* Linux as router (Gateway Server)
@ 2005-01-19 14:37 Navneet
[not found] ` <1106851960.14748.6.camel@localhost.localdomain>
0 siblings, 1 reply; 7+ messages in thread
From: Navneet @ 2005-01-19 14:37 UTC (permalink / raw)
To: netfilter
Dear all,
I have a question:
"I only have a single network connection, but I would like all my computers
to have Internet access.
How is this possible?"
1. What I have:
My network configuration is as follows:-
eth1
(172.21.0.133/28)
|
|
AGNI {RedHat 9[Squid Proxy,Gateway ,firewall & FTP] }
|
|
|
(192.168.0.0/16)
eth0
|
---- SWITCH----------
|
|
|
LAN
where:-
eth0-Intel Corp. 82557/8/9 [Ethernet Pro 100]
eth1-Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet
2. What I have done:-
a) Enabled IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
& added the above line to /etc/rc.d/rc.local
b) Firewall rules as follows:-
# vi testWall
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# allow local loopback connections
-A INPUT -i lo -j ACCEPT
# allow echo-requests (pinging)
-A INPUT -s 192.168.0.0/16 -d 0/0 -p icmp --icmp-type echo-request -j ACCEPT
# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow connections to my ISP's DNS servers
-A OUTPUT -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A OUTPUT -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A FORWARD -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -i eth0 -o eth0 -j ACCEPT
-A FORWARD -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -i eth0 -o eth0 -j ACCEPT

# allow outgoing connections to web servers
-A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth0 -j ACCEPT

# allow outgoing mail connections to my ISP's SMTP and POP3 server only
-A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT
-A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT

# log all other attempted outgoing connections
-A OUTPUT -o eth0 -j LOG
-A FORWARD -j LOG
# default is to DROP outgoing connections

COMMIT

*nat

# set up IP forwarding and nat
-A POSTROUTING -o eth0 -j SNAT --to 172.21.0.133

COMMIT
PS: Copied from http://linuxgazette.net/103/odonovan.html
#iptables-restore </root/testWall
#iptables-save
3. What I got:-
a) Users are able to browse the Internet via the Squid proxy (192.168.0.1:3128),
i.e. http/https.
b) But they can't access mail (POP3/SMTP) from our ISP mail server.
A traceroute to my ISP's mail server can't get beyond my RedHat (AGNI) server.
What am I doing wrong? Please suggest.
Thanks & regards,
Navneet Choudhary
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Linux as router (Gateway Server) [Revisited]
[not found] ` <1106851960.14748.6.camel@localhost.localdomain>
@ 2005-01-31 15:24 ` Navneet
2005-01-31 16:37 ` Jason Opperisano
2005-01-31 20:52 ` Michelle Konzack
0 siblings, 2 replies; 7+ messages in thread
From: Navneet @ 2005-01-31 15:24 UTC (permalink / raw)
To: Mohammad Khan, netfilter; +Cc: Askar
Many, many thanks to all of you for devoting your valuable time to reading &
replying to my mail (query).
Quick recaps and updates:
1. I am still using RedHat Linux 9
#uname -a
Linux agni.leo.com 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386
GNU/Linux
2. Having: RTL8139 on board + RTL 8029 plugged in (external label is SMC?).
#lspci -v
3:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8029(AS)
Subsystem: Standard Microsystems Corp [SMC] EZ-Card (SMC1208)
Flags: medium devsel, IRQ 5
I/O ports at cc00 [size=32]
Expansion ROM at ffffc000 [disabled] [size=16K]
03:0a.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
RTL-8139/8139C/8139C+ (rev 10)
Subsystem: Unknown device 1849:8139
Flags: bus master, medium devsel, latency 32, IRQ 3
I/O ports at c800 [size=256]
Memory at dfdfff00 (32-bit, non-prefetchable) [size=256]
Capabilities: [50] Power Management version 2
NOTE: should I use a different NIC that uses different modules?
3. iptables v1.2.7a
4. Now I am port redirecting, i.e. http/80 >> squid-cache/3128
Adding my current iptables rules.
5. Users can browse the Internet, but can't access FTP sites?
Please refer below for ftp error logs/X'fer log
6. What I am trying to do:
a.> This Linux system should act as gateway (router) between my LAN &
WAN. [Working]
b.> Act as proxy server through Squid & URL filtering by using SquidGuard.
[Working]
c.> Act as firewall
Allowed traffic: http/https, POP3/SMTP, FTP & SonicMQ.
Please help in configuring this system.
> just change eth0 to eth1
> nicer way,
> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 172.21.0.133
Well, thanks. I've used the same natting rule (source natting) in my firewall.
But my external NIC is eth1 NOT eth1. Any particular reason for using eth0
as external?
Below are my working iptables rules. But I can't successfully establish
connections to external FTP sites/servers.
I even loaded ip_conntrack_ftp
[root@leo root]# insmod ip_conntrack_ftp
Using /lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
[root@leo root]# lsmod
Module                  Size  Used by    Not tainted
ip_conntrack_ftp        5296   0  (unused)
autofs                 13268   0  (autoclean) (unused)
iptable_filter          2412   0  (autoclean) (unused)
ne2k-pci                7232   1
8390                    8508   0  [ne2k-pci]
8139too                18088   1
mii                     3976   0  [8139too]
ipt_REDIRECT            1368   1  (autoclean)
iptable_nat            21720   1  (autoclean) [ipt_REDIRECT]
ip_conntrack           26976   2  (autoclean) [ip_conntrack_ftp ipt_REDIRECT iptable_nat]
iptable_mangle          2776   0  (autoclean) (unused)
ip_tables              15096   6  [iptable_filter ipt_REDIRECT iptable_nat iptable_mangle]
microcode               4668   0  (autoclean)
keybdev                 2944   0  (unused)
mousedev                5492   0  (unused)
hid                    22148   0  (unused)
input                   5856   0  [keybdev mousedev hid]
usb-uhci               26348   0  (unused)
ehci-hcd               19976   0  (unused)
usbcore                78784   1  [hid usb-uhci ehci-hcd]
ext3                   70784   1
jbd                    51892   1  [ext3]
Please refer to the log below for details:
##########FTP LOG STARTS##################
SYST
Not connected
Host type (I): Automatic detect
WINSOCK.DLL: WinSock 2.0
WS_FTP32 4.04, Copyright © 1992-1996 Ipswitch, Inc. All rights reserved.
- -
connecting to X.X.X.X...
Connected to X.X.X.X port 21
220 ProFTPD 1.2.4 Server (ftpserver) [X.X.X.X]
USER crpovsat
331 Password required for data
PASS xxxxxx
230 User crpovsat logged in.
Host type (I): UNIX (standard)
PWD
257 "/leo/ftp" is current directory.
PORT 192,168,0,234,11,12
500 Illegal PORT command.
DoDirList returned 0
#############IPTABLES RULES STARTS HERE#####################################
# Generated by iptables-save v1.2.7a on Mon Jan 31 18:08:44 2005
*filter
:INPUT ACCEPT [3142:390380]
:FORWARD ACCEPT [129:8201]
:OUTPUT ACCEPT [2368:283021]
COMMIT
# Completed on Mon Jan 31 18:08:44 2005
# Generated by iptables-save v1.2.7a on Mon Jan 31 18:08:44 2005
*nat
:PREROUTING ACCEPT [42124:6973903]
:POSTROUTING ACCEPT [3981:238915]
:OUTPUT ACCEPT [3981:238915]
-A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -o eth1 -j SNAT --to-source 172.21.0.132
COMMIT
# Completed on Mon Jan 31 18:08:44 2005
# Generated by iptables-save v1.2.7a on Mon Jan 31 18:08:44 2005
*mangle
:PREROUTING ACCEPT [91110:21827250]
:INPUT ACCEPT [85740:19815355]
:FORWARD ACCEPT [5288:2008168]
:OUTPUT ACCEPT [66867:17702084]
:POSTROUTING ACCEPT [72155:19710252]
COMMIT
# Completed on Mon Jan 31 18:08:44 2005
>It was very nice to see a Bangladeshi guy in netfilter list :p
>Let me know, if it works.
>
>
>Mohammad Khan
>(beeplove)
* Re: Linux as router (Gateway Server) [Revisited]
2005-01-31 15:24 ` Linux as router (Gateway Server) [Revisited] Navneet
@ 2005-01-31 16:37 ` Jason Opperisano
2005-02-01 13:09 ` Navneet Choudhary
2005-01-31 20:52 ` Michelle Konzack
1 sibling, 1 reply; 7+ messages in thread
From: Jason Opperisano @ 2005-01-31 16:37 UTC (permalink / raw)
To: netfilter
On Mon, Jan 31, 2005 at 08:54:10PM +0530, Navneet wrote:
> Below are my working iptables rules. But I can't successfully establish
> connections to external FTP sites/servers.
>
> I even loaded ip_conntrack_ftp
but you didn't load ip_nat_ftp.
-j
--
"Here are your messages: 'You have thirty minutes to move your
car.' 'You have ten minutes to move your car.' 'Your car has been
impounded.' 'Your car has been crushed into a cube.' 'You have thirty
minutes to move your cube.'"
--The Simpsons
* Re: Linux as router (Gateway Server) [Revisited]
2005-01-31 15:24 ` Linux as router (Gateway Server) [Revisited] Navneet
2005-01-31 16:37 ` Jason Opperisano
@ 2005-01-31 20:52 ` Michelle Konzack
1 sibling, 0 replies; 7+ messages in thread
From: Michelle Konzack @ 2005-01-31 20:52 UTC (permalink / raw)
To: netfilter
On 2005-01-31 20:54:10, Navneet wrote:
> Many, many thanks to all of you for devoting your valuable time to reading &
> replying to my mail (query).
>
> Quick recaps and updates:
>
> 1. I am still using RedHat Linux 9
A little bit too fat...
I use Debian GNU/Linux 3.0 with 2.4.27 on a K5-133
with 64 MB of memory and a 210 MB HDD.
> #uname -a
>
> Linux agni.leo.com 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386
> GNU/Linux
You should upgrade your kernel to 2.4.27 or higher.
> 2. Having: RTL8139 on board + RTL 8029 plugged in (external label is SMC?).
>
> #lspci -v
>
> 3:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8029(AS)
> Subsystem: Standard Microsystems Corp [SMC] EZ-Card (SMC1208)
> Flags: medium devsel, IRQ 5
> I/O ports at cc00 [size=32]
> Expansion ROM at ffffc000 [disabled] [size=16K]
>
> 03:0a.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
> RTL-8139/8139C/8139C+ (rev 10)
> Subsystem: Unknown device 1849:8139
> Flags: bus master, medium devsel, latency 32, IRQ 3
> I/O ports at c800 [size=256]
> Memory at dfdfff00 (32-bit, non-prefetchable) [size=256]
> Capabilities: [50] Power Management version 2
>
> NOTE: should I use a different NIC that uses different modules?
You can get better ones like the 3Com 3c509B and the 3c905{B,C}
on <http://www.ebay.com/> but better prices you can get on
<http://www.ebay.de/>.
> 3. iptables v1.2.7a
Upgrading?
> 4. Now I am port redirecting, i.e. http/80 >> squid-cache/3128
>
> Adding my current iptables rules.
??? I have a transparent proxy, but do nothing with IP tables.
> 5. Users can browse the Internet, but can't access FTP sites?
Are you sure you want this?
> Please refer below for ftp error logs/X'fer log
>
> 6. What I am trying to do:
>
> a.> This Linux system should act as gateway (router) between my LAN &
> WAN. [Working]
>
> b.> Act as proxy server through Squid & URL filtering by using SquidGuard.
> [Working]
>
> c.> Act as firewall
>
> Allowed traffic http/https,POP3/SMTP,FTP & SonicMQ.
>
>
>
> Please help in configuring this system
What about:
man iptables
netfilter-HOWTO
NET3-HOWTO
firewall-HOWTO
man squid
> But my external NIC is eth1 NOT eth1. Any particular reason for using eth0
                         ^^^^     ^^^^
??? What ???
> as external?
> WINSOCK.DLL: WinSock 2.0
> WS_FTP32 4.04, Copyright © 1992-1996 Ipswitch, Inc. All rights reserved.
> PORT 192,168,0,234,11,12
          ^   ^ ^   ^^^^^^
Why are you using commas?
And why two ports?
It should be
PORT 192.168.0.234:21
> 500 Illegal PORT command.
> DoDirList returned 0
Do you log in with a script?
Greetings
Michelle
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Michelle Konzack Apt. 917 ICQ #328449886
50, rue de Soultz MSM LinuxMichi
0033/3/88452356 67100 Strasbourg/France IRC #Debian (irc.icq.com)
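The "500 Illegal PORT command." in the WS_FTP log and Jason's fix (load ip_nat_ftp) both come down to active-mode FTP carrying the client's address inside the control channel. The block below is an added illustration, not code from the thread: it parses the PORT syntax RFC 959 actually defines (six comma-separated decimal bytes, port = p1*256 + p2), shows why a server that compares the advertised address with the control connection's source rejects the LAN client's command once it has crossed SNAT unchanged, and what the ip_nat_ftp helper rewrites it to. The SNAT address is the thread's 172.21.0.133; the server-side check and the mapped port are constructed assumptions.

```python
"""Active-mode FTP behind SNAT: why the PORT command fails without the
NAT helper.  Added illustration; addresses are from the thread, the
server check and mapped port are constructed."""
import re

# Constructed from the thread's topology: the LAN client that issued
# PORT, and the address the POSTROUTING SNAT rule writes on eth1.
LAN_CLIENT = "192.168.0.234"
SNAT_ADDR = "172.21.0.133"

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")


def parse_port(cmd):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port).

    The six comma-separated decimal bytes are the protocol's own
    syntax: four for the IPv4 address, two for the 16-bit data port
    (p1*256 + p2).  Returns None for anything malformed, including
    the dotted 'ip:port' form, which is not valid FTP."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def build_port(ip, port):
    """Inverse of parse_port: render (ip, port) as a PORT command."""
    h = ip.split(".")
    return f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256}"


def server_view(cmd, control_src_ip):
    """Constructed model of the check an FTP server applies: the address
    advertised in PORT must match the source of the control connection
    and the port must be unprivileged, otherwise it refuses to open a
    data connection and answers '500 Illegal PORT command.'."""
    parsed = parse_port(cmd)
    if parsed is None:
        return "501 Syntax error in parameters or arguments."
    ip, port = parsed
    if ip != control_src_ip or port < 1024:
        return "500 Illegal PORT command."
    return "200 PORT command successful."


def nat_helper_rewrite(cmd, snat_ip, mapped_port):
    """What ip_nat_ftp adds on top of ip_conntrack_ftp: conntrack only
    reads the PORT payload so the server's incoming data connection is
    tracked as RELATED; the NAT helper also rewrites the payload to the
    SNAT address and a port it reserved, so the server sees an address
    it can actually reach.  mapped_port is a constructed value."""
    parsed = parse_port(cmd)
    if parsed is None:
        return cmd
    return build_port(snat_ip, mapped_port)


def demo():
    """The exchange from the thread's log, without and with ip_nat_ftp."""
    client_cmd = "PORT 192,168,0,234,11,12"
    # Without ip_nat_ftp the private address leaks through SNAT unchanged.
    without = server_view(client_cmd, SNAT_ADDR)
    # With ip_nat_ftp the helper substitutes the SNAT address (same port here).
    rewritten = nat_helper_rewrite(client_cmd, SNAT_ADDR, 11 * 256 + 12)
    with_helper = server_view(rewritten, SNAT_ADDR)
    return client_cmd, without, rewritten, with_helper


if __name__ == "__main__":
    for line in demo():
        print(line)
```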
* Re: Linux as router (Gateway Server) [Revisited]
2005-01-31 16:37 ` Jason Opperisano
@ 2005-02-01 13:09 ` Navneet Choudhary
0 siblings, 0 replies; 7+ messages in thread
From: Navneet Choudhary @ 2005-02-01 13:09 UTC (permalink / raw)
To: Jason Opperisano, netfilter
On Mon, 31 Jan 2005 11:37:55 -0500, Jason Opperisano <opie@817west.com> wrote:
> On Mon, Jan 31, 2005 at 08:54:10PM +0530, Navneet wrote:
> > Below are my working iptables rules. But I can't successfully establish
> > connections to external FTP sites/servers.
> >
> > I even loaded ip_conntrack_ftp
>
> but you didn't load ip_nat_ftp.
Thanks, it solved my FTP problem.
* Re: Linux as router (Gateway Server)
2005-02-12 7:48 ` Fwd: Linux as router (Gateway Server) Navneet Choudhary
@ 2005-02-12 8:15 ` Askar
2005-02-13 16:06 ` Navneet Choudhary
0 siblings, 1 reply; 7+ messages in thread
From: Askar @ 2005-02-12 8:15 UTC (permalink / raw)
To: Navneet Choudhary; +Cc: netfilter@lists.netfilter.org
Dude, add this rule to your iptables script:
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
Second, "squid squid[3720]: Squid Parent: child process 3722
exited due to signal 6" is not iptables related; a better place to check
is the squid mailing list.
Are you running squid in interception mode?
Remember, when squid is running in interception mode, packets destined for the
squid machine do not hit the FORWARD chain but INPUT. :)
Note: which version of squid are you using, and what does cache.log say?
Solution: try to upgrade your squid to a newer version.
I hope this will help.
regards
On Sat, 12 Feb 2005 13:18:25 +0530, Navneet Choudhary
<navneetkc@gmail.com> wrote:
> hi list,
>
> I require further co-operation from your side.
>
> Squid Server is serving as Proxy server, Gateway & Firewall
>
> Problem:
> Squid daemon dies at startup.
>
> Here is log output of /var/log/messages
>
> Feb 12 09:15:25 squid squid[3652]: Squid Parent: child process 3654 started
> Feb 12 09:15:25 squid (squid): Cannot open HTTP Port
> Feb 12 09:15:29 squid squid[3720]: Squid Parent: child process 3722
> exited due to signal 6
> Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 started
> Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385
> exited with status 1
> Feb 12 09:15:33 squid (squid): Cannot open HTTP Port
>
> Why is my iptables rule blocking squid from opening the HTTP port?
>
> Note: existing rule being attached at the end of mail
>
> Since the process will not die if I disable/flush my rules?
>
> Squid being started from /etc/rc.local
>
> Where am I making mistakes?
>
> Please suggest, since it's causing a startup hiccup.
>
> Thanks & regards,
>
> Navneet Choudhary
>
> Updates & quick recap
>
> 1.> Basically I want clients to be able to:
>
> a). Send and receive mail from mail.ISP.net [X.X.X.160] and
> sometimes from X.X.X.78
> Status: Working
> b). Browse the net through squid [3128]
> Status: Working
>
> c). Use Jabber [??], MSN [1863] and Yahoo [5050]
> Status: Working
>
> d) Download and upload data using FTP from 202.134.192.21 & 221.171.85.41
>
> Status: Working
> e) Download and upload data using SONICMQ [IP & Port?]
>
> Status: Require HELP
> e) Allow SSH connection to this system [eth0].
> Status: Working
> f) We can ping/traceroute by domain name, i.e. ping yahoo.com
> Status: Working
>
> 2. What I am using?
>
> My network configuration is as follows: -
>
> WAN
> |
> eth1
> (172.21.0.133/28)
> |
> |
> Red Hat 9
> [Squid Proxy, Gateway ,firewall & FTP]
> |
> |
> |
> (133.147.0.0/16)
> eth0
> |
> ---- SWITCH----------
> |
> |
> |
> LAN
>
> where:-
> eth0-Intel Corp. 82557/8/9 [Ethernet Pro 100]
> eth1-Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet
>
> Kernel 2.4.20-8
>
> iptables v1.2.7a
>
> 3. What I have done:-
>
> a) Enabled IP forwarding by adding
> vi /etc/sysctl.conf
>
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
>
> b) Automatic loading of modules by adding
> vi /etc/rc.local
>
> /sbin/insmod ip_nat_ftp
> /sbin/insmod ip_conntrack_ftp
>
> b) Firewall rules as follows:-
> # Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
> *mangle
> :PREROUTING ACCEPT [1308:428675]
> :INPUT ACCEPT [1308:428675]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1273:553710]
> :POSTROUTING ACCEPT [1273:553710]
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Thu Feb 10 20:02:43 2005
> # Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
> *nat
> :PREROUTING ACCEPT [10233:846887]
> :POSTROUTING ACCEPT [71:4821]
> :OUTPUT ACCEPT [67:4688]
> -A POSTROUTING -s 133.147.0.0/255.255.0.0 -o eth1 -j SNAT --to-source 172.21.0.132
> COMMIT
> # Completed on Thu Feb 10 20:02:43 2005
> # Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -s 127.0.0.1 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p udp -j DROP
> -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
> -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 1863 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 5050 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
> -A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 443 --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> COMMIT
> # Completed on Thu Feb 10 20:02:43 2005
>
>
--
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams
* Re: Linux as router (Gateway Server)
2005-02-12 8:15 ` Askar
@ 2005-02-13 16:06 ` Navneet Choudhary
0 siblings, 0 replies; 7+ messages in thread
From: Navneet Choudhary @ 2005-02-13 16:06 UTC (permalink / raw)
To: Askar; +Cc: netfilter@lists.netfilter.org
> Dude, add this rule to your iptables script:
> iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
Tried this, problem still exists.
> Second, "squid squid[3720]: Squid Parent: child process 3722
> exited due to signal 6" is not iptables related; a better place to check
> is the squid mailing list.
Didn't I mention in my original mail
"Since the process will NOT die if I disable/flush my rules?"
> Are you running squid in interception mode?
So, what?
> Remember, when squid is running in interception mode, packets destined for the
> squid machine do not hit the FORWARD chain but INPUT. :)
Then allowing INPUT to port 80 should have worked?
Since I've already allowed local loopback in my rules.
> Note: which version of squid are you using, and what does cache.log say?
> Solution: try to upgrade your squid to a newer version.
squid-2.5.STABLE7, the latest one at the time of installation.
Upgrade? Any particular strong reason for that?