I have denied http traffic using squid. But I wana know how can I also block non smtp/pop traffic using iptables <BR /><BR />iptables script I am using at this gateway server is attached.<BR /><BR />NOTE: the smtp, and pop server is on the internet Tue, 04 Sep 2007 04:09:38 GMT https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064861#M83100 Maaz 2007-09-04T04:09:38Z https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064862#M83101 Change the filter table's FORWARD policy to DROP (this will block *EVERYTHING* except Squid from other computers), then explicity allow those two computers access through the forward table to the appropriate ports, i.e.<BR /><BR />iptables -P FORWARD DROP<BR />iptables -N MailAccess<BR />iptables -A MailAccess -j ALLOW -p tcp --dport 110<BR />iptables -A MailAccess -j ALLOW -p tcp --dport 25<BR />iptables -A FORWARD -j MailAccess -s 10.10.10.125<BR />iptables -A FORWARD -j MailAccess -s 10.10.10.137<BR /> Tue, 04 Sep 2007 05:12:25 GMT https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064862#M83101 Stuart Browne 2007-09-04T05:12:25Z https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064863#M83102 Thanks Stuart, for prompt help.<BR /><BR />other then 125, and 137, all the 10.0.0.0/24 are allowed to access everything, i.e unlimited access to the internet for clients, other 10.0.0.125, and 10.0.0.137.<BR /><BR />regards Tue, 04 Sep 2007 06:46:50 GMT https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064863#M83102 Maaz 2007-09-04T06:46:50Z https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064864#M83103 Ah. In that case, you want to take a different approach. Ignore the previous stuff entirely, and do this:<BR /><BR />iptables -N MailAccess<BR />iptables -A MailAccess -j ACCEPT -p tcp --dport 25<BR />iptables -A MailAccess -j ACCEPT -p tcp --dport 110<BR />iptables -A MailAccess -j REJECT<BR />iptables -A FORWARD -j MailAccess -s 10.10.10.125<BR />iptables -A FORWARD -j MailAccess -s 10.10.10.137<BR /><BR />This will give them only access to those two ports, and whatever access squid gives them. Tue, 04 Sep 2007 07:38:29 GMT https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064864#M83103 Stuart Browne 2007-09-04T07:38:29Z https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064865#M83104 Shalom,<BR /><BR />I'd suggest an iptables configuration.<BR /><BR />A quick alternative to iptables code is firestarter.<BR /><BR /><A href="http://fs-security.com" target="_blank">http://fs-security.com</A><BR /><BR />It has a gui and is easily configurable.<BR /><BR />The product is open source, lacks a web interface and may be orphaned. The community is working on taking over the product.<BR /><BR />Go for strict inbound and outbound policy and then open up port 25 and port 110. Note this configuration will block http/https traffic.<BR /><BR />SEP Tue, 04 Sep 2007 08:09:31 GMT https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064865#M83104 Steven E. Protter 2007-09-04T08:09:31Z https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064866#M83105 Once again Thanks Stuart and SEP for help/support.<BR /><BR />Stuart I didnt tried the code(iptables), but as soon as I get the downtime, I'll try the code.. and obviously point will also be assign later ;) .<BR /><BR />Regards<BR />Maaz<BR /> Wed, 05 Sep 2007 07:11:38 GMT https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064866#M83105 Maaz 2007-09-05T07:11:38Z https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064867#M83106 Just wanted you to know,<BR /><BR />You can't play with Stuart's option and mine at the same time.<BR /><BR />firestarter uses iptables code. If you shut iptables, firestarter configuration goes down.<BR /><BR />SEP Wed, 05 Sep 2007 11:59:34 GMT https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064867#M83106 Steven E. Protter 2007-09-05T11:59:34Z https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064868#M83107 Thanks SEP.<BR /><BR />Stuart I have attached the modified script(that has your code), but from 10.0.0.125, and 10.0.0.137 I can still use Yahoo, and MSN messengers(and other apps that connects to internet).<BR /><BR />I hope i have cleared my question, i,e I just want 10.0.0.125, and 10.0.0.137 to access emails from Email-Servers(pop/smtp) on the internet.<BR />But all other machines(10.0.0.0/24) must have full access to the internet<BR /><BR />I have configured transparent proxy, and every client including 10.0.0.125, and 137, has the following TCP/IP configs<BR />IP: 10.0.0.x<BR />NETMASK: 255.255.255.0<BR />GATEWAY: 10.0.0.110<BR />DNS SERVER: 10.0.0.110<BR /><BR />Squid is listning on port 3128, and all the traffic directed to port 80 from clients are redirected to 3128 via iptables.<BR /><BR />No client has proxy server settings, i.e no TCP/IP(proxy server)configs are provided to the applications(web-browser, msn, and yahoo messengers etc)<BR /><BR />Regards Thu, 06 Sep 2007 04:53:06 GMT https://community.hpe.com/t5/operating-system-linux/how-to-block-all-trafic-other-then-pop-n-smtp/m-p/4064868#M83107 Maaz 2007-09-06T04:53:06Z