netfilter.vger.kernel.org archive mirror
* Proxy Filter iptable Settings
@ 2011-04-27  3:07 Mike Hendrie
  2011-04-27  6:16 ` Andrew Beverley
  0 siblings, 1 reply; 22+ messages in thread
From: Mike Hendrie @ 2011-04-27  3:07 UTC (permalink / raw)
  To: netfilter

All,
I have a PROXY server with 2 Nics.  One is public facing NIC, the
other is private facing Nic.

What would be the best settings to force all private IPs, on the LAN,
to pass through the Proxy server?

Thank you,
Mike


* Re: Proxy Filter iptable Settings
  2011-04-27  3:07 Proxy Filter iptable Settings Mike Hendrie
@ 2011-04-27  6:16 ` Andrew Beverley
  2011-04-27 11:26   ` Mike Hendrie
  0 siblings, 1 reply; 22+ messages in thread
From: Andrew Beverley @ 2011-04-27  6:16 UTC (permalink / raw)
  To: Mike Hendrie; +Cc: netfilter

On Tue, 2011-04-26 at 22:07 -0500, Mike Hendrie wrote:
> All,
> I have a PROXY server with 2 Nics.  One is public facing NIC, the
> other is private facing Nic.

I assume that you mean a web proxy and that all your clients already use
the server as their default gateway?

> What would be the best settings to force all private IPs, on the LAN,
> to pass through the Proxy server?

Depending on the answer to the above, something like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
	-j REDIRECT --to-port 3128

Your proxy server will need to support transparent proxying.

Andy


* Re: Proxy Filter iptable Settings
  2011-04-27  6:16 ` Andrew Beverley
@ 2011-04-27 11:26   ` Mike Hendrie
  2011-04-27 12:17     ` Vigneswaran R
  0 siblings, 1 reply; 22+ messages in thread
From: Mike Hendrie @ 2011-04-27 11:26 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: netfilter

Thanks for the response. Once I implemented your suggestion, I get the
following error when trying to access the school's website from WITHIN
the LAN. Why can it not find the URL?

ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL:
http://www.twinlakes.k12.wi.us/

Connection to 216.56.4.133 failed.
The system returned: (110) Connection timed out


Best Regards,
Mike

On Wed, Apr 27, 2011 at 1:16 AM, Andrew Beverley <andy@andybev.com> wrote:
> On Tue, 2011-04-26 at 22:07 -0500, Mike Hendrie wrote:
>> All,
>> I have a PROXY server with 2 Nics.  One is public facing NIC, the
>> other is private facing Nic.
>
> I assume that you mean a web proxy and that all your clients already use
> the server as their default gateway?
>
>> What would be the best settings to force all private IPs, on the LAN,
>> to pass through the Proxy server?
>
> Depending on the answer to the above, something like this:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
>        -j REDIRECT --to-port 3128
>
> Your proxy server will need to support transparent proxying.
>
> Andy
>
>
>


* Re: Proxy Filter iptable Settings
  2011-04-27 11:26   ` Mike Hendrie
@ 2011-04-27 12:17     ` Vigneswaran R
  2011-04-27 12:45       ` Mike Hendrie
  0 siblings, 1 reply; 22+ messages in thread
From: Vigneswaran R @ 2011-04-27 12:17 UTC (permalink / raw)
  To: netfilter

On 04/27/2011 04:56 PM, Mike Hendrie wrote:
> Thanks for the response. Once I implemented your suggestion, I get the
> following error when trying to access the school's website from WITHIN
> the LAN. Why can it not find the URL?
>
> ERROR
>
> The requested URL could not be retrieved
>
> The following error was encountered while trying to retrieve the URL:
> http://www.twinlakes.k12.wi.us/
>
> Connection to 216.56.4.133 failed.
> The system returned: (110) Connection timed out

I assume that you want to give access to the Internet for all the
machines in the LAN, through your "PROXY" server, i.e., making the server
an Internet Gateway.

If so, the following should work:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

Here, replace the 192.168.1.0/24 with the correct IP address range used 
in your LAN. Please ensure that all the machines have the default route 
pointing to the server.

This allows all kinds of traffic (http, ftp, ssh, etc.) to the
public sites. If necessary, add further iptables rules to restrict this.
Hope this helps.


Regards,
Vignesh


* Re: Proxy Filter iptable Settings
  2011-04-27 12:17     ` Vigneswaran R
@ 2011-04-27 12:45       ` Mike Hendrie
  2011-04-27 13:18         ` Vigneswaran R
  2011-04-27 16:46         ` Mike Hendrie
  0 siblings, 2 replies; 22+ messages in thread
From: Mike Hendrie @ 2011-04-27 12:45 UTC (permalink / raw)
  To: Vigneswaran R; +Cc: netfilter

I tried:
sudo  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j
REDIRECT --to- 8080
iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -j MASQUERADE

And still ended up with the same message:

ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

The following error was encountered while trying to retrieve the URL:
http://twinlakes.k12.wi.us/

Connection to 216.56.4.133 failed.

The system returned: (110) Connection timed out

The remote host or network may be down. Please try the request again.

Your cache administrator is webmaster.

--------------------------------------------------------------------------------

Generated Wed, 27 Apr 2011 12:46:38 GMT by localhost (squid/2.7.STABLE9)

On Wed, Apr 27, 2011 at 7:17 AM, Vigneswaran R <vignesh@atc.tcs.com> wrote:
> On 04/27/2011 04:56 PM, Mike Hendrie wrote:
>>
>> Thanks for the response. Once I implemented your suggestion, I get the
>> following error when trying to access the school's website from WITHIN
>> the LAN. Why can it not find the URL?
>>
>> ERROR
>>
>> The requested URL could not be retrieved
>>
>> The following error was encountered while trying to retrieve the URL:
>> http://www.twinlakes.k12.wi.us/
>>
>> Connection to 216.56.4.133 failed.
>> The system returned: (110) Connection timed out
>
> I assume that you want to give access to the Internet for all the machines
> in the LAN, through your "PROXY" server. ie., making the server an Internet
> Gateway.
>
> If so, the following should work,
>
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
>
> Here, replace the 192.168.1.0/24 with the correct IP address range used in
> your LAN. Please ensure that all the machines have the default route
> pointing to the server.
>
> This allows, all kinds of traffic like http, ftp, ssh etc., to the public
> sites. If necessary, add further iptables rules to restrict this. Hope this
> helps.
>
>
> Regards,
> Vignesh
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


* Re: Proxy Filter iptable Settings
  2011-04-27 12:45       ` Mike Hendrie
@ 2011-04-27 13:18         ` Vigneswaran R
  2011-04-27 13:41           ` Mike Hendrie
  2011-04-27 16:46         ` Mike Hendrie
  1 sibling, 1 reply; 22+ messages in thread
From: Vigneswaran R @ 2011-04-27 13:18 UTC (permalink / raw)
  To: netfilter

On 04/27/2011 06:15 PM, Mike Hendrie wrote:
> I tried:
> sudo  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j
> REDIRECT --to- 8080
> iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -j MASQUERADE
>
> And still ended up with the same message

You should not have both rules in place. Basically Andy's suggestion and 
my suggestion are based on two different assumptions. Please select one, 
based on your scenario.

Scenario #1 Running Web Proxy

If you are running a web proxy like squid, please ensure that it is 
listening on the correct port (seems, 8080 in your case), and configured 
correctly (to allow your subnet etc).

Also, ensure that the machines on the LAN have the proxy settings in 
place, for various applications like web browser, email client etc.

I am not sure why you need an iptables rule in this scenario. Are you 
looking for something like: the machines on the LAN won't have proxy 
settings for different applications, but still have to reach the Internet 
through the web proxy?

Scenario #2 Configuring server as the Internet Gateway

If you want to configure your server as the Internet Gateway, please add 
the following iptables rule to the server,

iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -j MASQUERADE

Also, ensure that all the machines in the LAN point to your server 
as the default gateway.

ip ro add default via 172.20.1.1

Here, I assume that your server's internal IP is 172.20.1.1.


Regards,
Vignesh


* Re: Proxy Filter iptable Settings
  2011-04-27 13:18         ` Vigneswaran R
@ 2011-04-27 13:41           ` Mike Hendrie
  2011-04-27 17:24             ` Andrew Beverley
  2011-04-28  6:36             ` Vigneswaran R
  0 siblings, 2 replies; 22+ messages in thread
From: Mike Hendrie @ 2011-04-27 13:41 UTC (permalink / raw)
  To: Vigneswaran R; +Cc: netfilter

Alright. Please let me explain.

I am implementing squid in the school.

Squid box 172.20.0.3
All workstations gateway are 172.20.0.3
All workstations proxy settings are 172.30.0.3:8080

The proxy settings are working fine for blocking content, however, I
am having the following issues:

The school's web server is hosted locally. When the workstations try
to access the site via the public domain name, it fails.
Also, there are several applications the school uses. These
applications range from port 5000-5005.

What would you suggest?

Thank you,
mike

On Wed, Apr 27, 2011 at 8:18 AM, Vigneswaran R <vignesh@atc.tcs.com> wrote:
> On 04/27/2011 06:15 PM, Mike Hendrie wrote:
>>
>> I tried:
>> sudo  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j
>> REDIRECT --to- 8080
>> iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -j MASQUERADE
>>
>> And still ended up with the same message
>
> You should not have both rules in place. Basically Andy's suggestion and my
> suggestion are based on two different assumptions. Please select one, based
> on your scenario.
>
> Scenario #1 Running Web Proxy
>
> If you are running a web proxy like squid, please ensure that it is
> listening on the correct port (seems, 8080 in your case), and configured
> correctly (to allow your subnet etc).
>
> Also, ensure that the machines on the LAN have the proxy settings in place,
> for various applications like web browser, email client etc.
>
> I am not sure why do you need an iptables rule in this scenario. Are you
> looking for something like, the machines on the LAN won't have proxy
> settings for different applications, but still have to reach Internet
> through web proxy?
>
> Scenario #2 Configuring server as the Internet Gateway
>
> If you want to configure your server as the Internet Gateway, please add the
> following iptables rule to the server,
>
> iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -j MASQUERADE
>
> Also, ensure that all the machines in the LAN should point your server as
> the default gateway.
>
> ip ro add default via 172.20.1.1
>
> Here, I assume that your server's internal IP is 172.20.1.1.
>
>
> Regards,
> Vignesh
>


* Re: Proxy Filter iptable Settings
  2011-04-27 12:45       ` Mike Hendrie
  2011-04-27 13:18         ` Vigneswaran R
@ 2011-04-27 16:46         ` Mike Hendrie
  1 sibling, 0 replies; 22+ messages in thread
From: Mike Hendrie @ 2011-04-27 16:46 UTC (permalink / raw)
  To: Vigneswaran R; +Cc: netfilter

Is there a trick to getting a secureNAT connection to work through the
proxy server with the following iptables setting? Do I have to make
another rule like the one below for each port that is required?

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
--to-port 8080

Thank you

On Wed, Apr 27, 2011 at 7:45 AM, Mike Hendrie <mike@hendrienet.com> wrote:
> I tried:
> sudo  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j
> REDIRECT --to- 8080
> iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -j MASQUERADE
>
> And still ended up with the same message:
>
> ERROR
> The requested URL could not be retrieved
>
> --------------------------------------------------------------------------------
>
> The following error was encountered while trying to retrieve the URL:
> http://twinlakes.k12.wi.us/
>
> Connection to 216.56.4.133 failed.
>
> The system returned: (110) Connection timed out
>
> The remote host or network may be down. Please try the request again.
>
> Your cache administrator is webmaster.
>
>
>
>
> --------------------------------------------------------------------------------
>
> Generated Wed, 27 Apr 2011 12:46:38 GMT by localhost (squid/2.7.STABLE9)
>
>
>
>
> On Wed, Apr 27, 2011 at 7:17 AM, Vigneswaran R <vignesh@atc.tcs.com> wrote:
>> On 04/27/2011 04:56 PM, Mike Hendrie wrote:
>>>
>>> Thanks for the response. Once I implemented your suggestion, I get the
>>> following error when trying to access the school's website from WITHIN
>>> the LAN. Why can it not find the URL?
>>>
>>> ERROR
>>>
>>> The requested URL could not be retrieved
>>>
>>> The following error was encountered while trying to retrieve the URL:
>>> http://www.twinlakes.k12.wi.us/
>>>
>>> Connection to 216.56.4.133 failed.
>>> The system returned: (110) Connection timed out
>>
>> I assume that you want to give access to the Internet for all the machines
>> in the LAN, through your "PROXY" server. ie., making the server an Internet
>> Gateway.
>>
>> If so, the following should work,
>>
>> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
>>
>> Here, replace the 192.168.1.0/24 with the correct IP address range used in
>> your LAN. Please ensure that all the machines have the default route
>> pointing to the server.
>>
>> This allows, all kinds of traffic like http, ftp, ssh etc., to the public
>> sites. If necessary, add further iptables rules to restrict this. Hope this
>> helps.
>>
>>
>> Regards,
>> Vignesh
>>
>


* Re: Proxy Filter iptable Settings
  2011-04-27 13:41           ` Mike Hendrie
@ 2011-04-27 17:24             ` Andrew Beverley
  2011-04-28  6:36             ` Vigneswaran R
  1 sibling, 0 replies; 22+ messages in thread
From: Andrew Beverley @ 2011-04-27 17:24 UTC (permalink / raw)
  To: Mike Hendrie; +Cc: Vigneswaran R, netfilter

On Wed, 2011-04-27 at 08:41 -0500, Mike Hendrie wrote:
> Alright. Please let me explain.
> 
> I am implementing squid in the school.
> 
> Squid box 172.20.0.3
> All workstations gateway are 172.20.0.3
> All workstations proxy settings are 172.30.0.3:8080
> 

Ah, that makes more sense.

> The proxy settings are working fine for blocking content, however, I
> am having the following issues:
> 
> The school's web server is hosted locally.

Locally where? On the same server as Squid (172.20.0.3)?

>  When the workstations try
> to access the site via the public domain name, it fails.

Okay... well there could be a lot of reasons:

Your workstations will be requesting the URL from the Squid server which
will be resolving the public IP address of the website. The Squid server
will therefore need to access the public IP address, which comes back to
the question above as to where on the network the website is hosted.

You might need to set the DNS on the proxy server to resolve the website
to the local IP address.

Depending where you host your public DNS, you may also have to make
adjustments to that.

The web server itself will need to be listening on the right port to
serve the request - it may only be serving requests on the public facing
interface.

In short, more information is needed about your exact set up to answer
the question.

> Also, there are several applications the school uses. These
> applications range from port 5000-5005.
> 

Where are the applications hosted? On the internal network, on the
public internet, on the proxy server?

Andy


* Re: Proxy Filter iptable Settings
  2011-04-27 13:41           ` Mike Hendrie
  2011-04-27 17:24             ` Andrew Beverley
@ 2011-04-28  6:36             ` Vigneswaran R
  2011-04-28 21:43               ` Mike Hendrie
  1 sibling, 1 reply; 22+ messages in thread
From: Vigneswaran R @ 2011-04-28  6:36 UTC (permalink / raw)
  To: netfilter

On 04/27/2011 07:11 PM, Mike Hendrie wrote:
> Squid box 172.20.0.3
> All workstations gateway are 172.20.0.3
> All workstations proxy settings are 172.30.0.3:8080
>
> The proxy settings are working fine for blocking content, however, I

Does it mean that the proxy server gives restricted access to the 
Internet for the machines behind it? Can they access the sites like 
google.com (or whatever sites allowed)?

> am having the following issues:
>
> The school's web server is hosted locally. When the workstations try
> to access the site via the public domain name, it fails.

If the answer is 'yes' to the above questions, your machines should be 
able to access the school website as well, through the public IP.

Please ensure that the machines in the LAN are not bypassing the proxy 
for your school website. We tend to bypass the proxy for the school 
website (in the browser settings) because it is hosted internally (on your 
LAN, probably on the same machine where squid is running).

Bypassing the proxy works if the domain name of your school website 
resolves to the local address. But in your case, the domain name 
resolves to the public address, so it should ideally go 
through the proxy server.

Also check whether any existing iptables rule is unintentionally dropping 
packets from your proxy server to your web server (even if they are on the 
same machine).


Regards,
Vignesh


* Re: Proxy Filter iptable Settings
  2011-04-28  6:36             ` Vigneswaran R
@ 2011-04-28 21:43               ` Mike Hendrie
  2011-04-29  9:16                 ` Vigneswaran R
  2011-04-30  8:02                 ` Andrew Beverley
  0 siblings, 2 replies; 22+ messages in thread
From: Mike Hendrie @ 2011-04-28 21:43 UTC (permalink / raw)
  To: Vigneswaran R; +Cc: netfilter

All users can get to Google and do searches just fine. I am having
funny issues with a couple of applications.

I do not understand why I am having the below issues. Could this be
because of the iptables?


- The internal server, 172.20.0.13, hosting the web site does not
allow LAN clients to resolve the actual public DNS URL.
	It resolves to the correct public IP address, but it cannot find the
URL through the firewall. However, I can find the website fine from my
home computer.
	The LAN clients are able to use the LAN IP to see the website.

ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL:
http://www.twinlakes.k12.wi.us/
Connection to 216.56.4.133 failed.
The system returned: (110) Connection timed out


- There is a FileMaker application that uses ports 5000 - 5005 to
connect to an external server, and it cannot find the external server.
??StatefulNAT translation.??
- There is a yearbook website that uploads photos to an external
server that does not allow the upload via the webpage. However, I can
upload the photos if I install the application local to the
workstation, the vendor had a local installation of the photo upload
available.


Infrastructure Information:

Server: Ubuntu 10.10
Proxy: squid
Gateway: All workstations are using this as the gateway
Filter content: squidGuard


iptable command used: iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -L: (listed at the end)
Firewall: ufw status enabled with the following ports opened....
UFW:
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
8080                       ALLOW       Anywhere
5900                       ALLOW       Anywhere
5001                       ALLOW       Anywhere
8530                       ALLOW       Anywhere
3389                       ALLOW       Anywhere
21                         ALLOW       Anywhere
5151                       ALLOW       Anywhere
53                         ALLOW       Anywhere
25                         ALLOW       Anywhere
5000                       ALLOW       Anywhere
5002                       ALLOW       Anywhere
5003                       ALLOW       Anywhere
5004                       ALLOW       Anywhere
5005                       ALLOW       Anywhere


------------------------------------------------------------------------------
iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere            udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere            udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere            udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere            state INVALID
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
ACCEPT     all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] '

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            state INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere            limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state NEW
ACCEPT     udp  --  anywhere             anywhere            state NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere            udp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http-alt
ACCEPT     udp  --  anywhere             anywhere            udp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5900
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5900
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5001
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5001
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8530
ACCEPT     udp  --  anywhere             anywhere            udp dpt:8530
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3389
ACCEPT     udp  --  anywhere             anywhere            udp dpt:3389
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:fsp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pcrd
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5151
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:25
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5000
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5000
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:rfe
ACCEPT     udp  --  anywhere             anywhere            udp dpt:rfe
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5003
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5003
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5004
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5004
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5005
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5005

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

On Thu, Apr 28, 2011 at 1:36 AM, Vigneswaran R <vignesh@atc.tcs.com> wrote:
> On 04/27/2011 07:11 PM, Mike Hendrie wrote:
>>
>> Squid box 172.20.0.3
>> All workstations gateway are 172.20.0.3
>> All workstations proxy settings are 172.30.0.3:8080
>>
>> The proxy settings are working fine for blocking content, however, I
>
> Does it mean that the proxy server gives restricted access to the Internet
> for the machines behind it? Can they access the sites like google.com (or
> whatever sites allowed)?
>
>> am having the following issues:
>>
>> The school's web server is hosted locally. When the workstations try
>> to access the site via the public domain name, it fails.
>
> If the answer is 'yes' to the above questions, your machines should be able
> to access the school website as well, through the public IP.
>
> Please ensure that the machines in the LAN are not bypassing the proxy for
> your school website. Because, we tend to bypass proxy for the school website
> (in the browser settings), as it is hosted internally (on your LAN, probably
> on the same machine where squid is running).
>
> Bypassing proxy works, if the Domain Name of your school website is resolved
> into the local address. But, in your case, the Domain Name is getting
> resolved into the public address. So, it should ideally go through the proxy
> server.
>
> Also check, is there any existing iptables rule which is dropping packet
> from your proxy server to your webserver (even if they are on the same
> machine), unintentionally.
>
>
> Regards,
> Vignesh
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: Proxy Filter iptable Settings
  2011-04-28 21:43               ` Mike Hendrie
@ 2011-04-29  9:16                 ` Vigneswaran R
  2011-04-30  8:02                 ` Andrew Beverley
  1 sibling, 0 replies; 22+ messages in thread
From: Vigneswaran R @ 2011-04-29  9:16 UTC (permalink / raw)
  To: netfilter

Hi,

On 04/29/2011 03:13 AM, Mike Hendrie wrote:
> - There is FileMaker application that uses ports 5000 - 5005 to
> connect to an external server that cannot find the external server.
> ??StatefulNAT translation.??

To allow the FileMaker application (client) in your LAN to connect to an 
external server at ports 5000-5005, I think you need to have an ACCEPT 
entry in the FORWARD chain, instead of the INPUT chain (in your iptables).

The image in the following link may help you in understanding the packet 
flow between various chains in iptables.

<http://www.dqd.com/~mayoff/notes/linux/iptables.png>

I don't have any clue about the other problems that you have mentioned. 
Let us hope for some expert to help.


Regards,
Vignesh

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: Proxy Filter iptable Settings
  2011-04-28 21:43               ` Mike Hendrie
  2011-04-29  9:16                 ` Vigneswaran R
@ 2011-04-30  8:02                 ` Andrew Beverley
  2011-04-30 16:50                   ` /dev/rob0
  1 sibling, 1 reply; 22+ messages in thread
From: Andrew Beverley @ 2011-04-30  8:02 UTC (permalink / raw)
  To: Mike Hendrie; +Cc: Vigneswaran R, netfilter

On Thu, 2011-04-28 at 16:43 -0500, Mike Hendrie wrote:
> All users can get to Google and do searches just fine. I am having
> funny issues with the a couple of application.
> 
> I do not understand why I am having the below issues. Could this be
> because of the iptables?

Probably, although I would say more accurately because of UFW. It's
quite difficult to diagnose problems with automatically generated
iptables rules.

I would say you are better off disabling UFW, and starting with just the
rules you need to get everything working:

# Flush all tables
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F

# Set the default policy to ACCEPT:
iptables -P PREROUTING ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P POSTROUTING ACCEPT

# Enable packet forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setup NAT:
iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE

Once that works, you can then start blocking ports.

> - There is FileMaker application that uses ports 5000 - 5005 to
> connect to an external server that cannot find the external server.
> ??StatefulNAT translation.??

Looking at the following website, you'll need to allow more than just
those ports:

http://sixfriedrice.com/wp/filemaker-firewall/

But, as above, get the firewall working with all ports open, and then
start closing them.

> - There is a yearbook website that uploads photos to an external
> server that does not allow the upload via the webpage. However, I can
> upload the photos if I install the application local to the
> workstation, the vendor had a local installation of the photo upload
> available.

Ditto.

> iptable command used: iptables -t nat -A PREROUTING -i eth1 -p tcp
> --dport 80 -j REDIRECT --to-port 8080

Is this for the proxy? You don't need that rule if you have manually set
the proxy server for each client. That rule *forces* the proxy to be
used.

Andy



^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: Proxy Filter iptable Settings
  2011-04-30  8:02                 ` Andrew Beverley
@ 2011-04-30 16:50                   ` /dev/rob0
  2011-04-30 17:47                     ` Mike Hendrie
  0 siblings, 1 reply; 22+ messages in thread
From: /dev/rob0 @ 2011-04-30 16:50 UTC (permalink / raw)
  To: netfilter

On Sat, Apr 30, 2011 at 09:02:55AM +0100, Andrew Beverley wrote:
> On Thu, 2011-04-28 at 16:43 -0500, Mike Hendrie wrote:
> > All users can get to Google and do searches just fine. I am 
> > having funny issues with the a couple of application.
> > 
> > I do not understand why I am having the below issues. Could this 
> > be because of the iptables?
> 
> Probably, although I would say more accurately because of UFW.
> It's quite difficult to diagnose problems with automatically 
> generated iptables rules.

Indeed, and users of such rulesets should be asking elsewhere (at the 
provider of the ruleset) for support.

> I would say you are better off disabling UFW, and starting with 
> just the rules you need to get everything working:

Yes, but iptables-restore(8) is the recommended means to apply a 
ruleset.

> # Flush all tables
> iptables -t nat -F
> iptables -t mangle -F
> iptables -t filter -F
> 
> # Set the default policy to ACCEPT:
> iptables -P PREROUTING ACCEPT

The default table, filter, does not have a PREROUTING chain.

> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P POSTROUTING ACCEPT

The default table, filter, does not have a POSTROUTING chain.

> # Enable packet forwarding:
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> # Setup NAT:
> iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE
> 
> Once that works, you can then start blocking ports.
> 
> > - There is FileMaker application that uses ports 5000 - 5005 to
> > connect to an external server that cannot find the external server.
> > ??StatefulNAT translation.??
> 
> Looking at the following website, you'll need to allow more than just
> those ports:
> 
> http://sixfriedrice.com/wp/filemaker-firewall/
> 
> But, as above, get the firewall working with all ports open, and 
> then start closing them.

Otherwise I agree with what you have said.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: Proxy Filter iptable Settings
  2011-04-30 16:50                   ` /dev/rob0
@ 2011-04-30 17:47                     ` Mike Hendrie
  2011-04-30 18:02                       ` Andrew Beverley
                                         ` (2 more replies)
  0 siblings, 3 replies; 22+ messages in thread
From: Mike Hendrie @ 2011-04-30 17:47 UTC (permalink / raw)
  To: netfilter

Trying to apply:
iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE

I get the following error -
Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.

It does not like the command you suggested.....

Mike

On Sat, Apr 30, 2011 at 11:50 AM, /dev/rob0 <rob0@gmx.co.uk> wrote:
> On Sat, Apr 30, 2011 at 09:02:55AM +0100, Andrew Beverley wrote:
>> On Thu, 2011-04-28 at 16:43 -0500, Mike Hendrie wrote:
>> > All users can get to Google and do searches just fine. I am
>> > having funny issues with the a couple of application.
>> >
>> > I do not understand why I am having the below issues. Could this
>> > be because of the iptables?
>>
>> Probably, although I would say more accurately because of UFW.
>> It's quite difficult to diagnose problems with automatically
>> generated iptables rules.
>
> Indeed, and users of such rulesets should be asking elsewhere (at the
> provider of the ruleset) for support.
>
>> I would say you are better off disabling UFW, and starting with
>> just the rules you need to get everything working:
>
> Yes, but iptables-restore(8) is the recommended means to apply a
> ruleset.
>
>> # Flush all tables
>> iptables -t nat -F
>> iptables -t mangle -F
>> iptables -t filter -F
>>
>> # Set the default policy to ACCEPT:
>> iptables -P PREROUTING ACCEPT
>
> The default table, filter, does not have a PREROUTING chain.
>
>> iptables -P INPUT ACCEPT
>> iptables -P OUTPUT ACCEPT
>> iptables -P FORWARD ACCEPT
>> iptables -P POSTROUTING ACCEPT
>
> The default table, filter, does not have a POSTROUTING chain.
>
>> # Enable packet forwarding:
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> # Setup NAT:
>> iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE
>>
>> Once that works, you can then start blocking ports.
>>
>> > - There is FileMaker application that uses ports 5000 - 5005 to
>> > connect to an external server that cannot find the external server.
>> > ??StatefulNAT translation.??
>>
>> Looking at the following website, you'll need to allow more than just
>> those ports:
>>
>> http://sixfriedrice.com/wp/filemaker-firewall/
>>
>> But, as above, get the firewall working with all ports open, and
>> then start closing them.
>
> Otherwise I agree with what you have said.
> --
>    Offlist mail to this address is discarded unless
>    "/dev/rob0" or "not-spam" is in Subject: header
>

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: Proxy Filter iptable Settings
  2011-04-30 17:47                     ` Mike Hendrie
@ 2011-04-30 18:02                       ` Andrew Beverley
  2011-04-30 18:23                         ` Mike Hendrie
  2011-04-30 18:04                       ` Jan Engelhardt
  2011-04-30 18:28                       ` /dev/rob0
  2 siblings, 1 reply; 22+ messages in thread
From: Andrew Beverley @ 2011-04-30 18:02 UTC (permalink / raw)
  To: Mike Hendrie; +Cc: netfilter

Quoting Mike Hendrie <mike@hendrienet.com>:
>>> # Setup NAT:
>>> iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE
>>>
> Trying to apply:
> iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE
>
> I get the following error -
> Bad argument `MASQUERADE'

Have you replaced $ext_IF with your external interface?

As an aside, can you please stop top posting? Thanks.

Andy


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: Proxy Filter iptable Settings
  2011-04-30 17:47                     ` Mike Hendrie
  2011-04-30 18:02                       ` Andrew Beverley
@ 2011-04-30 18:04                       ` Jan Engelhardt
  2011-04-30 18:28                       ` /dev/rob0
  2 siblings, 0 replies; 22+ messages in thread
From: Jan Engelhardt @ 2011-04-30 18:04 UTC (permalink / raw)
  To: Mike Hendrie; +Cc: netfilter

On Saturday 2011-04-30 19:47, Mike Hendrie wrote:

>Trying to apply:
>iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE
>
>I get the following error -
>Bad argument `MASQUERADE'
>Try `iptables -h' or 'iptables --help' for more information.
>
>It does not like the command you suggested.....

Well - rule of thumb: *always* quote your "$arguments" unless they 
contain separators and you wish to deliberately split them...

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: Proxy Filter iptable Settings
  2011-04-30 18:02                       ` Andrew Beverley
@ 2011-04-30 18:23                         ` Mike Hendrie
  2011-04-30 19:08                           ` Andrew Beverley
  0 siblings, 1 reply; 22+ messages in thread
From: Mike Hendrie @ 2011-04-30 18:23 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: netfilter

Thank you, it worked!

Now to lock it down? I should just create rules to block ports?

Mike

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: Proxy Filter iptable Settings
  2011-04-30 17:47                     ` Mike Hendrie
  2011-04-30 18:02                       ` Andrew Beverley
  2011-04-30 18:04                       ` Jan Engelhardt
@ 2011-04-30 18:28                       ` /dev/rob0
  2 siblings, 0 replies; 22+ messages in thread
From: /dev/rob0 @ 2011-04-30 18:28 UTC (permalink / raw)
  To: netfilter

[ Top-posting fixed. Please do not do that. ]

On Sat, Apr 30, 2011 at 12:47:40PM -0500, Mike Hendrie wrote:
> > On Sat, Apr 30, 2011 at 09:02:55AM +0100, Andrew Beverley wrote:
> >> # Setup NAT:
> >> iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE
> 
> Trying to apply:
> iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE
> 
> I get the following error -
> Bad argument `MASQUERADE'
> Try `iptables -h' or 'iptables --help' for more information.
> 
> It does not like the command you suggested.....

You are in over your head here. Again:

> On Sat, Apr 30, 2011 at 11:50 AM, /dev/rob0 <rob0@gmx.co.uk> wrote:
> > On Sat, Apr 30, 2011 at 09:02:55AM +0100, Andrew Beverley wrote:
> >> On Thu, 2011-04-28 at 16:43 -0500, Mike Hendrie wrote:
> >> > All users can get to Google and do searches just fine. I am
> >> > having funny issues with the a couple of application.
> >> >
> >> > I do not understand why I am having the below issues. Could 
> >> > this be because of the iptables?
> >>
> >> Probably, although I would say more accurately because of UFW.
> >> It's quite difficult to diagnose problems with automatically
> >> generated iptables rules.
> >
> > Indeed, and users of such rulesets should be asking elsewhere (at 
> > the provider of the ruleset) for support.

... this is not the place to get UFW support. Andy gave you a good 
(mostly good :) ) answer which you do not seem to have enough 
experience (as a Unix/Linux user) to understand.

The "$string" construct is a sh(1) shell variable. In Netfilter 
terms, it is common to refer to the *ext*ernal *I*nter*f*ace as a 
shell variable; "ext" for "external", "_" for space, and "IF" for 
"interface".

In order to benefit from help on this list, you will need to be able 
to deal in such abstractions. It is not possible to give you literal 
"type this and it will work" instructions.

You'll definitely need more experience to be able to run the proxy 
server you're hoping to use. I recommend that you concentrate on 
learning basic user skills before trying complex system 
administration tasks.

Good luck.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: Proxy Filter iptable Settings
  2011-04-30 18:23                         ` Mike Hendrie
@ 2011-04-30 19:08                           ` Andrew Beverley
  2011-04-30 19:24                             ` /dev/rob0
  0 siblings, 1 reply; 22+ messages in thread
From: Andrew Beverley @ 2011-04-30 19:08 UTC (permalink / raw)
  To: Mike Hendrie; +Cc: netfilter

On Sat, 2011-04-30 at 13:23 -0500, Mike Hendrie wrote:
> Thank you, it worked!
> 

Okay, so you didn't top post, but please leave a bit of message so that
it makes sense to anyone joining the conversation <sigh>

> Now to lock it down? I should just create rules to block ports?
> 

Well it depends how paranoid you are. You might just want to block new
incoming connections to the local network:

iptables -P FORWARD DROP
iptables -A FORWARD -i $ext_IF -o $int_IF \
	-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int_IF -o $ext_IF -j ACCEPT

You'd probably also want to drop all incoming connections to the server
apart from your web server:

iptables -A INPUT -p tcp --dport 80 -i $ext_IF -j ACCEPT
iptables -A INPUT -i $ext_IF -j DROP

As Rob says though, you're probably best going through a few basic
tutorials first - you'll be up to speed in no time. Also check out
iptables-save and iptables-restore.

Let's hope I haven't made any more mistakes that Rob is going to spot :)

Andy



^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: Proxy Filter iptable Settings
  2011-04-30 19:08                           ` Andrew Beverley
@ 2011-04-30 19:24                             ` /dev/rob0
  2011-05-03 17:23                               ` Mike Hendrie
  0 siblings, 1 reply; 22+ messages in thread
From: /dev/rob0 @ 2011-04-30 19:24 UTC (permalink / raw)
  To: netfilter

On Sat, Apr 30, 2011 at 08:08:55PM +0100, Andrew Beverley wrote:
> On Sat, 2011-04-30 at 13:23 -0500, Mike Hendrie wrote:
> > Now to lock it down? I should just create rules to block ports?
> 
> Well it depends how paranoid you are. You might just want to block 
> new incoming connections to the local network:
> 
> iptables -P FORWARD DROP
> iptables -A FORWARD -i $ext_IF -o $int_IF \
> 	-m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $int_IF -o $ext_IF -j ACCEPT
> 
> You'd probably also want to drop all incoming connections to the 
> server apart from your web server:
> 
> iptables -A INPUT -p tcp --dport 80 -i $ext_IF -j ACCEPT
> iptables -A INPUT -i $ext_IF -j DROP
> 
> As Rob says though, you're probably best going through a few basic
> tutorials first - you'll be up to speed in no time. Also check out
> iptables-save and iptables-restore.
> 
> Let's hope I haven't made any more mistakes that Rob is going to 
> spot :)

Hehe ... well ... I would suggest that you look at the enhanced 
feature set of -m conntrack --ctstate vs. -m state --state. That's 
not a mistake, though; that is preference. :)
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

^ permalink raw reply	[flat|nested] 22+ messages in thread
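Putting Andy's minimal ruleset together with Rob's corrections (PREROUTING and POSTROUTING belong to the nat table, not filter; load the whole thing with iptables-restore(8); prefer -m conntrack --ctstate) and Jan's point about quoting shell variables, as an added example that is not code from anyone in this thread. It assumes the interface names and LAN from the thread (eth2 = WAN, eth1 = LAN, 172.20.0.0/16) and the proxy on port 8080; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: generate the minimal ruleset in
# iptables-restore(8) format, with each chain in the table that actually
# has it (nat: PREROUTING/POSTROUTING; filter: INPUT/FORWARD/OUTPUT),
# and check a ruleset for the chain/table mix-up Rob pointed out.

# gen_ruleset EXT_IF INT_IF LAN_NET PROXY_PORT
# Prints an iptables-restore file on stdout. Every shell variable is
# quoted or braced, which is Jan's rule of thumb about "$ext_IF".
gen_ruleset() {
    ext_if="$1"
    int_if="$2"
    lan_net="$3"
    proxy_port="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent proxy: LAN web traffic arriving on ${int_if} is redirected
# to the proxy port on this box (Andy's original rule).
-A PREROUTING -i ${int_if} -p tcp --dport 80 -j REDIRECT --to-ports ${proxy_port}
# Source NAT for LAN traffic leaving through the WAN interface.
-A POSTROUTING -s ${lan_net} -o ${ext_if} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to tracked connections, to the box and through it
# (-m conntrack --ctstate rather than the older -m state --state).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# From the WAN, only new connections to the web server reach the box;
# everything else arriving on ${ext_if} is dropped.
-A INPUT -i ${ext_if} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${ext_if} -j DROP
# The LAN may open new connections outward; the FORWARD policy drops
# new inbound connections to the LAN.
-A FORWARD -i ${int_if} -o ${ext_if} -j ACCEPT
COMMIT
EOF
}

# sanity_check FILE: exit 0 unless the file declares or uses PREROUTING
# or POSTROUTING inside the filter table, which iptables-restore rejects.
sanity_check() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^(:|-A |-I )(PREROUTING|POSTROUTING)/ { bad = 1 }
        END { exit bad }
    ' "$1"
}

# apply_ruleset EXT_IF INT_IF LAN_NET PROXY_PORT: enable forwarding and
# load the ruleset atomically. Needs root on a Linux host, so it is only
# shown here, not run.
apply_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_ruleset "$@" | iptables-restore
}

# Show the ruleset for the thread's interfaces without loading it.
gen_ruleset eth2 eth1 172.20.0.0/16 8080
```

Save the generated output to a file, run sanity_check on it, and keep it under version control; iptables-save and iptables-restore then give a reproducible ruleset instead of the rules UFW generates.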

* Re: Proxy Filter iptable Settings
  2011-04-30 19:24                             ` /dev/rob0
@ 2011-05-03 17:23                               ` Mike Hendrie
  0 siblings, 0 replies; 22+ messages in thread
From: Mike Hendrie @ 2011-05-03 17:23 UTC (permalink / raw)
  To: netfilter

Thanks guys.

Alright. You are correct. I am new to Linux. I have been blind for a
long time and am learning exponentially. Thanks for your help.

I was able to get the applications working this weekend. (so proud, yeah!)

However, I got my A$$ handed to me this morning with massive input
errors from the LAN side.

I am doing the following; can you provide me any assistance?
eth2=WAN
eth1=LAN

/etc/ufw/before.rules
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade LAN traffic (172.20.0.0/16) leaving through eth2 (WAN).
-A POSTROUTING -s 172.20.0.0/16 -o eth2 -j MASQUERADE
# Redirect LAN web traffic arriving on eth1 to the proxy on port 8080.
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
#iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT


UFW logging:
Below is a copy of the BLOCKed content, from this morning's headache.
XXX.XXX.XXX.XXX = eth2, public IP address. I replaced it to protect the innocent.

sudo vi UFWMay3BLOCK.log
May  3 09:16:36 squidGuard kernel: [64639.938264] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=209.85.225.83
DST=xxx.xxx.xxxx LEN=1263 TOS=0x00 PREC=0x00 TTL=55 ID=39420 PROTO=TCP
SPT=443 DPT=1856 WINDOW=16260 RES=0x00 ACK PSH URGP=0
May  3 09:16:45 squidGuard kernel: [64649.105950] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63006 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.107154] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63007 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.108390] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63008 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.109614] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63009 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.110842] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63010 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.112078] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63011 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.113306] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63012 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.114539] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63013 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.115768] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63014 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.118231] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63015 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.119464] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63016 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.121923] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63017 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.125610] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63018 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK PSH FIN URGP=0
May  3 09:16:46 squidGuard kernel: [64649.221610] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=74.125.95.97
DST=xxx.xxx.xxxx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=10841 PROTO=TCP
SPT=443 DPT=1790 WINDOW=11219 RES=0x00 ACK FIN URGP=0
May  3 09:16:46 squidGuard kernel: [64649.929228] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=209.85.225.83
DST=xxx.xxx.xxxx LEN=1263 TOS=0x00 PREC=0x00 TTL=55 ID=39421 PROTO=TCP
SPT=443 DPT=1856 WINDOW=16260 RES=0x00 ACK PSH URGP=0
May  3 09:16:55 squidGuard kernel: [64659.201813] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=74.125.95.97
DST=xxx.xxx.xxxx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=10842 PROTO=TCP
SPT=443 DPT=1790 WINDOW=11219 RES=0x00 ACK FIN URGP=0
May  3 09:16:56 squidGuard kernel: [64659.934100] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=209.85.225.83
DST=xxx.xxx.xxxx LEN=1263 TOS=0x00 PREC=0x00 TTL=55 ID=39422 PROTO=TCP
SPT=443 DPT=1856 WINDOW=16260 RES=0x00 ACK PSH URGP=0
May  3 09:16:58 squidGuard kernel: [64661.599044] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63019 DF
PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:17:05 squidGuard kernel: [64669.158398] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=74.125.95.97
DST=xxx.xxx.xxxx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=10843 PROTO=TCP
SPT=443 DPT=1790 WINDOW=11219 RES=0x00 ACK FIN URGP=0
May  3 09:17:06 squidGuard kernel: [64669.978711] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=209.85.225.83
DST=xxx.xxx.xxxx LEN=1263 TOS=0x00 PREC=0x00 TTL=55 ID=39423 PROTO=TCP
SPT=443 DPT=1856 WINDOW=16260 RES=0x00 ACK PSH URGP=0
May  3 09:17:07 squidGuard kernel: [64671.174946] [UFW BLOCK] IN=eth2
OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=65.54.95.93
DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=56 ID=15075 DF
PROTO=TCP SPT=80 DPT=52652 WINDOW=6335 RES=0x00 ACK URGP=0

Thanks for your input

On Sat, Apr 30, 2011 at 2:24 PM, /dev/rob0 <rob0@gmx.co.uk> wrote:
> On Sat, Apr 30, 2011 at 08:08:55PM +0100, Andrew Beverley wrote:
>> On Sat, 2011-04-30 at 13:23 -0500, Mike Hendrie wrote:
>> > Now to lock it down? I should just create rules to block ports?
>>
>> Well it depends how paranoid you are. You might just want to block
>> new incoming connections to the local network:
>>
>> iptables -P FORWARD DROP
>> iptables -A FORWARD -i $ext_IF -o $int_IF \
>>       -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A FORWARD -i $int_IF -o $ext_IF -j ACCEPT
>>
>> You'd probably also want to drop all incoming connections to the
>> server apart from your web server:
>>
>> iptables -A INPUT -p tcp --dport 80 -i $ext_IF -j ACCEPT
>> iptables -A INPUT -i $ext_IF -j DROP
>>
>> As Rob says though, you're probably best going through a few basic
>> tutorials first - you'll be up to speed in no time. Also check out
>> iptables-save and iptables-restore.
>>
>> Let's hope I haven't made any more mistakes that Rob is going to
>> spot :)
>
> Hehe ... well ... I would suggest that you look at the enhanced
> feature set of -m conntrack --ctstate vs. -m state --state. That's
> not a mistake, though; that is preference. :)

^ permalink raw reply	[flat|nested] 22+ messages in thread
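The blocked-packet log above, run through a small triage script: an added example, not something from the thread. It reads the `[UFW BLOCK]` lines and separates genuine inbound connection attempts (SYN) from replies to connections the firewall no longer tracks (ACK without SYN), which is what every entry Mike pasted is. The sample lines inside are constructed from his, with one extra SYN line added (198.51.100.7 is a documentation address) so that both bins show up; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: triage "[UFW BLOCK]" kernel log
# lines. Each line is split into KEY=VALUE fields (IN=, SRC=, SPT=,
# DPT=, ...) plus bare TCP flag words (SYN, ACK, FIN, ...), and the
# packet is sorted into one of three bins:
#   new-inbound  SYN without ACK: someone trying to open a connection
#                to the box or the LAN; this is what the firewall is for
#   stray-reply  ACK without SYN: a reply to a connection that is no
#                longer in the conntrack table (late data, retransmitted
#                FINs); log noise, not a rule to fix
#   other        anything else (RST-only, non-TCP, ...)
#
# Sample lines constructed for this example, modelled on the thread's;
# the public address is the same placeholder Mike used.
SAMPLE_LOG='May  3 09:16:45 squidGuard kernel: [64649.105950] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63006 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:45 squidGuard kernel: [64649.107154] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=199.34.228.106 DST=xxx.xxx.xxxx LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=63007 DF PROTO=TCP SPT=80 DPT=50808 WINDOW=60 RES=0x00 ACK URGP=0
May  3 09:16:46 squidGuard kernel: [64649.221610] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=74.125.95.97 DST=xxx.xxx.xxxx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=10841 PROTO=TCP SPT=443 DPT=1790 WINDOW=11219 RES=0x00 ACK FIN URGP=0
May  3 09:20:01 squidGuard kernel: [64850.000001] [UFW BLOCK] IN=eth2 OUT= MAC=00:15:5d:04:81:10:00:50:73:f6:f4:a0:08:00 SRC=198.51.100.7 DST=xxx.xxx.xxxx LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40312 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0'

# ufw_block_triage: reads log lines on stdin, prints one line per
# (bin, IN, SRC:SPT -> DPT) with a packet count, grouped by bin.
ufw_block_triage() {
    awk '
        /\[UFW BLOCK\]/ {
            split("", kv); syn = 0; ack = 0
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq > 0) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
                else if ($i == "SYN") syn = 1
                else if ($i == "ACK") ack = 1
            }
            if (syn && !ack) bin = "new-inbound"
            else if (ack && !syn) bin = "stray-reply"
            else bin = "other"
            key = bin " " kv["IN"] " " kv["SRC"] ":" kv["SPT"] " -> " kv["DPT"]
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2,2 -k1,1nr
}

# ufw_new_inbound_count: number of blocked packets that were genuine
# connection attempts, the ones worth a second look.
ufw_new_inbound_count() {
    ufw_block_triage | awk '$2 == "new-inbound" { n += $1 } END { print n + 0 }'
}

# Run on the constructed sample; on a real box feed it
# grep 'UFW BLOCK' /var/log/kern.log instead.
printf '%s\n' "$SAMPLE_LOG" | ufw_block_triage
printf '%s\n' "$SAMPLE_LOG" | ufw_new_inbound_count
```

On the log Mike pasted every entry lands in stray-reply (all carry ACK, none SYN), so the thing to look at is whether LAN connections actually fail, not the log volume.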
