DIRK WROTE: Hello Stefan, hello Steffen, hello folks! Well, regarding that outgoing port from Squid, I was mistaken. Its dport is just 80. But that is not my problem. Masquerading and DNS internal and external, POP, IMAP, HTTP as mail GUI, all these things work OK. Only that thing with Squid on my collapsed firewall is my trouble. Here are my rules exactly:

IF_WAN="ppp0"    # DSL
IF_EXT="eth0"    # external, where ppp0 talks PPPoE for DSL
IF_DMZ="eth1"    # DMZ
IF_LAN="eth2"    # LAN
servber01_eth0="IP-WAN"
servber01_eth2="IP-LAN"
ANY="0/0"
# Not in the original post: the three variables below are used by the rules
# but were never set, so they would expand to nothing. Placeholder values.
IPTABLES=/usr/sbin/iptables
LAN="IP-LAN-NET"
p_high="1024:65535"

# LAN goes to the proxy
# (state name corrected: the original post spelled it ESTABLISED)
$IPTABLES -A INPUT -i $IF_LAN -p tcp -m state --state NEW,ESTABLISHED,RELATED -s $LAN --sport $p_high -d $servber01_eth2 --dport squid -j ACCEPT
# Proxy goes back to LAN
# (chain name corrected: the original post spelled it OUPUT)
$IPTABLES -A OUTPUT -o $IF_LAN -p tcp -m state --state ESTABLISHED,RELATED -s $servber01_eth2 --sport squid -d $LAN --dport $p_high -j ACCEPT
# Proxy goes out to the Internet
$IPTABLES -A OUTPUT -o $IF_WAN -p tcp -m state --state NEW,ESTABLISHED,RELATED -s $servber01_eth0 --sport $p_high -d $ANY --dport http -j ACCEPT
# Internet comes back to the proxy
$IPTABLES -A INPUT -i $IF_WAN -p tcp -m state --state ESTABLISHED,RELATED -s $ANY --sport http -d $servber01_eth0 --dport $p_high -j ACCEPT

Maybe you can find that trouble. Squid is a local service on my collapsed firewall, so I don't need FORWARD rules. A transparent proxy is not good for that one. Thanks a lot and best regards, Dirk

Hi Dirk, hi folks, when I set up a firewall I read the iptables howtos, and I think the states NEW, RELATED and ESTABLISHED are more effective if you use some NAT. I think you need special INPUT and OUTPUT rules at your firewall. We had the same problem when we used bindutil for nameserver queries at the firewall. We tried to use only states, but this doesn't work. At this point I think you have to use simple INPUT and OUTPUT rules. Best regards, Stefan Walther stefan_walther@gehag-dsk.de office: +4930/89786448 mobile: +49172/3943961
Stefan_Walther@gehag-dsk.de wrote:
Hi Dirk, hi folks,
When I set up a firewall I read the iptables howtos, and I think the states NEW, RELATED and ESTABLISHED are more effective if you use some NAT. I think you need special INPUT and OUTPUT rules at your firewall. We had the same problem when we used bindutil for nameserver queries at the firewall. We tried to use only states, but this doesn't work. At this point I think you have to use simple INPUT and OUTPUT rules.
Best regards,
Stefan Walther stefan_walther@gehag-dsk.de office: +4930/89786448 mobile: +49172/3943961
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hello Stefan, hello folks, I tried that one, but it's the same thing. What is really curious: when the firewall script starts, I get an error message with reference to "Bad argument squid", even though I had declared it in /etc/services. The same thing happens when I use the port number: "Bad argument 3128". Any idea??? Thanks and regards, Dirk
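An added example, not from either poster: a small pre-flight lint for the rule lines of a firewall script. It flags the two kinds of typo visible in the rules quoted above (an unknown chain name such as OUPUT after -A, an unknown conntrack state such as ESTABLISED in --state), which iptables rejects when the script runs; it assumes the filter table's built-in chains only and never calls iptables itself.

```shell
#!/bin/sh
# Offline lint for iptables rule arguments (added example, not from the thread).
# Assumption: only the built-in filter-table chains are in use.
VALID_CHAINS="INPUT OUTPUT FORWARD"
VALID_STATES="NEW ESTABLISHED RELATED INVALID"

# in_list WORD LIST -> returns 0 if WORD appears in the space-separated LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# lint_rule "ARGS" -> prints each problem found, returns 0 if clean, 1 otherwise.
# ARGS is the argument string after the iptables binary, with shell variables
# already expanded (as they would be when the script runs).
lint_rule() {
    rc=0
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|-I|-D)
                in_list "$2" "$VALID_CHAINS" || { echo "unknown chain: $2"; rc=1; }
                shift ;;
            --state)
                for s in $(echo "$2" | tr ',' ' '); do
                    in_list "$s" "$VALID_STATES" || { echo "unknown state: $s"; rc=1; }
                done
                shift ;;
        esac
        shift
    done
    return $rc
}

# Example run over a rule line as it appeared in the post (variables expanded):
# lint_rule "-A OUPUT -o eth2 -p tcp -m state --state ESTABLISED,RELATED -j ACCEPT"
```

Run each rule through lint_rule before the script executes it, so a misspelled chain or state is reported with the rule it belongs to instead of as a bare iptables error.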
Participants (2): Dirk Ertl, Stefan_Walther@gehag-dsk.de