A Linux router/proxy with the external interface 192.168.121.240,
internal interface 10.0.0.2 and a DMZ interface 10.1.0.2.
On the DMZ I have a Linux box with IP 10.1.0.10 and apache2, php5, mysql and samba installed.
On the internal interface I have the IPs 10.0.0.3, 10.0.0.4, 10.0.0.5 with 3 Windows 2003 servers, a Linux mailserver with IP 10.0.0.6 and a Windows XP with IP 10.0.0.20.
This network is connected to another network that has a proxy server with IP 192.168.1.253.
Now from the internal network I can go to google.com.
But when I type in //10.1.0.10/phpinfo.php it won't connect to the apache2 server on the DMZ.
And when I type //10.0.0.6/webmail/login it also won't go to the webpage, even though it's on the same network.
Now my question is: did I do my iptables or squid wrong, or both?
I post the iptables and squid.conf below.
Greets, Davano
Iptables:
Code:
#!/bin/sh
# Three-legged firewall: eth0 = external, eth1 = DMZ, eth2 = internal.
EXT_IFACE=eth0
DMZ_IFACE=eth1
DMZ_ADDR=10.1.0.0/24
INT_IFACE=eth2
INT_ADDR=10.0.0.0/24
WEB_SERVER=10.1.0.10

# Kernel settings: proxy ARP on the external and DMZ legs, IP forwarding on,
# and reverse-path filtering on every interface (a packet is dropped when its
# source address would not be routed back out the interface it arrived on).
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# Start from a clean slate. The nat table is flushed and the user-defined
# chains are deleted too, so the script can be run a second time without
# duplicated nat rules or "chain already exists" errors from -N.
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -X

# Block everything while the rules are being built; these three rules are
# deleted again at the very end of the script.
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

# One chain per direction of forwarded traffic, plus one for ICMP.
iptables -N int-dmz
iptables -N ext-dmz
iptables -N int-ext
iptables -N dmz-int
iptables -N dmz-ext
iptables -N ext-int
iptables -N icmp-acc

# Connection tracking: drop malformed state, accept replies to known flows.
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Masquerade everything leaving the external leg behind the router's address.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.121.240
# Note: as written these two rules rewrite the destination to the address the
# packet already carries ($WEB_SERVER), so they have no effect; a port forward
# from outside would have to match the router's external address instead.
iptables -t nat -A PREROUTING -p tcp -d $WEB_SERVER --dport http -j DNAT --to $WEB_SERVER:80
iptables -t nat -A PREROUTING -p tcp -d $WEB_SERVER --dport https -j DNAT --to $WEB_SERVER:443
iptables -A ext-dmz -p tcp --dport http -d $WEB_SERVER -j ACCEPT

# Dispatch forwarded traffic to the per-direction chains by source network
# and outgoing interface. Anything else bound for the DMZ or internal leg
# (i.e. from the external side) goes to ext-dmz / ext-int; whatever matches
# no jump is logged and dropped.
iptables -A FORWARD -s $INT_ADDR -o $DMZ_IFACE -j int-dmz
iptables -A FORWARD -s $INT_ADDR -o $EXT_IFACE -j int-ext
iptables -A FORWARD -s $DMZ_ADDR -o $EXT_IFACE -j dmz-ext
iptables -A FORWARD -s $DMZ_ADDR -o $INT_IFACE -j dmz-int
iptables -A FORWARD -o $DMZ_IFACE -j ext-dmz
iptables -A FORWARD -o $INT_IFACE -j ext-int
iptables -A FORWARD -j LOG --log-prefix "chain-jump"
iptables -A FORWARD -j DROP

# ICMP: allow the error types needed for path MTU / traceroute plus ping,
# log and drop the rest.
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A icmp-acc -j LOG --log-prefix "icmp-acc"
iptables -A icmp-acc -j DROP

# Internal -> DMZ: new connections to these services (port 80 included).
iptables -A int-dmz -p udp --dport domain -j ACCEPT
iptables -A int-dmz -p tcp --dport domain -j ACCEPT
iptables -A int-dmz -p tcp --dport www -j ACCEPT
iptables -A int-dmz -p tcp --dport https -j ACCEPT
iptables -A int-dmz -p tcp --dport ssh -j ACCEPT
iptables -A int-dmz -p tcp --dport telnet -j ACCEPT
iptables -A int-dmz -p tcp --dport auth -j ACCEPT
iptables -A int-dmz -p tcp --dport ftp -j ACCEPT
iptables -A int-dmz -p icmp -j icmp-acc
iptables -A int-dmz -j LOG --log-prefix "int-dmz"
iptables -A int-dmz -j DROP

# External -> DMZ: published services only.
iptables -A ext-dmz -p udp --dport domain -j ACCEPT
iptables -A ext-dmz -p tcp --dport domain -j ACCEPT
iptables -A ext-dmz -p tcp --dport www -j ACCEPT
iptables -A ext-dmz -p tcp --dport https -j ACCEPT
iptables -A ext-dmz -p tcp --dport ssh -j ACCEPT
iptables -A ext-dmz -p icmp -j icmp-acc
iptables -A ext-dmz -j LOG --log-prefix "ext-dmz"
iptables -A ext-dmz -j DROP

# Internal -> external: unrestricted.
iptables -A int-ext -j ACCEPT

# DMZ -> internal: only non-SYN (reply) packets from a few server ports;
# the DMZ may not open new connections into the internal network.
iptables -A dmz-int -p udp --sport domain -j ACCEPT
iptables -A dmz-int -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-int -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-int -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-int -p icmp -j icmp-acc
iptables -A dmz-int -j LOG --log-prefix "dmz-int"
iptables -A dmz-int -j DROP

# DMZ -> external: outbound services the DMZ hosts may use.
iptables -A dmz-ext -p udp --dport domain -j ACCEPT
iptables -A dmz-ext -p tcp --dport domain -j ACCEPT
iptables -A dmz-ext -p tcp --dport www -j ACCEPT
iptables -A dmz-ext -p tcp --dport https -j ACCEPT
iptables -A dmz-ext -p tcp --dport ssh -j ACCEPT
iptables -A dmz-ext -p tcp --dport ftp -j ACCEPT
iptables -A dmz-ext -p tcp --dport whois -j ACCEPT
iptables -A dmz-ext -p tcp --dport telnet -j ACCEPT
iptables -A dmz-ext -p tcp --dport ntp -j ACCEPT
iptables -A dmz-ext -p icmp -j icmp-acc
iptables -A dmz-ext -j LOG --log-prefix "dmz-ext"
iptables -A dmz-ext -j DROP

# External -> internal: never.
iptables -A ext-int -j DROP

# Traffic addressed to the router itself, split by incoming interface.
# All three chains currently accept everything, so services running on the
# router (squid, ssh, ...) are reachable from every leg, the external one
# included.
iptables -N ext-if
iptables -N dmz-if
iptables -N int-if
iptables -A INPUT -i $EXT_IFACE -j ext-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $INT_IFACE -j int-if
iptables -A ext-if -j ACCEPT
iptables -A dmz-if -j ACCEPT
iptables -A int-if -j ACCEPT

# Remove the temporary DROP rules from the start of the script. OUTPUT is
# left empty and falls through to its default policy, so connections the
# router opens itself (squid fetching on behalf of clients) are not filtered.
iptables -D INPUT 1
iptables -D OUTPUT 1
iptables -D FORWARD 1
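As an added example, not part of Davano's post, the following Python models the FORWARD path of the ruleset above so that a packet's verdict and the LOG prefix it would produce can be checked without touching a live router. It is a rule-by-rule transcription of the posted chains in the order the script installs them (after the temporary DROP in position 1 is deleted). Assumptions made here: the outgoing interface is derived from the destination subnet (eth1 for 10.1.0.0/24, eth2 for 10.0.0.0/24, eth0 otherwise), the service names resolve to their usual /etc/services numbers, the nat table is ignored, and the packets are constructed. Note that requests sent through squid on the router leave from the router's own OUTPUT chain, which the script leaves empty, so they never traverse FORWARD; this model covers only traffic the router routes directly.

```python
from ipaddress import ip_address, ip_network

# Topology from the post: eth0 external, eth1 DMZ, eth2 internal.
INT_ADDR = ip_network("10.0.0.0/24")
DMZ_ADDR = ip_network("10.1.0.0/24")
WEB_SERVER = ip_address("10.1.0.10")
# Port numbers iptables resolves the script's service names to (assumed /etc/services).
PORT = {"domain": 53, "www": 80, "http": 80, "https": 443, "ssh": 22,
        "telnet": 23, "auth": 113, "ftp": 21, "whois": 43, "ntp": 123}
ICMP_OK = ("destination-unreachable", "source-quench", "time-exceeded",
           "echo-request", "echo-reply")


def out_iface(dst):
    """Assumed routing decision that the '-o' matches depend on."""
    if dst in DMZ_ADDR:
        return "eth1"
    if dst in INT_ADDR:
        return "eth2"
    return "eth0"


def accept_new_to(names):
    """The '--dport' ACCEPT rules shared by int-dmz, ext-dmz and dmz-ext."""
    rules = [({"proto": "udp", "dport": PORT["domain"]}, "ACCEPT")]
    return rules + [({"proto": "tcp", "dport": PORT[n]}, "ACCEPT") for n in names]


def tail(prefix):
    """Every filtering chain ends with: ICMP -> icmp-acc, LOG, DROP."""
    return [({"proto": "icmp"}, "icmp-acc"), ({}, "LOG:" + prefix), ({}, "DROP")]


# Rule order as installed by the script, after 'iptables -D FORWARD 1'.
CHAINS = {
    "FORWARD": [
        ({"state": {"INVALID"}}, "DROP"),
        ({"state": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
        ({"src": INT_ADDR, "out": "eth1"}, "int-dmz"),
        ({"src": INT_ADDR, "out": "eth0"}, "int-ext"),
        ({"src": DMZ_ADDR, "out": "eth0"}, "dmz-ext"),
        ({"src": DMZ_ADDR, "out": "eth2"}, "dmz-int"),
        ({"out": "eth1"}, "ext-dmz"),
        ({"out": "eth2"}, "ext-int"),
        ({}, "LOG:chain-jump"),
        ({}, "DROP"),
    ],
    "icmp-acc": [({"proto": "icmp", "icmp_type": t}, "ACCEPT") for t in ICMP_OK]
                + [({}, "LOG:icmp-acc"), ({}, "DROP")],
    "int-dmz": accept_new_to(["domain", "www", "https", "ssh", "telnet", "auth", "ftp"])
               + tail("int-dmz"),
    "ext-dmz": [({"proto": "tcp", "dport": PORT["http"], "dst": WEB_SERVER}, "ACCEPT")]
               + accept_new_to(["domain", "www", "https", "ssh"]) + tail("ext-dmz"),
    "int-ext": [({}, "ACCEPT")],
    "dmz-int": [({"proto": "udp", "sport": PORT["domain"]}, "ACCEPT")]
               + [({"proto": "tcp", "syn": False, "sport": PORT[n]}, "ACCEPT")
                  for n in ("domain", "www", "ssh")]
               + tail("dmz-int"),
    "dmz-ext": accept_new_to(["domain", "www", "https", "ssh", "ftp", "whois",
                              "telnet", "ntp"]) + tail("dmz-ext"),
    "ext-int": [({}, "DROP")],
}


def packet(src, dst, proto="tcp", dport=None, sport=None, state="NEW",
           syn=True, icmp_type=None):
    """Constructed packet description holding only the fields the rules look at."""
    return {"src": ip_address(src), "dst": ip_address(dst), "proto": proto,
            "dport": dport, "sport": sport, "state": state, "syn": syn,
            "icmp_type": icmp_type}


def matches(rule, pkt):
    for key, want in rule.items():
        if key == "state":
            ok = pkt["state"] in want
        elif key == "src":
            ok = pkt["src"] in want
        elif key == "out":
            ok = out_iface(pkt["dst"]) == want
        else:  # dst, proto, dport, sport, syn, icmp_type: exact match
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True


def evaluate(pkt, chain="FORWARD", logs=None):
    """Return (verdict, [LOG prefixes hit]); a None verdict means RETURN."""
    logs = [] if logs is None else logs
    for rule, target in CHAINS[chain]:
        if not matches(rule, pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target, logs
        if target.startswith("LOG:"):
            logs.append(target[4:])
            continue
        verdict, logs = evaluate(pkt, target, logs)  # jump into a user chain
        if verdict is not None:
            return verdict, logs
    return None, logs


if __name__ == "__main__":
    for desc, pkt in [
        ("internal client -> DMZ web :80", packet("10.0.0.3", "10.1.0.10", dport=80)),
        ("DMZ host -> internal :445 (new)", packet("10.1.0.10", "10.0.0.3", dport=445)),
        ("outside -> DMZ :443", packet("192.168.121.50", "10.1.0.10", dport=443)),
    ]:
        print(f"{desc:35s} -> {evaluate(pkt)}")
```

Running the three sample packets shows that a directly routed connection from an internal client to the DMZ web server on port 80 is accepted by int-dmz, so the FORWARD rules are not what blocks that request; a new connection from the DMZ into the internal network is logged with the "dmz-int" prefix and dropped, which is the log line to look for in the kernel log when checking whether a given flow is being filtered.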