* squid problem
@ 2005-02-09 10:33 varun_saa
  2005-02-09 11:35 ` Jörg Harmuth
  2005-02-09 16:35 ` Sergio Basurto Juarez
  0 siblings, 2 replies; 3+ messages in thread
From: varun_saa @ 2005-02-09 10:33 UTC (permalink / raw)
  To: netfilter

Hello,
      My iptables config file is as follows:

# Generated by iptables-save v1.2.9 on Fri Jan  7 20:56:35 2000
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jan  7 20:56:35 2000
# Generated by iptables-save v1.2.9 on Fri Jan  7 20:56:35 2000
*mangle
:PREROUTING ACCEPT [1024:195745]
:INPUT ACCEPT [1019:194076]
:FORWARD ACCEPT [2:144]
:OUTPUT ACCEPT [1000:192114]
:POSTROUTING ACCEPT [999:192086]
COMMIT
# Completed on Fri Jan  7 20:56:35 2000
# Generated by iptables-save v1.2.9 on Fri Jan  7 20:56:35 2000
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -s 62.0.0.0/255.0.0.0 -i eth0 -j REJECT
-A INPUT -p tcp -m tcp -s 217.81.0.0/255.255.0.0 -i eth0 -j REJECT
-A INPUT -i eth0 -j DROP
-A INPUT -p tcp -m tcp -i eth1 --sport 80 -j DROP
-A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT  --syn 
-A FORWARD -p tcp -i eth1 -o eth0 --dport 110 --sport 1024: -j ACCEPT  --syn 
-A FORWARD -p tcp -i eth1 -o eth0 --dport 1863 --sport 1024: -j ACCEPT  --syn 
-A FORWARD -p tcp -i eth1 -o eth0 --dport 5050 --sport 1024: -j ACCEPT  --syn 
-A OUTPUT -p udp --dport 53 --sport 1024: -j ACCEPT
-A OUTPUT -p tcp -m owner -o eth0 --dport 80 --sport 1024: --uid-owner squid -j ACCEPT  --syn 
COMMIT
# Completed on Fri Jan  7 20:56:35 2000


Mail part is working.

MSN is working.

I am able to browse without any proxy settings.
Which I do not want.

So I guess the traffic is not being redirected
properly.

I think I need to redirect all port 80 traffic to port 3128.
Though I am not sure.

Thanks for all the help so far.

Varun




* Re: squid problem
  2005-02-09 10:33 squid problem varun_saa
@ 2005-02-09 11:35 ` Jörg Harmuth
  2005-02-09 16:35 ` Sergio Basurto Juarez
  1 sibling, 0 replies; 3+ messages in thread
From: Jörg Harmuth @ 2005-02-09 11:35 UTC (permalink / raw)
  To: netfilter

Hi,

| Hello, My iptables config file is as follows :
|
| # Generated by iptables-save v1.2.9 on Fri Jan  7 20:56:35 2000
| *nat :OUTPUT ACCEPT [0:0] :PREROUTING ACCEPT [0:0] :POSTROUTING
| ACCEPT [0:0] -A POSTROUTING -o eth0 -j MASQUERADE COMMIT #
| Completed on Fri Jan  7 20:56:35 2000 # Generated by iptables-save
| v1.2.9 on Fri Jan  7 20:56:35 2000 *mangle :PREROUTING ACCEPT
| [1024:195745] :INPUT ACCEPT [1019:194076] :FORWARD ACCEPT [2:144]
| :OUTPUT ACCEPT [1000:192114] :POSTROUTING ACCEPT [999:192086]
| COMMIT # Completed on Fri Jan  7 20:56:35 2000 # Generated by
| iptables-save v1.2.9 on Fri Jan  7 20:56:35 2000 *filter :FORWARD
| ACCEPT [0:0] :INPUT DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -j
| ACCEPT

This rule terminates chain traversal! This means that every packet
is allowed, and with this rule it doesn't matter what the incoming
interface is. So every packet from the internet, and from your LAN as
well, is happily accepted.

| -A INPUT -s 127.0.0.1 -j ACCEPT -A INPUT -p tcp -m tcp -i eth1
| --dport 3128 --sport 80 -j ACCEPT

Hmm, I guess that your proxy is listening on port 3128, but I don't
understand --sport 80. Maybe this represents your clients? The web
browsers? If so it will simply not work and you need a rule like this:

-A INPUT -p tcp -m tcp --dport 3128 --sport 1024: -i eth1 -m state --state NEW -j ACCEPT

or similar. This is because clients never connect to a server from
privileged ports (1-1023), but always from port numbers greater than 1023.

| -A INPUT -p udp -m udp -i eth1 --dport 3128 --sport 80 -j ACCEPT

To be seen in combination with the above rule? If so, and my guesses
above are true, you don't need this rule, at least you don't need it
for surfing. Surfing is tcp, not udp.

| -A INPUT -s 62.0.0.0/255.0.0.0 -i eth0 -j REJECT -A INPUT -p tcp -m
| tcp -s 217.81.0.0/255.255.0.0 -i eth0 -j REJECT -A INPUT -i eth0 -j
| DROP

eth0 is your internet interface? Doesn't matter, you don't need this
rule, because your policy is DROP.

| -A INPUT -p tcp -m tcp -i eth1 --sport 80 -j DROP

You will hardly see a tcp source port 80.

| -A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT -A
| FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD
| -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT  --syn -A
| FORWARD -p tcp -i eth1 -o eth0 --dport 110 --sport 1024: -j ACCEPT
| --syn -A FORWARD -p tcp -i eth1 -o eth0 --dport 1863 --sport 1024:
| -j ACCEPT  --syn -A FORWARD -p tcp -i eth1 -o eth0 --dport 5050
| --sport 1024: -j ACCEPT  --syn -A OUTPUT -p udp --dport 53 --sport
| 1024: -j ACCEPT -A OUTPUT -p tcp -m owner -o eth0 --dport 80
| --sport 1024: --uid-owner squid -j ACCEPT  --syn COMMIT # Completed
| on Fri Jan  7 20:56:35 2000
|
|
| mails part is working
|
| MSN is working.
|
| I am able to browse without any proxy settings. Which I do not
| want.
|
| So I guess the traffic is not being redirected properly.

Yes, the traffic is not redirected. There is no rule that specifies
this. Ok, you say that you don't want your clients to browse without
proxy settings, so you don't want a transparent proxy. You have to set
up your clients to connect to your proxy and then you have to add a
rule in the incoming chain like the one mentioned above. Your OUTPUT
policy is ACCEPT and there are no rules in the OUTPUT chain, so
there's no need to add a rule to OUTPUT. BTW, my OUTPUT policy is DROP
(in filter) and thus I need rules in OUTPUT like

-A OUTPUT -p tcp -m tcp --dport 80 -o $OUT_IFACE -m state --state NEW -j ACCEPT

Generally I think it is best to set all policies to DROP (or REJECT)
and then enable all those ports you need. You can watch the traffic
(and the ports in use) with tcpdump or iptraf or the like and thus
find out the ports you need. That's quite amazing and instructive.

|
| I think I need to redirect all port 80 traffic to port 3128. Though
| I am not sure.

Only if you want a transparent proxy.

|
| Thanks for all the help so far.
|
| Varun

HTH

Joerg

--
-----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach

Tel.: (+49) 22 26  87 18 12
Fax:  (+49) 22 26 87 18 19
mail: harmuth@mnemon.de
Web:  http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2  7F5D B7D7 E48E 267B 204F
-----------------------------------------------------------------------






* Re: squid problem
  2005-02-09 10:33 squid problem varun_saa
  2005-02-09 11:35 ` Jörg Harmuth
@ 2005-02-09 16:35 ` Sergio Basurto Juarez
  1 sibling, 0 replies; 3+ messages in thread
From: Sergio Basurto Juarez @ 2005-02-09 16:35 UTC (permalink / raw)
  To: netfilter


--- varun_saa@vsnl.net wrote:

> Hello,
>       My iptables config file is as follows :
> 
> # Generated by iptables-save v1.2.9 on Fri Jan  7
> 20:56:35 2000
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
[snip]

I did not read all the rules that you have but the one
that redirects your traffic from port 80 to 3128 is as
follows:

iptables -t nat -A PREROUTING -i [internal interface] -p tcp --dport 80 -j REDIRECT --to-port 3128

Also read the mini-HOWTO of transparent
proxy (tldp.org) because if you insert this rule but
don't change the configuration of squid it won't work.

Regards.

=====
-- 
Sergio Basurto J.

If I have seen further it is by standing on the 
shoulders of giants. (Isaac Newton)
--


		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - 250MB free storage. Do more. Manage less. 
http://info.mail.yahoo.com/mail_250


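As an added example that is not code from the thread or from either poster, the POSIX shell script below ties the two replies together. It audits an iptables-save dump for the defect Jörg points out (a match-less `-A INPUT -j ACCEPT` that terminates traversal and shadows every rule after it in that chain), and it emits a replacement ruleset along the lines he recommends: every filter policy DROP, stateful accepts, clients allowed to reach 3128 only from unprivileged ports, and only the `squid` user allowed to open outbound web connections. A mode switch adds Sergio's PREROUTING REDIRECT rule for the transparent-proxy case. The interface roles (eth1 = LAN, eth0 = internet), the forwarded ports and the `squid` user are taken from Varun's ruleset; the `shadowing_rules` audit, the `explicit`/`transparent` switch and the embedded copy of the filter table are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes eth1 is the LAN side,
# eth0 the internet side, and that squid runs as the user "squid".

# Constructed copy of the relevant part of the poster's filter table.
ORIGINAL_FILTER='*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Read an iptables-save dump on stdin and print CHAIN:LINE for every
# terminating rule that carries no match at all ("-A CHAIN -j TARGET")
# and is followed by further rules in the same chain. Such a rule makes
# everything after it dead code; a bare catch-all as the LAST rule is
# a legitimate default and is not reported.
shadowing_rules() {
    awk '
        /^-A / {
            chain = $2; n[chain]++
            if (NF == 4 && $3 == "-j" &&
                ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
                bare[chain, n[chain]] = NR
        }
        END {
            for (key in bare) {
                split(key, parts, SUBSEP)
                if ((parts[2] + 0) < n[parts[1]]) print parts[1] ":" bare[key]
            }
        }'
}

# Emit an iptables-restore ruleset with all filter policies DROP and only
# the needed ports opened. $1 is "explicit" (clients configured for the
# proxy) or "transparent" (LAN port-80 traffic redirected to the proxy).
squid_rules() {
    mode=${1:-explicit}
    lan=eth1; wan=eth0
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    if [ "$mode" = transparent ]; then
        # Sergio's rule: LAN web traffic lands on the local proxy port.
        echo "-A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port 3128"
    fi
    echo "-A POSTROUTING -o $wan -j MASQUERADE"
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Clients connect from unprivileged ports; only NEW connections need a rule.
    echo "-A INPUT -i $lan -p tcp --dport 3128 --sport 1024: -m state --state NEW -j ACCEPT"
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Mail and messenger ports from the original post; port 80 is deliberately
    # absent, so browsing past the proxy is no longer forwarded.
    for port in 25 110 1863 5050; do
        echo "-A FORWARD -i $lan -o $wan -p tcp --dport $port --sport 1024: --syn -j ACCEPT"
    done
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A OUTPUT -o $wan -p udp --dport 53 -j ACCEPT"
    # Only the squid user may open web connections towards the internet.
    for port in 80 443; do
        echo "-A OUTPUT -o $wan -p tcp --dport $port -m owner --uid-owner squid -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Usage on the firewall (as root):
#   iptables-save | sh this_script.sh   ... then call shadowing_rules on it
#   squid_rules explicit | iptables-restore
```

Running `shadowing_rules` over the poster's table reports `INPUT:5`, the catch-all ACCEPT Jörg objects to; the generated ruleset reports nothing. Note that in the original post it is the `:FORWARD ACCEPT` policy, not the INPUT chain, that lets clients browse directly: port 80 from the LAN is simply routed out through eth0 and masqueraded. With FORWARD set to DROP and no port-80 forward rule, the only way out for web traffic is through squid, which is what Varun asked for. In transparent mode the squid side still has to be told to accept intercepted connections (the mini-HOWTO Sergio refers to covers that), and REDIRECT only catches plain port-80 HTTP.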
