iptables, squid and all related stuff

iptables, squid and all related stuff

[Luca Ferrari]

Hi,
I've got a problem with my firewall/proxy machine. I'm using iptables to 
firewalling packets and squid as proxy server for http on the port 8080. Each 
client in my subnet has the proxy set.
Now one client needs to access a special web service, available at port X on 
server Y thru a set of asp pages. I've enabled the connection thru the 
firewall for Y:X, but the client is still unable to connect to the service. 
There are no error from my side, no packet logged, but a TCP_MISS in squid 
logs. I have tried to enable and acl as the following:
acl   web_service    port X

....
http_access web_service

but it's still not working. Any idea?

Thanks,
Luca

-- 
Luca Ferrari,
fluca1978@virgilio.it

Re: iptables, squid and all related stuff

[cditrani]

> Hi,
> I've got a problem with my firewall/proxy machine. I'm using iptables to
> firewalling packets and squid as proxy server for http on the port 8080.
> Each
> client in my subnet has the proxy set.
> Now one client needs to access a special web service, available at port X
> on
> server Y thru a set of asp pages. I've enabled the connection thru the
> firewall for Y:X, but the client is still unable to connect to the
> service.
> There are no error from my side, no packet logged, but a TCP_MISS in squid
> logs. I have tried to enable and acl as the following:
> acl   web_service    port X
>
> ....
> http_access web_service
>
> but it's still not working. Any idea?



Is the client for this web service the browser? If not - if it's some
3rd-party app - it might not be using the proxy server and trying to
connect directy. We had this problem with a product licensing app that had
a hard-wired ip address and used socket directly, ignoring the proxy.

CD

Re: iptables, squid and all related stuff

[Luca Ferrari]

On Wednesday 19 May 2004 12:09 cditrani@livedata.com's cat walking on the 
keyboard  wrote:

> > Hi,
> > I've got a problem with my firewall/proxy machine. I'm using iptables to
> > firewalling packets and squid as proxy server for http on the port 8080.
> > Each
> > client in my subnet has the proxy set.
> > Now one client needs to access a special web service, available at port X
> > on
> > server Y thru a set of asp pages. I've enabled the connection thru the
> > firewall for Y:X, but the client is still unable to connect to the
> > service.
> > There are no error from my side, no packet logged, but a TCP_MISS in
> > squid logs. I have tried to enable and acl as the following:
> > acl   web_service    port X
> >
> > ....
> > http_access web_service
> >
> > but it's still not working. Any idea?
>
> Is the client for this web service the browser? If not - if it's some
> 3rd-party app - it might not be using the proxy server and trying to
> connect directy. We had this problem with a product licensing app that had
> a hard-wired ip address and used socket directly, ignoring the proxy.

The access is done thru the web browser, as the application use as well. 
Nevertheless the firewall already allows connection to such address, so I 
believe it's a proxy problem.

Luca

-- 
Luca Ferrari,
fluca1978@virgilio.it

Re: iptables, squid and all related stuff

[Luca Ferrari]

On Wednesday 19 May 2004 14:46 Adam Lang's cat walking on the keyboard  wrote:

> You didn't tell it what to do with that acl.
>
> http_access allow web_service
>
> Make sure you put it in front of any deny rules that would block it.  Life
> will be easier if you just add it to the safe_port list and put a comment
> at the end so you knwow hat it is for.
>
 
Thanks,
I've added the X port to the Safe_ports of the squid acls and now everything 
is right.

Luca


-- 
Luca Ferrari,
fluca1978@virgilio.it
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html