-1

What is wrong with my rules? I have installed Squid on my server and I want only some specific domains to be reachable through Squid, but iptables completely blocked me.

I have found this: iptables rules to allow HTTP traffic to one domain only, and I tried to apply and adjust it to my rules, but I was not successful.

Here are my rules:

iptables -F
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5801  -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901  -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 6001  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 777 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 321 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 953 -j ACCEPT
iptables -A OUTPUT -p tcp -d domain1.com --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp -d domain2.com --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp -d sub1.domain2.com --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp -d sub2.domain2.com --dport 3128 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables-save > /etc/sysconfig/iptables
service iptables restart

2 Answers

5

iptables doesn't work like that. It's a layer-3 subsystem (and to some extent layer-2) and doesn't know about things like domain names in any meaningful way. You can block access to an IP address, and if it so happens that the hostnames domain[12].com and sub[12].domain2.com resolve to IP addresses which themselves host no services for other domains, you can block them by IP address.

If you want to block access by squid to certain URLs, you need to do that inside the squid configuration. I'm no squid expert, but it looks as if you might do that with something like:

acl          aclname   dstdomain   "/etc/squid/allow/safe-sites"  # file must exist
http_access  allow     aclname
http_access  deny      all

with /etc/squid/allow/safe-sites containing e.g.

domain1.com
domain2.com
sub1.domain2.com
sub2.domain2.com

(thanks to this blog for some crib notes).

MadHatter
  • 81,580
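As an added illustration (not part of either answer or of Squid itself), the following Python models how Squid's dstdomain ACL evaluates the safe-sites list above: an entry without a leading dot matches only that exact host, while an entry such as .domain2.com also covers its subdomains, so a host the list does not name (the constructed sub3.domain2.com) is denied under the exact-name list and allowed only by the dotted form.

```python
# Added example: models Squid dstdomain matching against the allowlist
# from the answer above. Host names are constructed placeholders.

SAFE_SITES = """
domain1.com
domain2.com
sub1.domain2.com
sub2.domain2.com
"""


def parse_safe_sites(text):
    """Return the non-empty, non-comment entries of a dstdomain file, lowercased."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def dstdomain_matches(entry, host):
    """One dstdomain entry against one request host (Squid semantics)."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        # '.domain2.com' matches domain2.com itself and every subdomain of it
        return host == entry[1:] or host.endswith(entry)
    return host == entry  # no leading dot: exact match only


def http_access_decision(entries, host):
    """Mirror 'http_access allow aclname' followed by 'http_access deny all'."""
    return "allow" if any(dstdomain_matches(e, host) for e in entries) else "deny"


def evaluate(text, hosts):
    entries = parse_safe_sites(text)
    return {h: http_access_decision(entries, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["domain1.com", "sub1.domain2.com", "sub3.domain2.com", "evil.com"]
    print("exact-name list:", evaluate(SAFE_SITES, hosts))
    # A single dotted entry covers domain2.com and all of its subdomains:
    print("dotted list:    ", evaluate("domain1.com\n.domain2.com\n", hosts))
```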
1

As mentioned by @MadHatter, iptables rules are not used like that, and for Squid you have to allow some IPs to access some specific sites. Please follow these steps to do that:

Add these lines to your squid.conf file.

acl allow_ip src "/etc/squid/allow_ip"                    # file of client source IPs
acl allow_ip_site url_regex "/etc/squid/block_ip_allow"   # file of URL patterns
http_access allow allow_ip allow_ip_site

Or, for reference:

https://stackoverflow.com/questions/10599122/restrict-squid-access-to-only-one-site

For a few websites you can define the URL and IP in squid.conf directly, but the approach MadHatter described is best.

TBI Infotech
  • 1,594