DIRK WROTE:

Hello folks,

I still have a problem setting up iptables for my proxy Squid. Everything else is doing well, but I think with Squid I have an understanding problem. My gateway has three NICs:

IF_WAN="ppp0"   DSL
IF_EXT="eth0"   is extern, where ppp0 talks pppoe for dsl.
IF_DMZ="eth1"   is DMZ
IF_LAN="eth2"   is LAN

My conception is that Squid runs as a local service on this gateway. So I have to write a rule with --dport 3128 for an INPUT way to and an OUTPUT way back on interface eth2, because Squid is running as a local service. Squid itself has to leave that gateway to the Internet on interface $IF_WAN with --dport 80 to --sport 80 and comes back as it goes. That means to write a rule with OUTPUT and INPUT on $IF_WAN. But it doesn't work. I also think about a FORWARD rule, but is my conception so wrong??

Dirk

----------------------------------------------------------------------------------------------------------------------------------

Hi Dirk, hi list,

I think you have to change the sport from 80 to 1024:65535 because requests at an http-server don't come from the same port where they want to go to. The same the other way around. You should also enable forward rules. Maybe it works this way.

Maybe you should try to enter the rules manually via a simple script.
If you use dynamic IP at your dsl-connection try this configuration:

<---SNIP-->
# EXT and UNPRI are not defined in the snippet as posted; assumed here:
# EXT is the external (pppoe) interface, UNPRI the unprivileged port range
EXT="ppp0"
UNPRI="1024:65535"

# SYNFLOODING
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# enable Source Address Verification
# (as posted this was "echo 1 > f", which creates a file named f instead of writing the sysctl)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done

# IP-Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# default policy DROP for everything, then flush and delete all chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -X
iptables -F
iptables -t nat -F
iptables -t nat -X

# clients talk from an unprivileged port to squid on 3128, and squid answers back
iptables -A INPUT -p tcp --dport 3128 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3128 --dport 1024:65535 -j ACCEPT

##########################################################################
# NAT (MASQUERADING)
##########################################################################
# Special variation of SNAT (SOURCE NAT)
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
iptables -A FORWARD -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
# note: this also accepts NEW connections arriving on $EXT for forwarding
iptables -A FORWARD -i $EXT -m state --state NEW -j ACCEPT

##########################################################################
# DNS
##########################################################################
echo "DNS"
# send requests to your DNS in the Internet
iptables -A OUTPUT -o $EXT -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o $EXT -p tcp --sport $UNPRI --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT -p tcp --sport 53 --dport $UNPRI -j ACCEPT

# HTTP
iptables -A OUTPUT -o $EXT -p udp --sport 1024:65535 --dport 80 -j ACCEPT
iptables -A INPUT -i $EXT -p udp --sport 80 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o $EXT -p tcp --sport $UNPRI --dport 80 -j ACCEPT
iptables -A INPUT -i $EXT -p tcp --sport 80 --dport $UNPRI -j ACCEPT

# look at your LOG, enable in /etc/syslog.conf the parameter "kern.* > /var/log/firewall" e.g.
iptables -A INPUT -j LOG --log-prefix "input "
iptables -A OUTPUT -j LOG --log-prefix "output "
iptables -A FORWARD -j LOG --log-prefix "forward "
<---SNIP-->

this should work

Regards,
Stefan Walther stefan_walther@gehag-dsk.de office: +4930/89786448 mobile: +49172/3943961
* Stefan_Walther@gehag-dsk.de wrote on Sat, Jun 23, 2001 at 19:18 +0200:

> All other doing well, but I think with Squid I have an understanding problem. My conception is squid runs as a local service on this Gateway. So I have to write a rule with --dport 3128 for an INPUT way to and an OUTPUT way back on Interface eth2, because Squid is running as a local service.

Yep, a client usually talks from a user port (some port >= 1024) to, i.e., 3128. So you need 1024-65535 --> 3128 in and 3128 --> 1024-65535 out.

> Squid himself has to leave that Gateway to the Internet on Interface $IF_WAN with --dport 80 to --sport 80 and comes back as it goes.

sport 80 is usually wrong. Try user ports for source, that means:

    dx:~ # cat /proc/sys/net/ipv4/ip_local_port_range
    1024    4999

per default 1024-4999. Way back as input of course.

Additionally you need DNS. Squid fires up some dns-servers which need access to port 53 UDP and TCP (yes, really both). You may configure squid to ask some local DNS server (if you like the proxy concept you may like that too, since it's similar). You can configure your named (Bind DNS) to use port 53 as _source_, so you need 53-->53 rules only. Additionally you can configure bind to use two or three forwarders, then you need those connections only to those few hosts.

> I also think about a FORWARD rule but is my conception so wrong??

If you trust in proxies then you may want to disable forwarding usually. And if you use forwarding, you may need masquerading, since pppoE usually has only one IP for the client.

oki, Steffen

-- 
This message was generated by machine and therefore bears neither signature nor seal.
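The recipe Steffen gives above (and that Stefan's script approximates) put together as one generator: LAN clients talk from a user port to 3128 and get 3128 back, Squid talks from a user port to 80 and gets 80 back, and Squid's resolvers need 53 over both UDP and TCP. This is an added example, not code from the thread. It goes one step further than the mails by reading the ephemeral range the kernel actually uses instead of hard-coding 1024-4999, and by allowing DNS only to the one server Squid is configured to ask. The interface names eth2 and ppp0 are Dirk's; the DNS server 192.0.2.53 is a constructed placeholder; and the rules are only echoed unless IPTABLES is set to the real binary, so the list can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the rule set Steffen
# describes for a Squid that runs on the gateway itself: LAN clients talk from
# a user port to 3128, Squid talks from a user port to 80, and Squid's
# resolvers need 53 over UDP and TCP. The commands are only echoed unless
# IPTABLES is set to the real binary, so the list can be reviewed first.
IPTABLES="${IPTABLES:-echo iptables}"

# interface names as in Dirk's mail; the DNS server is a constructed placeholder
IF_LAN="eth2"
IF_WAN="ppp0"
DNS_SERVER="192.0.2.53"

# port_range "1024 4999": turn the /proc format into the 1024:4999 form
# that --sport/--dport expect
port_range() {
    set -- $1
    echo "$1:$2"
}

# local_port_range: the ephemeral range this kernel actually uses (Steffen's
# "per default 1024-4999"), with a fallback when /proc is not readable
local_port_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        port_range "$(cat /proc/sys/net/ipv4/ip_local_port_range)"
    else
        port_range "1024 65535"
    fi
}

# squid_rules CLIENT_PORTS MY_PORTS DNS: emit the rules.
# CLIENT_PORTS = range the LAN clients use as source, MY_PORTS = range this
# gateway uses as source, DNS = the one server Squid is allowed to ask.
squid_rules() {
    client_ports="$1"; my_ports="$2"; dns="$3"
    # LAN -> Squid: user port to 3128 in, 3128 to user port back out
    $IPTABLES -A INPUT  -i "$IF_LAN" -p tcp --sport "$client_ports" --dport 3128 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IF_LAN" -p tcp --sport 3128 --dport "$client_ports" -j ACCEPT
    # Squid -> web: user port to 80 out, 80 to user port back in (not sport 80)
    $IPTABLES -A OUTPUT -o "$IF_WAN" -p tcp --sport "$my_ports" --dport 80 -j ACCEPT
    $IPTABLES -A INPUT  -i "$IF_WAN" -p tcp --sport 80 --dport "$my_ports" -j ACCEPT
    # DNS for Squid's resolvers: UDP and TCP, and only to the one configured server
    for proto in udp tcp; do
        $IPTABLES -A OUTPUT -o "$IF_WAN" -p "$proto" --sport "$my_ports" -d "$dns" --dport 53 -j ACCEPT
        $IPTABLES -A INPUT  -i "$IF_WAN" -p "$proto" -s "$dns" --sport 53 --dport "$my_ports" -j ACCEPT
    done
}

# rule_count ARGS...: how many rules squid_rules emits (meaningful in echo mode)
rule_count() {
    squid_rules "$@" | grep -c '^iptables -A'
}

squid_rules "1024:65535" "$(local_port_range)" "$DNS_SERVER"
```

Run it once as is to see the eight rules it would add, then run it with IPTABLES=/sbin/iptables (as root) to load them. The LAN side uses the full 1024:65535 because the clients may be any OS; the WAN side uses whatever this kernel's ip_local_port_range says, which is exactly the range Squid's own sockets will be given.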
Stefan_Walther@gehag-dsk.de wrote:

> Hi Dirk, hi list,
>
> I think you have to change the sport from 80 to 1024:65535 because requests at an http-server don't come from the same port where they want to go to. The same the other way around. You should also enable forward rules. Maybe it works this way.
>
> Maybe you should try to enter the rules manually via a simple script.
>
> If you use dynamic IP at your dsl-connection try this configuration:
>
> <---SNIP-->
> # EXT and UNPRI are not defined in the snippet as posted; assumed here:
> # EXT is the external (pppoe) interface, UNPRI the unprivileged port range
> EXT="ppp0"
> UNPRI="1024:65535"
>
> # SYNFLOODING
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> # enable Source Address Verification
> # (as posted this was "echo 1 > f", which creates a file named f instead of writing the sysctl)
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 1 > "$f"
> done
>
> # IP-Forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # default policy DROP for everything, then flush and delete all chains
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -X
> iptables -F
> iptables -t nat -F
> iptables -t nat -X
>
> # clients talk from an unprivileged port to squid on 3128, and squid answers back
> iptables -A INPUT -p tcp --dport 3128 --sport 1024:65535 -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 3128 --dport 1024:65535 -j ACCEPT
>
> ##########################################################################
> # NAT (MASQUERADING)
> ##########################################################################
> # Special variation of SNAT (SOURCE NAT)
> iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
> iptables -A FORWARD -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # note: this also accepts NEW connections arriving on $EXT for forwarding
> iptables -A FORWARD -i $EXT -m state --state NEW -j ACCEPT
>
> ##########################################################################
> # DNS
> ##########################################################################
> echo "DNS"
> # send requests to your DNS in the Internet
> iptables -A OUTPUT -o $EXT -p udp --sport 1024:65535 --dport 53 -j ACCEPT
> iptables -A INPUT -i $EXT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A OUTPUT -o $EXT -p tcp --sport $UNPRI --dport 53 -j ACCEPT
> iptables -A INPUT -i $EXT -p tcp --sport 53 --dport $UNPRI -j ACCEPT
>
> # HTTP
> iptables -A OUTPUT -o $EXT -p udp --sport 1024:65535 --dport 80 -j ACCEPT
> iptables -A INPUT -i $EXT -p udp --sport 80 --dport 1024:65535 -j ACCEPT
> iptables -A OUTPUT -o $EXT -p tcp --sport $UNPRI --dport 80 -j ACCEPT
> iptables -A INPUT -i $EXT -p tcp --sport 80 --dport $UNPRI -j ACCEPT
>
> # look at your LOG, enable in /etc/syslog.conf the parameter "kern.* > /var/log/firewall" e.g.
> iptables -A INPUT -j LOG --log-prefix "input "
> iptables -A OUTPUT -j LOG --log-prefix "output "
> iptables -A FORWARD -j LOG --log-prefix "forward "
> <---SNIP-->
>
> this should work
>
> Regards,
> Stefan Walther stefan_walther@gehag-dsk.de office: +4930/89786448 mobile: +49172/3943961
Hello Stefan, hello Steffen, hello folks!

Well, regarding that outgoing port from Squid, I was mistaken. Its dport is just 80. But that is not my problem. Masquerading and DNS, internal and external, pop, imap, http as mail GUI, all these things are working o.k. Only that thing with Squid on my collapsed firewall is my evil. Here are my rules exactly:

IF_WAN="ppp0"             # DSL
IF_EXT="eth0"             # is extern, where ppp0 talks pppoe for dsl.
IF_DMZ="eth1"             # is DMZ
IF_LAN="eth2"             # is LAN
servber01_eth0="IP-WAN"
servber01_eth2="IP-LAN"
ANY="0/0"
# IPTABLES, LAN and p_high are not shown in the mail; assumed here:
IPTABLES="iptables"
LAN="IP-LAN-NET"          # the LAN network behind eth2
p_high="1024:65535"       # unprivileged ports

# The rules as posted used the chain name "OUPUT" and the state "ESTABLISED";
# iptables rejects both spellings and the rule is not loaded. Corrected to
# OUTPUT / ESTABLISHED below.

#LAN goes way to Proxy
$IPTABLES -A INPUT -i $IF_LAN -p tcp -m state --state NEW,ESTABLISHED,RELATED -s $LAN --sport $p_high -d $servber01_eth2 --dport squid -j ACCEPT
#Proxy goes back to LAN
$IPTABLES -A OUTPUT -o $IF_LAN -p tcp -m state --state ESTABLISHED,RELATED -s $servber01_eth2 --sport squid -d $LAN --dport $p_high -j ACCEPT
#Proxy goes way to Internet
$IPTABLES -A OUTPUT -o $IF_WAN -p tcp -m state --state NEW,ESTABLISHED,RELATED -s $servber01_eth0 --sport $p_high -d $ANY --dport http -j ACCEPT
#Internet goes way back to Proxy
$IPTABLES -A INPUT -i $IF_WAN -p tcp -m state --state ESTABLISHED,RELATED -s $ANY --sport http -d $servber01_eth0 --dport $p_high -j ACCEPT

Maybe you can find that trouble. Squid is a local service on my collapsed firewall. So I don't need FORWARD rules. Transparent proxy is not good for that one.

Thanks a lot and best regards
Dirk
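Dirk's four rules as posted spell the chain OUPUT and the state ESTABLISED. iptables rejects a rule with an unknown chain or conntrack state, and with a DROP policy a rule that never loads leaves the traffic dropped with no other symptom than the error scrolling past when the script runs. Added example, not code from the thread: a pre-flight lint in POSIX sh that checks every rule line for valid chain names and --state values before a script is applied. It is run here over Dirk's rules with constructed sample values (192.168.1.0/24 for the LAN, 192.168.1.1 for eth2, 203.0.113.10 for ppp0) in place of his variables; the lists of valid chains and states cover the built-in chains and the conntrack states iptables knows.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight lint for iptables rule
# lines. An unknown chain ("OUPUT") or conntrack state ("ESTABLISED") makes
# iptables reject the rule; with a DROP policy the rule is then simply missing
# and the traffic it should allow is dropped without any other symptom.

VALID_CHAINS="INPUT OUTPUT FORWARD PREROUTING POSTROUTING"
VALID_STATES="NEW ESTABLISHED RELATED INVALID UNTRACKED"

# Dirk's rules as posted, with constructed sample values in place of his
# variables (192.168.1.0/24 = LAN, 192.168.1.1 = eth2 address, 203.0.113.10 = ppp0 address)
SAMPLE_RULES='#LAN goes way to Proxy
iptables -A INPUT -i eth2 -p tcp -m state --state NEW,ESTABLISED,RELATED -s 192.168.1.0/24 --sport 1024:65535 -d 192.168.1.1 --dport squid -j ACCEPT
#Proxy goes back to LAN
iptables -A OUPUT -o eth2 -p tcp -m state --state ESTABLISED,RELATED -s 192.168.1.1 --sport squid -d 192.168.1.0/24 --dport 1024:65535 -j ACCEPT
#Proxy goes way to Internet
iptables -A OUPUT -o ppp0 -p tcp -m state --state NEW,ESTABLISED,RELATED -s 203.0.113.10 --sport 1024:65535 -d 0/0 --dport http -j ACCEPT
#Internet goes way back to Proxy
iptables -A INPUT -i ppp0 -p tcp -m state --state ESTABLISED,RELATED -s 0/0 --sport http -d 203.0.113.10 --dport 1024:65535 -j ACCEPT'

# in_list WORD LIST: true if WORD is one of the space-separated words in LIST
in_list() {
    for w in $2; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# lint_rule "iptables ...": print one line per problem, return 1 if any found
lint_rule() {
    errors=0
    set -- $1
    while [ $# -gt 1 ]; do
        case "$1" in
            -A|-I|-D)
                in_list "$2" "$VALID_CHAINS" || { echo "unknown chain: $2"; errors=$((errors + 1)); }
                shift ;;
            --state)
                # states are comma separated: NEW,ESTABLISHED,RELATED
                for st in $(echo "$2" | tr ',' ' '); do
                    in_list "$st" "$VALID_STATES" || { echo "unknown state: $st"; errors=$((errors + 1)); }
                done
                shift ;;
        esac
        shift
    done
    [ "$errors" -eq 0 ]
}

# lint_rules < script: lint every line that starts with "iptables", prefix
# each problem with its line number, return 1 if any rule was bad
lint_rules() {
    n=0
    bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            iptables*) ;;
            *) continue ;;    # comments, blank lines, variable assignments
        esac
        problems=$(lint_rule "$line") || bad=1
        if [ -n "$problems" ]; then
            printf '%s\n' "$problems" | sed "s/^/line $n: /"
        fi
    done
    return $bad
}

# problem_count: number of problems lint_rules finds in SAMPLE_RULES
problem_count() {
    printf '%s\n' "$SAMPLE_RULES" | lint_rules | grep -c .
}

printf '%s\n' "$SAMPLE_RULES" | lint_rules || echo "fix the rules above before loading them"
```

Pipe a real firewall script through lint_rules before running it; the four sample rules produce six findings (two bad chains, four bad states), which is also why "-m state" looks like it does nothing in Dirk's setup.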
participants (3)
- Dirk Ertl
- Stefan_Walther@gehag-dsk.de
- Steffen Dettmer