Linux as router (Gateway Server)

Linux as router (Gateway Server)

[Navneet]

Dear all,

 I have a question,

"I only have a single network connection, but I would like all my computers
to have Internet access.
How is this possible?'

1.What i have?

My network configuration is as follows:-

          eth1
  (172.21.0.133/28)
               |
             |
    AGNI {RedHat 9[Squid Proxy,Gateway ,firewall & FTP] }
             |
             |
             |
     (192.168.0.0/16)
           eth0
              |
---- SWITCH----------
              |
              |
              |
          LAN


where:-
eth0-Intel Corp. 82557/8/9 [Ethernet Pro 100]
eth1-Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet

2.What i have done:-

a)Enabled IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward
& added above line in /etc/rc.d/rc.local

b)Firewall rules as follows:-

# vi testWall

1 *filter
 2 :INPUT DROP [0:0]
 3 :FORWARD DROP [0:0]
 4 :OUTPUT DROP [0:0]
 5
 6 # allow local loopback connections
 7 -A INPUT -i lo -j ACCEPT
 #allow echo-requests (pinging)
 8 -A INPUT -s 192.168.0.0/16 -d 0/0  -p icmp --icmp-type echo-request -j
ACCEPT
 9 # drop INVALID connections
10 -A INPUT   -m state --state INVALID -j DROP
11 -A OUTPUT  -m state --state INVALID -j DROP
12 -A FORWARD -m state --state INVALID -j DROP
13
14 # allow all established and related
15 -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
16 -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
17 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
18
19 # allow connections to my ISP's DNS servers
20 -A OUTPUT  -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -o eth0 -j
ACCEPT
21 -A OUTPUT  -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -o eth0 -j
ACCEPT
22 -A FORWARD -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -i eth0 -o
eth0 -j ACCEPT
23 -A FORWARD -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -i eth0 -o
eth0 -j ACCEPT
24
25 # allow outgoing connections to web servers
26 -A OUTPUT  -d 0/0 -m state --state NEW -p tcp -m multiport --dport
http,https -o eth0 -j ACCEPT
27 -A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport
http,https -o eth0 \
 -i eth0 -j ACCEPT
28
29 # allow outgoing mail connections to my ISP's SMTP and POP3 server only
30 -A OUTPUT  -d mail.my-isp.com -m state --state NEW -p tcp -m
multiport --dport smtp,pop3 \
 -o eth0 -j ACCEPT
31 -A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m
multiport --dport smtp,pop3 \
 -o eth0 -j ACCEPT
32
33 # log all other attempted out going connections
34 -A OUTPUT -o eth0 -j LOG
35 -A FORWARD -j LOG
36 # default is to DROP out-going connections
37
38 COMMIT
39
40 *nat
41
42 # set up IP forwarding and nat
43 -A POSTROUTING -o eth0 -j SNAT --to 172.21.0.133
44
45 COMMIT

PS: Copied from http://linuxgazette.net/103/odonovan.html

#iptables-restore </root/testWall

#iptables-save

3.What i got:-

a)users can able to browse internet via squid proxy (192.168.0.1:3128)
i.e http/https

b)But can't able to access mails (POP3/SMTP)  from our ISP mailserver.

can't able to go beyond my RedHat (AGNI) server, while i do traceroute of my
ISP's mailserver.

What i am doing wrong? please suggest



Thanks & regards,

Navneet Choudhary

Re: Linux as router (Gateway Server) [Revisited]

[Navneet]

Many many thanks to all of you for devoting you valuable by reading &
replying to my mail(query).



Quick recaps and updates:



1.i am still using RedHat Linux 9

#uname -a

Linux agni.leo.com 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386
GNU/Linux



2.Having: RTL8139 on board +  RTL 8029 plugged in(external label is of SMC
?).

#lspci -v

3:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8029(AS)

        Subsystem: Standard Microsystems Corp [SMC] EZ-Card (SMC1208)

        Flags: medium devsel, IRQ 5

        I/O ports at cc00 [size=32]

        Expansion ROM at ffffc000 [disabled] [size=16K]



03:0a.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
RTL-8139/8139C/8139C+ (rev 10)

        Subsystem: Unknown device 1849:8139

        Flags: bus master, medium devsel, latency 32, IRQ 3

        I/O ports at c800 [size=256]

        Memory at dfdfff00 (32-bit, non-prefetchable) [size=256]

        Capabilities: [50] Power Management version 2



NOTE: should I use different NIC , that use different modules ?



3. iptables  v1.2.7a



4.Now I am port redirecting i.e http/80 >>squid-cache/3128

adding my current iptables rules



5.users can browse Internet, but can't able to access FTP sites?



Please refer below for ftp error logs/X'fer log



6.What I am trying to :

a.>  This Linux system should act as gateway 9router) between my LAN &
WAN.[Working]

b.>  Act as proxy server trough Squid & url filtering by using SquidGuard.
[Working]

c.>  Act as firewall

Allowed traffic http/https,POP3/SMTP,FTP & SonicMQ.



Please help in configuring this system





> just change eth0 to eth1

>nicer way,
>-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j SNAT --to-source
>172.21.0.133



Well thanks. I've used same natting rule (source natting) in my firewall.



But my external NIC is eth1 NOT eth1 .Any particular reason for using eth0
as external?



Below is my working tables rules.But i can't able to successfully establish
external ftp sites/servers.

i even loaded ip_conntrack_ftp



[root@leo root]# insmod ip_conntrack_ftp
Using /lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
[root@ leo root]# lsmod
Module                  Size  Used by    Not tainted
ip_conntrack_ftp        5296   0  (unused)
autofs                 13268   0  (autoclean) (unused)
iptable_filter          2412   0  (autoclean) (unused)
ne2k-pci                7232   1
8390                    8508   0  [ne2k-pci]
8139too                18088   1
mii                     3976   0  [8139too]
ipt_REDIRECT            1368   1  (autoclean)
iptable_nat            21720   1  (autoclean) [ipt_REDIRECT]
ip_conntrack           26976   2  (autoclean) [ip_conntrack_ftp ipt_REDIRECT
ipt
able_nat]
iptable_mangle          2776   0  (autoclean) (unused)
ip_tables              15096   6  [iptable_filter ipt_REDIRECT iptable_nat
iptab
le_mangle]
microcode               4668   0  (autoclean)
keybdev                 2944   0  (unused)
mousedev                5492   0  (unused)
hid                    22148   0  (unused)
input                   5856   0  [keybdev mousedev hid]
usb-uhci               26348   0  (unused)
ehci-hcd               19976   0  (unused)
usbcore                78784   1  [hid usb-uhci ehci-hcd]
ext3                   70784   1
jbd                    51892   1  [ext3]

Please refer belows log file for details:



##########FTP LOG STARTS##################

SYST
Not connected
Host type (I): Automatic detect
WINSOCK.DLL: WinSock 2.0
WS_FTP32 4.04, Copyright © 1992-1996 Ipswitch, Inc. All rights reserved.
- -
connecting to X.X.X.X...
Connected to X.X.X.X port 21
220 ProFTPD 1.2.4 Server (ftpserver) [X.X.X.X]
USER crpovsat
331 Password required for data
PASS xxxxxx
230 User crpovsat logged in.
Host type (I): UNIX (standard)
PWD
257 "/leo/ftp" is current directory.
PORT 192,168,0,234,11,12
500 Illegal PORT command.
DoDirList returned 0

#############IPTABLES RULES STARTS HERE#####################################

# Generated by iptables-save v1.2.7a on Mon Jan 31 18:08:44 2005
*filter
:INPUT ACCEPT [3142:390380]
:FORWARD ACCEPT [129:8201]
:OUTPUT ACCEPT [2368:283021]
COMMIT
# Completed on Mon Jan 31 18:08:44 2005
# Generated by iptables-save v1.2.7a on Mon Jan 31 18:08:44 2005
*nat
:PREROUTING ACCEPT [42124:6973903]
:POSTROUTING ACCEPT [3981:238915]
:OUTPUT ACCEPT [3981:238915]
-A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth0 -p tcp -m tcp --dport 80 -j
REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -o eth1 -j SNAT --to-source
172.21.0.132
COMMIT
# Completed on Mon Jan 31 18:08:44 2005
# Generated by iptables-save v1.2.7a on Mon Jan 31 18:08:44 2005
*mangle
:PREROUTING ACCEPT [91110:21827250]
:INPUT ACCEPT [85740:19815355]
:FORWARD ACCEPT [5288:2008168]
:OUTPUT ACCEPT [66867:17702084]
:POSTROUTING ACCEPT [72155:19710252]
COMMIT
# Completed on Mon Jan 31 18:08:44 2005


>It was very nice to see a Bangladeshi guy in netfilter list :p

>Let me know, if it works.
>
>
>Mohammad Khan
>(beeplove)

Re: Linux as router (Gateway Server) [Revisited]

[Jason Opperisano]

On Mon, Jan 31, 2005 at 08:54:10PM +0530, Navneet wrote:
> Below is my working tables rules.But i can't able to successfully establish
> external ftp sites/servers.
> 
> i even loaded ip_conntrack_ftp

but you didn't load ip_nat_ftp.

-j

--
"Here are your messages: 'You have thirty minutes to move your
 car.' 'You have ten minutes to move your car.' 'Your car has been
 impounded.' 'Your car has been crushed into a cube.' 'You have thirty
 minutes to move your cube.'"
        --The Simpsons

Re: Linux as router (Gateway Server) [Revisited]

[Navneet Choudhary]

On Mon, 31 Jan 2005 11:37:55 -0500, Jason Opperisano <opie@817west.com> wrote:
> On Mon, Jan 31, 2005 at 08:54:10PM +0530, Navneet wrote:
> > Below is my working tables rules.But i can't able to successfully establish
> > external ftp sites/servers.
> >
> > i even loaded ip_conntrack_ftp
> 
> but you didn't load ip_nat_ftp.

thanks it solved my FTP problem.


> -j
> 
> --
> "Here are your messages: 'You have thirty minutes to move your
>  car.' 'You have ten minutes to move your car.' 'Your car has been
>  impounded.' 'Your car has been crushed into a cube.' 'You have thirty
>  minutes to move your cube.'"
>         --The Simpsons
> 
> 


-- 
  | / /_____ ___   ____________________  /_
__   |/ /_  __ `/_ | / /_  __ \  _ \  _ \  __/
_  /|  / / /_/ /__ |/ /_  / / /  __/  __/ /_  
/_/ |_/  \__,_/ _____/ /_/ /_/\___/\___/\__/

Re: Linux as router (Gateway Server) [Revisited]

[Michelle Konzack]

[-- Attachment #1: Type: text/plain, Size: 3162 bytes --]

Am 2005-01-31 20:54:10, schrieb Navneet:
> Many many thanks to all of you for devoting you valuable by reading &
> replying to my mail(query).
> 
> Quick recaps and updates:
> 
> 1.i am still using RedHat Linux 9

A little bit to fat...
I use Debian GNU/Linux 3.0 with 2.4.27 on a K5-133
with 64 MB of memory and a 210 MB HDD.

> #uname -a
> 
> Linux agni.leo.com 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386
> GNU/Linux

You should upgrade your kernel to 2.4.27 or higher.

> 2.Having: RTL8139 on board +  RTL 8029 plugged in(external label is of SMC
> ?).
> 
> #lspci -v
> 
> 3:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8029(AS)
>         Subsystem: Standard Microsystems Corp [SMC] EZ-Card (SMC1208)
>         Flags: medium devsel, IRQ 5
>         I/O ports at cc00 [size=32]
>         Expansion ROM at ffffc000 [disabled] [size=16K]
> 
> 03:0a.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
> RTL-8139/8139C/8139C+ (rev 10)
>         Subsystem: Unknown device 1849:8139
>         Flags: bus master, medium devsel, latency 32, IRQ 3
>         I/O ports at c800 [size=256]
>         Memory at dfdfff00 (32-bit, non-prefetchable) [size=256]
>         Capabilities: [50] Power Management version 2
> 
> NOTE: should I use different NIC , that use different modules ?

You can get better ones like the 3Com 3c509B and the 3c905{B,C}
on <http://www.ebay.com/> but better prices you can get on
<http://www.ebay.de/>.

> 3. iptables  v1.2.7a

Upgrading ?

> 4.Now I am port redirecting i.e http/80 >>squid-cache/3128
> 
> adding my current iptables rules

??? I have a transparent proxy, but do nothing with IP tables.

> 5.users can browse Internet, but can't able to access FTP sites?

Are you sure, you want this ?

> Please refer below for ftp error logs/X'fer log
> 
> 6.What I am trying to :
> 
> a.>  This Linux system should act as gateway 9router) between my LAN &
> WAN.[Working]
> 
> b.>  Act as proxy server trough Squid & url filtering by using SquidGuard.
> [Working]
> 
> c.>  Act as firewall
> 
> Allowed traffic http/https,POP3/SMTP,FTP & SonicMQ.
> 
> 
> 
> Please help in configuring this system

What about:
        man iptables
        netfilter-HOWTO
        NET3-HOWTO
        firewall-HOWTO

        man squid

> But my external NIC is eth1 NOT eth1 .Any particular reason for using eth0
                         ^^^^     ^^^^
                          ??? What ???
> as external?

> WINSOCK.DLL: WinSock 2.0
> WS_FTP32 4.04, Copyright © 1992-1996 Ipswitch, Inc. All rights reserved.

> PORT 192,168,0,234,11,12
          ^   ^ ^   ^^^^^^
Why are you using commas ?
And why two ports ?

It should be

PORT 192.168.0.234:21

> 500 Illegal PORT command.
> DoDirList returned 0

Do you Log-In with a script ?

Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSM LinuxMichi
0033/3/88452356    67100 Strasbourg/France   IRC #Debian (irc.icq.com)

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Fwd: Linux as router (Gateway Server)

[Navneet Choudhary]

hi list,

i require further co-operation from yours side.

Squid Server is serving as Proxy server, Gateway & Firewall

Problem:
Squid daemon dies at startup.

Here is log output of  /var/log/messages

Feb 12 09:15:25 squid squid[3652]: Squid Parent: child process 3654 started
Feb 12 09:15:25 squid (squid): Cannot open HTTP Port
Feb 12 09:15:29 squid squid[3720]: Squid Parent: child process 3722
exited due to signal 6
Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 started
Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385
exited with status 1
Feb 12 09:15:33 squid (squid): Cannot open HTTP Port

Why my iptables rule blocking squid to open HTTP port.

Note: existing rule being attached at the end of mail

Since, process will not die if I disable/flush my rules?

Squid being started from /etc/rc.local

Where i am doing mistakes?

Please suggest since its causing startup hiccup

Thanks & regards,

Navneet Choudhary

Updates & quick recap

1.> Basically I want clients to be able to :

 a). Send and receives mails from mail.ISP.net [X.X.X.160] and
sometimes from X.X.X.78
Status: Working
b). Browse the net through squid [3128]
Status: Working

c). Use Jabber [??], MSN [1863] and Yahoo [5050]
Status: Working

d) Down and upload data using ftp from 202.134.192.21 & 221.171.85.41

Status: Working
e) Down and upload data using SONICMQ [IP & Port?]

Status: Require HELP
e) Allow SSH connection to this system [eth0].
Status: Working
f) We can ping/trace route by domain name i.e. ping yahoo.com
Status:  Working

2.What i am using?

My network configuration is as follows: -

          WAN
             |
          eth1
  (172.21.0.133/28)
             |
             |
      Red Hat 9
[Squid Proxy, Gateway ,firewall & FTP]
             |
             |
             |
    (133.147.0.0/16)
           eth0
              |
---- SWITCH----------
              |
              |
              |
          LAN

where:-
eth0-Intel Corp. 82557/8/9 [Ethernet Pro 100]
eth1-Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet

Kernel 2.4.20-8

iptables  v1.2.7a

3.What I have done:-

a)Enabled IP forwarding by adding
vi  /etc/sysctl.conf

 # Controls IP packet forwarding
net.ipv4.ip_forward = 1

b)Automatic loading of modules by adding
vi  /etc/rc.local

/sbin/insmod ip_nat_ftp
/sbin/insmod ip_conntrack_ftp

b)Firewall rules as follows:-
# Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
*mangle
:PREROUTING ACCEPT [1308:428675]
:INPUT ACCEPT [1308:428675]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1273:553710]
:POSTROUTING ACCEPT [1273:553710]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Thu Feb 10 20:02:43 2005
# Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
*nat
:PREROUTING ACCEPT [10233:846887]
:POSTROUTING ACCEPT [71:4821]
:OUTPUT ACCEPT [67:4688]
-A POSTROUTING -s 133.147.0.0/255.255.0.0 -o eth1 -j SNAT --to-source
172.21.0.132
COMMIT
# Completed on Thu Feb 10 20:02:43 2005
# Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128
--tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22
--tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21
--tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 20
--tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 25
--tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport
110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport
1863 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport
5050 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80
--tcp-flags SYN,RST,ACK SYN  -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 443
--tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Thu Feb 10 20:02:43 2005

Re: Linux as router (Gateway Server)

[Askar]

dude add this rule to yur iptables script 
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT


second "squid squid[3720]: Squid Parent: child process 3722
exited due to signal 6" is not iptables related, better place to check
is squid mailing list.
You are running squid in interception mode?
remember when squid is running in interception packets destined fro
squid machine not hit FORWARD chain but INPUT. :)

Note: which version of squid you are using, what cache.log say?
solution try to upgrade your squid with never version.

I hope this will help

regards

On Sat, 12 Feb 2005 13:18:25 +0530, Navneet Choudhary
<navneetkc@gmail.com> wrote:
> hi list,
> 
> i require further co-operation from yours side.
> 
> Squid Server is serving as Proxy server, Gateway & Firewall
> 
> Problem:
> Squid daemon dies at startup.
> 
> Here is log output of  /var/log/messages
> 
> Feb 12 09:15:25 squid squid[3652]: Squid Parent: child process 3654 started
> Feb 12 09:15:25 squid (squid): Cannot open HTTP Port
> Feb 12 09:15:29 squid squid[3720]: Squid Parent: child process 3722
> exited due to signal 6
> Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 started
> Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385
> exited with status 1
> Feb 12 09:15:33 squid (squid): Cannot open HTTP Port
> 
> Why my iptables rule blocking squid to open HTTP port.
> 
> Note: existing rule being attached at the end of mail
> 
> Since, process will not die if I disable/flush my rules?
> 
> Squid being started from /etc/rc.local
> 
> Where i am doing mistakes?
> 
> Please suggest since its causing startup hiccup
> 
> Thanks & regards,
> 
> Navneet Choudhary
> 
> Updates & quick recap
> 
> 1.> Basically I want clients to be able to :
> 
>  a). Send and receives mails from mail.ISP.net [X.X.X.160] and
> sometimes from X.X.X.78
> Status: Working
> b). Browse the net through squid [3128]
> Status: Working
> 
> c). Use Jabber [??], MSN [1863] and Yahoo [5050]
> Status: Working
> 
> d) Down and upload data using ftp from 202.134.192.21 & 221.171.85.41
> 
> Status: Working
> e) Down and upload data using SONICMQ [IP & Port?]
> 
> Status: Require HELP
> e) Allow SSH connection to this system [eth0].
> Status: Working
> f) We can ping/trace route by domain name i.e. ping yahoo.com
> Status:  Working
> 
> 2.What i am using?
> 
> My network configuration is as follows: -
> 
>           WAN
>              |
>           eth1
>   (172.21.0.133/28)
>              |
>              |
>       Red Hat 9
> [Squid Proxy, Gateway ,firewall & FTP]
>              |
>              |
>              |
>     (133.147.0.0/16)
>            eth0
>               |
> ---- SWITCH----------
>               |
>               |
>               |
>           LAN
> 
> where:-
> eth0-Intel Corp. 82557/8/9 [Ethernet Pro 100]
> eth1-Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet
> 
> Kernel 2.4.20-8
> 
> iptables  v1.2.7a
> 
> 3.What I have done:-
> 
> a)Enabled IP forwarding by adding
> vi  /etc/sysctl.conf
> 
>  # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
> 
> b)Automatic loading of modules by adding
> vi  /etc/rc.local
> 
> /sbin/insmod ip_nat_ftp
> /sbin/insmod ip_conntrack_ftp
> 
> b)Firewall rules as follows:-
> # Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
> *mangle
> :PREROUTING ACCEPT [1308:428675]
> :INPUT ACCEPT [1308:428675]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1273:553710]
> :POSTROUTING ACCEPT [1273:553710]
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Thu Feb 10 20:02:43 2005
> # Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
> *nat
> :PREROUTING ACCEPT [10233:846887]
> :POSTROUTING ACCEPT [71:4821]
> :OUTPUT ACCEPT [67:4688]
> -A POSTROUTING -s 133.147.0.0/255.255.0.0 -o eth1 -j SNAT --to-source
> 172.21.0.132
> COMMIT
> # Completed on Thu Feb 10 20:02:43 2005
> # Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -s 127.0.0.1 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128
> --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22
> --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21
> --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 20
> --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p udp -j DROP
> -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
> -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 25
> --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport
> 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport
> 1863 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport
> 5050 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
> -A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80
> --tcp-flags SYN,RST,ACK SYN  -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 443
> --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> COMMIT
> # Completed on Thu Feb 10 20:02:43 2005
> 
> 


-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams

Re: Linux as router (Gateway Server)

[Navneet Choudhary]

> dude add this rule to yur iptables script
> iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT

tried this, problem still exists.

> second "squid squid[3720]: Squid Parent: child process 3722
> exited due to signal 6" is not iptables related, better place to check
> is squid mailing list.

Didn't i mentioned in my original mail

"Since, process will NOT die if I disable/flush my rules?"

> You are running squid in interception mode?
so , what

> remember when squid is running in interception packets destined fro
> squid machine not hit FORWARD chain but INPUT. :)

Then, allowing INPUT to port 80 should have worked?
Since, i've already allowed local loopback in my rules.
 
> Note: which version of squid you are using, what cache.log say?
> solution try to upgrade your squid with never version.

squid-2.5.STABLE7  at the time installation latest one.
upgrade? anyperticular strong reason for that?
 
> I hope this will help
> 
> regards
> 
> On Sat, 12 Feb 2005 13:18:25 +0530, Navneet Choudhary
> <navneetkc@gmail.com> wrote:
> > hi list,
> >
> > i require further co-operation from yours side.
> >
> > Squid Server is serving as Proxy server, Gateway & Firewall
> >
> > Problem:
> > Squid daemon dies at startup.
> >
> > Here is log output of  /var/log/messages
> >
> > Feb 12 09:15:25 squid squid[3652]: Squid Parent: child process 3654 started
> > Feb 12 09:15:25 squid (squid): Cannot open HTTP Port
> > Feb 12 09:15:29 squid squid[3720]: Squid Parent: child process 3722
> > exited due to signal 6
> > Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 started
> > Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385
> > exited with status 1
> > Feb 12 09:15:33 squid (squid): Cannot open HTTP Port
> >
> > Why my iptables rule blocking squid to open HTTP port.
> >
> > Note: existing rule being attached at the end of mail
> >
> > Since, process will not die if I disable/flush my rules?
> >
> > Squid being started from /etc/rc.local
> >
> > Where i am doing mistakes?
> >
> > Please suggest since its causing startup hiccup
> >
> > Thanks & regards,
> >
> > Navneet Choudhary
> >
> > Updates & quick recap
> >
> > 1.> Basically I want clients to be able to :
> >
> >  a). Send and receives mails from mail.ISP.net [X.X.X.160] and
> > sometimes from X.X.X.78
> > Status: Working
> > b). Browse the net through squid [3128]
> > Status: Working
> >
> > c). Use Jabber [??], MSN [1863] and Yahoo [5050]
> > Status: Working
> >
> > d) Down and upload data using ftp from 202.134.192.21 & 221.171.85.41
> >
> > Status: Working
> > e) Down and upload data using SONICMQ [IP & Port?]
> >
> > Status: Require HELP
> > e) Allow SSH connection to this system [eth0].
> > Status: Working
> > f) We can ping/trace route by domain name i.e. ping yahoo.com
> > Status:  Working
> >
> > 2.What i am using?
> >
> > My network configuration is as follows: -
> >
> >           WAN
> >              |
> >           eth1
> >   (172.21.0.133/28)
> >              |
> >              |
> >       Red Hat 9
> > [Squid Proxy, Gateway ,firewall & FTP]
> >              |
> >              |
> >              |
> >     (133.147.0.0/16)
> >            eth0
> >               |
> > ---- SWITCH----------
> >               |
> >               |
> >               |
> >           LAN
> >
> > where:-
> > eth0-Intel Corp. 82557/8/9 [Ethernet Pro 100]
> > eth1-Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet
> >
> > Kernel 2.4.20-8
> >
> > iptables  v1.2.7a
> >
> > 3.What I have done:-
> >
> > a)Enabled IP forwarding by adding
> > vi  /etc/sysctl.conf
> >
> >  # Controls IP packet forwarding
> > net.ipv4.ip_forward = 1
> >
> > b)Automatic loading of modules by adding
> > vi  /etc/rc.local
> >
> > /sbin/insmod ip_nat_ftp
> > /sbin/insmod ip_conntrack_ftp
> >
> > b)Firewall rules as follows:-
> > # Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
> > *mangle
> > :PREROUTING ACCEPT [1308:428675]
> > :INPUT ACCEPT [1308:428675]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [1273:553710]
> > :POSTROUTING ACCEPT [1273:553710]
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> > FIN,PSH,URG -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> > FIN,PSH,URG -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> > FIN,PSH,URG -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> > FIN,PSH,URG -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> > COMMIT
> > # Completed on Thu Feb 10 20:02:43 2005
> > # Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
> > *nat
> > :PREROUTING ACCEPT [10233:846887]
> > :POSTROUTING ACCEPT [71:4821]
> > :OUTPUT ACCEPT [67:4688]
> > -A POSTROUTING -s 133.147.0.0/255.255.0.0 -o eth1 -j SNAT --to-source
> > 172.21.0.132
> > COMMIT
> > # Completed on Thu Feb 10 20:02:43 2005
> > # Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
> > *filter
> > :INPUT DROP [0:0]
> > :FORWARD DROP [0:0]
> > :OUTPUT DROP [0:0]
> > -A INPUT -s 127.0.0.1 -j ACCEPT
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128
> > --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22
> > --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21
> > --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 20
> > --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> > -A INPUT -p udp -j DROP
> > -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
> > -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> > -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A FORWARD -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
> > -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 25
> > --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> > -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport
> > 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> > -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
> > -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
> > -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport
> > 1863 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> > -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport
> > 5050 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> > -A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
> > -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
> > -A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80
> > --tcp-flags SYN,RST,ACK SYN  -m owner --uid-owner squid -j ACCEPT
> > -A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 443
> > --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
> > -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> > COMMIT
> > # Completed on Thu Feb 10 20:02:43 2005
> >
> >
> 
> --
> I love deadlines. I like the whooshing sound they make as they fly by.
> Douglas Adams
>