As I see it, you have one box that is being used as a gateway which you want to ssh into; that box is connected directly to another running squid. The Squid box is the only box connected directly to the internet. Is that correct? Using this assumption:
(BTW, it's late, I just got back from the airport, and I'm getting drunk)
No way am I going into setting up ssh and squid here ... or why you are doing it this way.

I slapped together something that may be what you are looking for, but it is intended only as a starting point!

1) This is the start of the firewall for the ssh/gateway box, NOT a complete firewall.

2) It does not take into consideration https, ICMP requests/replies, FTP requests, etc.

3) You MUST also have a properly configured firewall protecting the squid box.

4) This is a script file to be run after iptables has started. There is no need to restart iptables after running this script (you had "/etc/init.d/iptables restart" in your original). Why?

5) I guess you already know, but just in case: the file must be executable and have the proper permissions.


This is hard enough, but I get the feeling that English is a second language for you.
Go through the following carefully and know what it is doing before you try to use it. If not, go back to the iptables (Netfilter) site and read through the documentation available.
There are also a few unrelated things thrown in here that may be worth investigating.

Good Luck, hope it puts you on the right track. And if I made a mistake, anybody, please correct me.

#!/bin/sh
#
echo Configuring IpTables firewall
#
# LOCALHOSTIP="127.0.0.1/32"
# INTERNET Interface="eth0"
# LAN Interface="eth1"
# the rules below call iptables by name, so make sure /sbin is on PATH
PATH="/sbin:/usr/sbin:$PATH"
/sbin/depmod -a
# - below you would load any helpers needed that were built as modules and not into the kernel
# examples (these are the old ipt_* names; newer kernels call them xt_* and load them automatically):
/sbin/modprobe ipt_LOG
echo ipt_LOG
/sbin/modprobe iptable_filter
echo iptable_filter
/sbin/modprobe ipt_state
echo ipt_state
# ------ [ Flush and set default policies ] ------------------ #
# -F with no chain name flushes every chain in the table, -X deletes the user-defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# ------Set default policies for packets going through this firewall box-------- #
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# loopback must be allowed on both sides, or local services (resolver etc.) break under DROP policies
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# send http requests from the LAN that arrive at your gateway box on to your squid box at port 3128
# - matched on -i eth1 so that port-80 packets arriving on the Internet side are never redirected
# - change --dport 80 to --dport 3128 if you want to configure each client machine to use the proxy
#   and not do it transparently
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to XXX.XXX.XXX.XXX:3128
# - oh, change XXX.XXX.XXX.XXX to the IP of your squid box

# -------- Bulk of INPUT table -------- #
# Allow ssh to the firewall box from the Internal network
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# -------- Bulk of OUTPUT table -------- #
# you said nothing about what should go here - you will need to fill in
# this is output of the ssh server, NOT things forwarded to the squid box
# the one rule you cannot do without: with OUTPUT set to DROP, sshd's replies to the
# connections accepted in INPUT would otherwise be dropped right here
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# -- anything else the box itself needs to originate (DNS, updates, ...) goes here --

# -------- Bulk of FORWARD table -------- #
# - here is the tricky part - in the PREROUTING chain of the nat table you DNATed the port, but
# - you must now allow it in the FORWARD chain, which it will hit next, to continue on its journey
iptables -A FORWARD -i eth1 -p tcp --dport 3128 -j ACCEPT
# - now allow the return traffic of those connections to traverse the firewall
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ---log all packets that hit the default policy ---- #
iptables -A INPUT -j LOG --log-level info --log-prefix "input_default_drop: "
iptables -A OUTPUT -j LOG --log-level info --log-prefix "output_default_drop: "
iptables -A FORWARD -j LOG --log-level info --log-prefix "forward_default_drop: "
# ---------------------- Activate the forwarding----------------- #
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo tcp_syncookies
echo Firewall loaded
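One thing to add, as a worked example that is not part of the post above: once the three LOG rules are in place, the next question is always "what is the DROP policy actually eating?", and the answer is what tells you which rules belong in the blank OUTPUT section. The sh function below reads the lines the LOG target writes to syslog/kern.log and counts them by log prefix, in/out interface, protocol and destination port. The log lines in SAMPLE_LOG are constructed for the example (hostname gw and the addresses are made up, using documentation address ranges); on a real box you would feed it grep output from /var/log/kern.log instead.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the kernel LOG lines
# produced by the "*_default_drop:" rules, grouped by prefix, interfaces,
# protocol and destination port.
#
# Constructed sample lines in the format the ipt_LOG target writes to syslog.
# Host "gw" and all addresses are made up for the example.
SAMPLE_LOG='Mar  3 22:14:01 gw kernel: input_default_drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4242 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 22:14:02 gw kernel: input_default_drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4243 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 22:14:05 gw kernel: output_default_drop: IN= OUT=eth0 SRC=198.51.100.2 DST=192.0.2.53 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49731 DPT=53 LEN=41
Mar  3 22:14:09 gw kernel: forward_default_drop: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1111 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 22:14:11 gw kernel: forward_default_drop: IN=eth1 OUT=eth0 SRC=192.168.1.21 DST=203.0.113.81 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1112 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 22:14:12 gw kernel: input_default_drop: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1'

# summarize_drops: read LOG lines on stdin, print "count prefix IN OUT PROTO DPT",
# highest count first.  Fields come from the KEY=VALUE tokens, so the syslog
# timestamp/host layout in front of the prefix does not matter.  An empty
# interface or a missing DPT (ICMP) is shown as "-".
summarize_drops() {
    awk '
        /_default_drop: / {
            split("", f)
            prefix = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /_default_drop:$/) { prefix = $i; sub(/:$/, "", prefix) }
                n = index($i, "=")
                if (n > 1) f[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            inif  = (f["IN"]  == "") ? "-" : f["IN"]
            outif = (f["OUT"] == "") ? "-" : f["OUT"]
            dport = ("DPT" in f) ? f["DPT"] : "-"
            count[prefix " " inif " " outif " " f["PROTO"] " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# On a real gateway: grep _default_drop: /var/log/kern.log | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

In the sample the output-drop line (UDP to port 53 leaving eth0) is exactly the kind of thing that shows up once OUTPUT is set to DROP: the box's own DNS lookups. The forward drops to port 443 are the https traffic point 2) above says the script does not handle.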