From: "Neal P. Murphy" <neal.p.murphy@alum.wpi.edu>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: How to check why HTTP proxy is not accessible from outside?
Date: Sun, 11 Feb 2018 17:20:51 -0500
Message-ID: <20180211172051.53d60163@playground>
In-Reply-To: <f095e07f58414b00b4dddc3776f0f64e@CCDEX023.corp.corpcommon.com>
[send it to the list this time]
The group of ACCEPTs allows packets to ports 5900-5907 from localhost to localhost because this is the INPUT chain. The group of REJECTs blocks packets to ports 5900-5907, smtp, http, imap2 and imaps from anywhere to localhost.
He didn't say how he is accessing his proxy. Which port? HTTP or HTTPS? Do his proxies have public addresses? Is there a NAT firewall between his two servers and the internet? If so, does that firewall allow traffic to server2?
If these are all the rules, I don't see any netfilter-related reason why server1 does not work while server2 does work.
N
On Sun, 11 Feb 2018 21:03:04 +0000
André Paulsberg-Csibi (IBM Consultant) <Andre.Paulsberg-Csibi@evry.com> wrote:
> Hi,
>
> Even if you have not explained how this is set up, it seems very unlikely the issue with server1 could be the iptables FW ...
> ... I can only GUESS here since there is not enough data to be 100% sure.
> However, there are not really any relevant differences in the rules for server1 and server2, and the ruleset is not set up in what I would call best practice.
> In essence both rulesets allow everything, except SMTP, HTTP, IMAP2 and IMAPS.
> Unless your SQUID PROXY setup is using one of the 4 ports associated with the 4 services (and normally it would not), it should not be blocked.
>
> REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:imap2 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:imaps reject-with icmp-port-unreachable
>
> From what I can understand all other rules are not needed, since they are covered by a DEFAULT ACCEPT in this "SETUP".
>
> You can normally verify this if you use the syntax
>
> "sudo iptables -nvL"
> This will show you hit counter statistics.
> If you then try from outside "telnet server1 3128" (you may need to change the port 3128 to whatever port your squid setup uses, but 3128 is normally the default)
>
> Then when you run another "sudo iptables -nvL" right after, and none of the counters have increased for any DROP / REJECT rule
>
> Best regards
> André Paulsberg-Csibi
> Senior Network Engineer
> IBM Services AS
>
> -----Original message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On behalf of Peng Yu
> Sent: Saturday 10 February 2018 06:28
> To: netfilter@vger.kernel.org
> Subject: How to check why HTTP proxy is not accessible from outside?
>
> Hi,
>
> I have squid HTTP proxy running on both of the following servers
> (server 1 and 2). But the proxy service on server1 cannot be accessed
> from outside.
>
> I am not familiar with the output of iptables. Could the difference
> explain why the proxy on server1 is not accessible? Thanks.
>
> server1:~$ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
> ACCEPT tcp -- localhost anywhere tcp dpt:5900
> ACCEPT tcp -- localhost anywhere tcp dpt:5901
> ACCEPT tcp -- localhost anywhere tcp dpt:5902
> ACCEPT tcp -- localhost anywhere tcp dpt:5903
> ACCEPT tcp -- localhost anywhere tcp dpt:5904
> ACCEPT tcp -- localhost anywhere tcp dpt:5905
> ACCEPT tcp -- localhost anywhere tcp dpt:5906
> ACCEPT tcp -- localhost anywhere tcp dpt:5907
> REJECT tcp -- anywhere anywhere tcp dpt:5900 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5901 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5902 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5903 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5904 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5905 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5906 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5907 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:imap2 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:imaps reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> server2:~$ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT tcp -- localhost anywhere tcp dpt:5900
> ACCEPT tcp -- localhost anywhere tcp dpt:5901
> ACCEPT tcp -- localhost anywhere tcp dpt:5902
> ACCEPT tcp -- localhost anywhere tcp dpt:5903
> ACCEPT tcp -- localhost anywhere tcp dpt:5904
> ACCEPT tcp -- localhost anywhere tcp dpt:5905
> ACCEPT tcp -- localhost anywhere tcp dpt:5906
> ACCEPT tcp -- localhost anywhere tcp dpt:5907
> REJECT tcp -- anywhere anywhere tcp dpt:5900 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5901 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5902 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5903 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5904 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5905 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5906 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:5907 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:imap2 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:imaps reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
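The counter check André describes (snapshot `sudo iptables -nvL`, attempt `telnet server1 3128` from outside, snapshot again, see whether any REJECT/DROP counter moved), as an added example that is not part of the thread: a small Python script that parses two listings and reports the rules whose packet counters grew. The listings are constructed samples, not the poster's data; on a real host capture them with `sudo iptables -nvxL`, since `-x` prints exact counters instead of K/M-rounded ones.

```python
import re

# Constructed sample of `sudo iptables -nvL` output (not the poster's data);
# with -n, service names appear as port numbers and localhost as 127.0.0.1.
BEFORE = """\
Chain INPUT (policy ACCEPT 1200 packets, 96000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 reject-with icmp-port-unreachable
    4   240 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:5900
    2   120 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5900 reject-with icmp-port-unreachable
"""
# Snapshot after a "telnet server1 3128" attempt: only the policy counter moved,
# so the connection fell through to the default ACCEPT (squid is not blocked).
AFTER_OK = BEFORE.replace("1200 packets", "1203 packets")
# Same attempt if squid were listening on port 80: the dpt:80 REJECT rule fires.
AFTER_HIT = AFTER_OK.replace("    4   240 REJECT", "    5   300 REJECT")

SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}   # -v rounds large counters

def to_int(s):
    """Counter column value; use `iptables -nvxL` to avoid K/M/G rounding."""
    return int(s[:-1]) * SUFFIX[s[-1]] if s[-1] in SUFFIX else int(s)

# Columns: pkts bytes target prot opt in out source destination [match text]
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_counters(listing):
    """Return [(chain, rule_text, pkts)] in listing order, skipping headers."""
    chain, rules = None, []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = ROW.match(line)
        if chain is None or not m or m.group(1) == "pkts":
            continue
        pkts, _bytes, target, prot, src, dst, extra = m.groups()
        rules.append((chain, f"{target} {prot} {src} -> {dst} {extra}".strip(), to_int(pkts)))
    return rules

def rejected_deltas(before, after, targets=("REJECT", "DROP")):
    """REJECT/DROP rules whose packet counter grew between the two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    if [r[:2] for r in b] != [r[:2] for r in a]:
        raise ValueError("ruleset changed between snapshots; take both again")
    return [(chain, rule, p1 - p0) for (chain, rule, p0), (_, _, p1) in zip(b, a)
            if p1 > p0 and rule.split()[0] in targets]

if __name__ == "__main__":
    for name, snap in (("squid on 3128", AFTER_OK), ("squid on 80", AFTER_HIT)):
        print(name, "->", rejected_deltas(BEFORE, snap) or "no REJECT/DROP rule hit")
```

An empty result means the test connection never matched a blocking rule, which points the investigation away from netfilter and toward the questions in Neal's reply (listening port, public address, any NAT device in front of server1).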