squid and iptables


 
07-12-2011

Hello all

I have a little network as described below.

A Linux router/proxy with the External interface: 192.168.121.240
Internal interface: 10.0.0.2 and a DMZ interface: 10.1.0.2

On the DMZ I have a Linux box with IP 10.1.0.10 and apache2, php5, mysql and samba installed.

On the internal interface I have the IPs 10.0.0.3, 10.0.0.4, 10.0.0.5 with 3 Windows 2003 servers, a Linux mail server with the IP 10.0.0.6 and a Windows XP machine with the IP 10.0.0.20.

This network is connected to another network that has a proxy server with the IP 192.168.1.253.

Now from the internal network I can go to google.com.
But when I type in //10.1.0.10/phpinfo.php it won't connect to the apache2 server on the DMZ.
And when I type //10.0.0.6/webmail/login it also won't go to the web page, even though it's on the same network.

Now my question is: did I do my iptables or squid wrong, or both?

I post the iptables and squid.conf below.



Greets Davano

Iptables:

Code:
EXT_IFACE=eth0
DMZ_IFACE=eth1
DMZ_ADDR=10.1.0.0/24
INT_IFACE=eth2
INT_ADDR=10.0.0.0/24
WEB_SERVER=10.1.0.10
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
iptables -N int-dmz
iptables -N ext-dmz
iptables -N int-ext
iptables -N dmz-int
iptables -N dmz-ext
iptables -N ext-int
iptables -N icmp-acc
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.121.240
iptables -t nat -A PREROUTING -p tcp -d $WEB_SERVER --dport http -j DNAT --to $WEB_SERVER:80
iptables -t nat -A PREROUTING -p tcp -d $WEB_SERVER --dport https -j DNAT --to $WEB_SERVER:443
iptables -A ext-dmz -p tcp --dport http -d $WEB_SERVER -j ACCEPT
iptables -A FORWARD -s $INT_ADDR -o $DMZ_IFACE -j int-dmz
iptables -A FORWARD -s $INT_ADDR -o $EXT_IFACE -j int-ext
iptables -A FORWARD -s $DMZ_ADDR -o $EXT_IFACE -j dmz-ext
iptables -A FORWARD -s $DMZ_ADDR -o $INT_IFACE -j dmz-int
iptables -A FORWARD -o $DMZ_IFACE -j ext-dmz
iptables -A FORWARD -o $INT_IFACE -j ext-int
iptables -A FORWARD -j LOG --log-prefix "chain-jump"
iptables -A FORWARD -j DROP
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A icmp-acc -j LOG --log-prefix "icmp-acc"
iptables -A icmp-acc -j DROP
iptables -A int-dmz -p udp --dport domain -j ACCEPT
iptables -A int-dmz -p tcp --dport domain -j ACCEPT
iptables -A int-dmz -p tcp --dport www -j ACCEPT
iptables -A int-dmz -p tcp --dport https -j ACCEPT
iptables -A int-dmz -p tcp --dport ssh -j ACCEPT
iptables -A int-dmz -p tcp --dport telnet -j ACCEPT
iptables -A int-dmz -p tcp --dport auth -j ACCEPT
iptables -A int-dmz -p tcp --dport ftp -j ACCEPT
iptables -A int-dmz -p icmp -j icmp-acc
iptables -A int-dmz -j LOG --log-prefix "int-dmz"
iptables -A int-dmz -j DROP
iptables -A ext-dmz -p udp --dport domain -j ACCEPT
iptables -A ext-dmz -p tcp --dport domain -j ACCEPT
iptables -A ext-dmz -p tcp --dport www -j ACCEPT
iptables -A ext-dmz -p tcp --dport https -j ACCEPT
iptables -A ext-dmz -p tcp --dport ssh -j ACCEPT
iptables -A ext-dmz -p icmp -j icmp-acc
iptables -A ext-dmz -j LOG --log-prefix "ext-dmz"
iptables -A ext-dmz -j DROP
iptables -A int-ext -j ACCEPT
iptables -A dmz-int -p udp --sport domain -j ACCEPT
iptables -A dmz-int -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-int -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-int -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-int -p icmp -j icmp-acc
iptables -A dmz-int -j LOG --log-prefix "dmz-int"
iptables -A dmz-int -j DROP
iptables -A dmz-ext -p udp --dport domain -j ACCEPT
iptables -A dmz-ext -p tcp --dport domain -j ACCEPT
iptables -A dmz-ext -p tcp --dport www -j ACCEPT
iptables -A dmz-ext -p tcp --dport https -j ACCEPT
iptables -A dmz-ext -p tcp --dport ssh -j ACCEPT
iptables -A dmz-ext -p tcp --dport ftp -j ACCEPT
iptables -A dmz-ext -p tcp --dport whois -j ACCEPT
iptables -A dmz-ext -p tcp --dport telnet -j ACCEPT
iptables -A dmz-ext -p tcp --dport ntp -j ACCEPT
iptables -A dmz-ext -p icmp -j icmp-acc
iptables -A dmz-ext -j LOG --log-prefix "dmz-ext"
iptables -A dmz-ext -j DROP
iptables -A ext-int -j DROP
iptables -N ext-if
iptables -N dmz-if
iptables -N int-if
iptables -A INPUT -i $EXT_IFACE -j ext-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $INT_IFACE -j int-if
iptables -A ext-if -j ACCEPT
iptables -A dmz-if -j ACCEPT
iptables -A int-if -j ACCEPT
iptables -D INPUT 1
iptables -D OUTPUT 1
iptables -D FORWARD 1


This is the output from iptables -L

Code:
linux-od82:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ext-if all -- anywhere anywhere
dmz-if all -- anywhere anywhere
int-if all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state RELATED,ESTABLISHED
int-dmz all -- 10.0.0.0/24 anywhere
int-ext all -- 10.0.0.0/24 anywhere
dmz-ext all -- 10.1.0.0/24 anywhere
dmz-int all -- 10.1.0.0/24 anywhere
ext-dmz all -- anywhere anywhere
ext-int all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `chain-jump'
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain dmz-ext (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:nicname
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere tcp dpt:ntp
icmp-acc icmp -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `dmz-ext'
DROP all -- anywhere anywhere

Chain dmz-if (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain dmz-int (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:domain flags:!FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp spt:http flags:!FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp spt:ssh flags:!FIN,SYN,RST,ACK/SYN
icmp-acc icmp -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `dmz-int'
DROP all -- anywhere anywhere

Chain ext-dmz (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.1.0.10 tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
icmp-acc icmp -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `ext-dmz'

Chain ext-if (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ext-int (1 references)
target prot opt source destination

Chain forward_dmz (0 references)
target prot opt source destination

Chain forward_ext (0 references)
target prot opt source destination

Chain forward_int (0 references)
target prot opt source destination

Chain icmp-acc (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
LOG all -- anywhere anywhere LOG level warning prefix `icmp-acc'
DROP all -- anywhere anywhere

Chain input_dmz (0 references)
target prot opt source destination

Chain input_ext (0 references)
target prot opt source destination

Chain input_int (0 references)
target prot opt source destination

Chain int-dmz (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere tcp dpt:ident
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
icmp-acc icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `int-dmz'

Chain int-ext (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain int-if (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain reject_func (0 references)
target prot opt source destination
linux-od82:~ #



Squid.conf:

Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 10.1.0.0/24 # RFC1918 possible internal network
acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow all

icp_access allow localnet
icp_access deny all

cache_peer 192.168.1.253 parent 8080 3130 proxy-only no-query
cache_peer 192.168.1.252 parent 8080 3130 proxy-only no-query
cache_peer 192.168.1.251 parent 8080 3130 proxy-only no-query

hierarchy_stoplist cgi-bin ?


refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

dns_nameservers 10.0.0.3 10.0.0.4

retry_on_error on


Last edited by pludi; 07-13-2011 at 08:13 AM..
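The `iptables -L` listing in the post does not match the script above it (the FORWARD chain in the listing drops RELATED,ESTABLISHED traffic where the script accepts it, and ext-dmz and int-dmz end in LOG with no DROP), so the live ruleset deserves an audit of its own. The following is an added example, not from the post, that parses `iptables -L` text and flags exactly those patterns; its input is a trimmed excerpt of the listing above.

```python
# Added example (not from the post): audit `iptables -L` text for rules that kill
# return traffic or let packets fall through.  SAMPLE is a trimmed excerpt of the post's listing.
import re
SAMPLE = """\
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain ext-dmz (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.1.0.10 tcp dpt:http
LOG all -- anywhere anywhere LOG level warning prefix `ext-dmz'

Chain int-dmz (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `int-dmz'
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_chains(text):
    """Return {chain_name: [(target, match_text), ...]} from `iptables -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((policy|\d+ references)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target "):
            target, _, rest = line.partition(" ")
            chains[current].append((target, rest.strip()))
    return chains

def audit(chains):
    # (a) RELATED,ESTABLISHED matched to DROP kills every reply packet;
    # (b) a chain whose last rule is not terminal hands the packet back to its
    #     caller (here FORWARD's final LOG + DROP); (c) 'ACCEPT all' shadows later rules.
    findings = []
    for name, rules in chains.items():
        for i, (target, rest) in enumerate(rules):
            if "RELATED,ESTABLISHED" in rest and target == "DROP":
                findings.append((name, "established-traffic-dropped"))
            if target == "ACCEPT" and rest == "all -- anywhere anywhere" and i < len(rules) - 1:
                findings.append((name, "accept-all-shadows-later-rules"))
        if rules and rules[-1][0] not in TERMINAL:
            findings.append((name, "no-terminal-rule"))
    return findings
```

A packet that falls out of ext-dmz or int-dmz without a verdict continues down FORWARD and hits the `chain-jump` LOG rule before the final DROP, so that prefix in the kernel log is a quick on-box confirmation of finding (b).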