* How to check why HTTP proxy is not accessible from outside?
@ 2018-02-10 5:28 Peng Yu
2018-02-11 21:03 ` SV: " André Paulsberg-Csibi (IBM Consultant)
0 siblings, 1 reply; 3+ messages in thread
From: Peng Yu @ 2018-02-10 5:28 UTC (permalink / raw)
To: netfilter
Hi,
I have squid HTTP proxy running on both of the following servers
(server 1 and 2). But the proxy service on server1 can not be accessed
from outside.
I am not familiar with the output of iptables. Could the difference
explain why proxy on server1 is not accessible? Thanks.
server1:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp
dpt:smtp reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:http reject-with icmp-port-unreachable
ACCEPT tcp -- localhost anywhere tcp dpt:5900
ACCEPT tcp -- localhost anywhere tcp dpt:5901
ACCEPT tcp -- localhost anywhere tcp dpt:5902
ACCEPT tcp -- localhost anywhere tcp dpt:5903
ACCEPT tcp -- localhost anywhere tcp dpt:5904
ACCEPT tcp -- localhost anywhere tcp dpt:5905
ACCEPT tcp -- localhost anywhere tcp dpt:5906
ACCEPT tcp -- localhost anywhere tcp dpt:5907
REJECT tcp -- anywhere anywhere tcp
dpt:5900 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5901 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5902 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5903 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5904 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5905 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5906 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5907 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:imap2 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:imaps reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
server2:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- localhost anywhere tcp dpt:5900
ACCEPT tcp -- localhost anywhere tcp dpt:5901
ACCEPT tcp -- localhost anywhere tcp dpt:5902
ACCEPT tcp -- localhost anywhere tcp dpt:5903
ACCEPT tcp -- localhost anywhere tcp dpt:5904
ACCEPT tcp -- localhost anywhere tcp dpt:5905
ACCEPT tcp -- localhost anywhere tcp dpt:5906
ACCEPT tcp -- localhost anywhere tcp dpt:5907
REJECT tcp -- anywhere anywhere tcp
dpt:5900 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5901 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5902 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5903 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5904 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5905 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5906 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5907 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:smtp reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:imap2 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:imaps reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
--
Regards,
Peng
^ permalink raw reply [flat|nested] 3+ messages in thread
* SV: How to check why HTTP proxy is not accessible from outside?
2018-02-10 5:28 How to check why HTTP proxy is not accessible from outside? Peng Yu
@ 2018-02-11 21:03 ` André Paulsberg-Csibi (IBM Consultant)
2018-02-11 22:20 ` Neal P. Murphy
0 siblings, 1 reply; 3+ messages in thread
From: André Paulsberg-Csibi (IBM Consultant) @ 2018-02-11 21:03 UTC (permalink / raw)
To: 'Peng Yu', netfilter@vger.kernel.org
Hi ,
Even if you have not explained how this is setup , it seems very unlikely the issue with server1 could be the iptables FW ...
... I can only GUESS here since there is not enough data to be 100% sure .
However there are not really any relevant difference in the rules for server1 and server2 , and the ruleset is not setup in what I would call best practice .
In essence both rules allow for everything , except SMTP , HTTP , IMAP2 and IMAPS
Unless your SQUID PROXY setup is using one of the 4 ports associated with the 4 services ( and normally it would not ) it should not be blocked .
REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:imap2 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:imaps reject-with icmp-port-unreachable
From what I can understand all other rules are not needed / since they are covered by a DEFAULT ACCEPT in this "SETUP"
You can normally verify this if you use the syntax
"sudo iptables -nvL"
This will show you hit counters statistics
If you then try from outside "telnet server1 3128" ( you may need to change the port 3128 with whatever port your squid setup uses , but 3128 is normally the default )
Then when you another "sudo iptables -nvL" right after and none of the counters have increase for any DROP / REJECT rule
Best regards
André Paulsberg-Csibi
Senior Network Engineer
IBM Services AS
-----Opprinnelig melding-----
Fra: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] På vegne av Peng Yu
Sendt: l√∏rdag 10. februar 2018 06.28
Til: netfilter@vger.kernel.org
Emne: How to check why HTTP proxy is not accessible from outside?
Hi,
I have squid HTTP proxy running on both of the following servers
(server 1 and 2). But the proxy service on server1 can not be accessed
from outside.
I am not familiar with the output of iptables. Could the difference
explain why proxy on server1 is not accessible? Thanks.
server1:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp
dpt:smtp reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:http reject-with icmp-port-unreachable
ACCEPT tcp -- localhost anywhere tcp dpt:5900
ACCEPT tcp -- localhost anywhere tcp dpt:5901
ACCEPT tcp -- localhost anywhere tcp dpt:5902
ACCEPT tcp -- localhost anywhere tcp dpt:5903
ACCEPT tcp -- localhost anywhere tcp dpt:5904
ACCEPT tcp -- localhost anywhere tcp dpt:5905
ACCEPT tcp -- localhost anywhere tcp dpt:5906
ACCEPT tcp -- localhost anywhere tcp dpt:5907
REJECT tcp -- anywhere anywhere tcp
dpt:5900 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5901 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5902 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5903 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5904 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5905 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5906 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5907 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:imap2 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:imaps reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
server2:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- localhost anywhere tcp dpt:5900
ACCEPT tcp -- localhost anywhere tcp dpt:5901
ACCEPT tcp -- localhost anywhere tcp dpt:5902
ACCEPT tcp -- localhost anywhere tcp dpt:5903
ACCEPT tcp -- localhost anywhere tcp dpt:5904
ACCEPT tcp -- localhost anywhere tcp dpt:5905
ACCEPT tcp -- localhost anywhere tcp dpt:5906
ACCEPT tcp -- localhost anywhere tcp dpt:5907
REJECT tcp -- anywhere anywhere tcp
dpt:5900 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5901 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5902 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5903 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5904 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5905 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5906 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:5907 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:smtp reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:http reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:imap2 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp
dpt:imaps reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
--
Regards,
Peng
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: How to check why HTTP proxy is not accessible from outside?
2018-02-11 21:03 ` SV: " André Paulsberg-Csibi (IBM Consultant)
@ 2018-02-11 22:20 ` Neal P. Murphy
0 siblings, 0 replies; 3+ messages in thread
From: Neal P. Murphy @ 2018-02-11 22:20 UTC (permalink / raw)
Cc: netfilter@vger.kernel.org
[send it to the list this time]
The group of ACCEPTs allows packets to ports 5900-5907 from localhost to localhost because this is the INPUT chain. The group of REJECTs blocks packets to ports 5900-5907, smtp, http, imap2 and imaps from anywhere to localhost).
He didn't say how he is accessing his proxy. Which port? HTTP or HTTPS? Do his proxies have public addresses? Is there a NAT firewall between his two servers and the internet? If so, does that firewall allow traffic to server2?
If these are all the rules, I don't see any netfilter-related reason why server1 does not work while server does work.
N
On Sun, 11 Feb 2018 21:03:04 +0000
André Paulsberg-Csibi (IBM Consultant) <Andre.Paulsberg-Csibi@evry.com> wrote:
> Hi ,
>
> Even if you have not explained how this is setup , it seems very unlikely the issue with server1 could be the iptables FW ...
> ... I can only GUESS here since there is not enough data to be 100% sure .
> However there are not really any relevant difference in the rules for server1 and server2 , and the ruleset is not setup in what I would call best practice .
> In essence both rules allow for everything , except SMTP , HTTP , IMAP2 and IMAPS
> Unless your SQUID PROXY setup is using one of the 4 ports associated with the 4 services ( and normally it would not ) it should not be blocked .
>
> REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:imap2 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp dpt:imaps reject-with icmp-port-unreachable
>
> From what I can understand all other rules are not needed / since they are covered by a DEFAULT ACCEPT in this "SETUP"
>
> You can normally verify this if you use the syntax
>
> "sudo iptables -nvL"
> This will show you hit counters statistics
> If you then try from outside "telnet server1 3128" ( you may need to change the port 3128 with whatever port your squid setup uses , but 3128 is normally the default )
>
> Then when you another "sudo iptables -nvL" right after and none of the counters have increase for any DROP / REJECT rule
>
>
>
> Best regards
> André Paulsberg-Csibi
> Senior Network Engineer
> IBM Services AS
>
> -----Opprinnelig melding-----
> Fra: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] På vegne av Peng Yu
> Sendt: lørdag 10. februar 2018 06.28
> Til: netfilter@vger.kernel.org
> Emne: How to check why HTTP proxy is not accessible from outside?
>
> Hi,
>
> I have squid HTTP proxy running on both of the following servers
> (server 1 and 2). But the proxy service on server1 can not be accessed
> from outside.
>
> I am not familiar with the output of iptables. Could the difference
> explain why proxy on server1 is not accessible? Thanks.
>
> server1:~$ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere tcp
> dpt:smtp reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:http reject-with icmp-port-unreachable
> ACCEPT tcp -- localhost anywhere tcp dpt:5900
> ACCEPT tcp -- localhost anywhere tcp dpt:5901
> ACCEPT tcp -- localhost anywhere tcp dpt:5902
> ACCEPT tcp -- localhost anywhere tcp dpt:5903
> ACCEPT tcp -- localhost anywhere tcp dpt:5904
> ACCEPT tcp -- localhost anywhere tcp dpt:5905
> ACCEPT tcp -- localhost anywhere tcp dpt:5906
> ACCEPT tcp -- localhost anywhere tcp dpt:5907
> REJECT tcp -- anywhere anywhere tcp
> dpt:5900 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5901 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5902 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5903 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5904 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5905 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5906 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5907 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:imap2 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:imaps reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> server2:~$ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT tcp -- localhost anywhere tcp dpt:5900
> ACCEPT tcp -- localhost anywhere tcp dpt:5901
> ACCEPT tcp -- localhost anywhere tcp dpt:5902
> ACCEPT tcp -- localhost anywhere tcp dpt:5903
> ACCEPT tcp -- localhost anywhere tcp dpt:5904
> ACCEPT tcp -- localhost anywhere tcp dpt:5905
> ACCEPT tcp -- localhost anywhere tcp dpt:5906
> ACCEPT tcp -- localhost anywhere tcp dpt:5907
> REJECT tcp -- anywhere anywhere tcp
> dpt:5900 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5901 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5902 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5903 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5904 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5905 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5906 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:5907 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:smtp reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:http reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:imap2 reject-with icmp-port-unreachable
> REJECT tcp -- anywhere anywhere tcp
> dpt:imaps reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-02-11 22:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-02-10 5:28 How to check why HTTP proxy is not accessible from outside? Peng Yu
2018-02-11 21:03 ` SV: " André Paulsberg-Csibi (IBM Consultant)
2018-02-11 22:20 ` Neal P. Murphy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox