
Thread: iptables, squid

  1. #1

    iptables, squid

    Hello all

    I have a little network as described below.

    A Linux router/proxy with the external interface 192.168.121.240,
    internal interface 10.0.0.2 and a DMZ interface 10.1.0.2.

    On the DMZ I have a Linux box with IP 10.1.0.10 and apache2, php5, mysql and samba installed.

    On the internal interface I have the IPs 10.0.0.3, 10.0.0.4 and 10.0.0.5 with 3 Windows 2003 servers, a Linux mail server with the IP 10.0.0.6 and a Windows XP machine with the IP 10.0.0.20.

    This network is connected to another network that has a proxy server with the IP 192.168.1.253.

    Now from the internal network I can go to google.com.
    But when I type in //10.1.0.10/phpinfo.php it won't connect to the apache2 server on the DMZ.
    And when I type //10.0.0.6/webmail/login it also won't go to the webpage, even though it's on the same network.

    Now my question is: did I do my iptables or squid wrong, or both?

    (I did type http: before the web addresses, but then it's seen as a link and I can't post.)

    I post the iptables and squid.conf below.



    Greets Davano

    Iptables:
    Code:
    EXT_IFACE=eth0
    DMZ_IFACE=eth1
    DMZ_ADDR=10.1.0.0/24
    INT_IFACE=eth2
    INT_ADDR=10.0.0.0/24
    WEB_SERVER=10.1.0.10
    echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
    echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
    iptables -F
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -A FORWARD -j DROP
    iptables -N int-dmz
    iptables -N ext-dmz
    iptables -N int-ext
    iptables -N dmz-int
    iptables -N dmz-ext
    iptables -N ext-int
    iptables -N icmp-acc
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.121.240
    iptables -t nat -A PREROUTING -p tcp -d $WEB_SERVER --dport http -j DNAT --to $WEB_SERVER:80
    iptables -t nat -A PREROUTING -p tcp -d $WEB_SERVER --dport https -j DNAT --to $WEB_SERVER:443
    iptables -A ext-dmz -p tcp --dport http -d $WEB_SERVER -j ACCEPT
    iptables -A FORWARD -s $INT_ADDR -o $DMZ_IFACE -j int-dmz
    iptables -A FORWARD -s $INT_ADDR -o $EXT_IFACE -j int-ext
    iptables -A FORWARD -s $DMZ_ADDR -o $EXT_IFACE -j dmz-ext
    iptables -A FORWARD -s $DMZ_ADDR -o $INT_IFACE -j dmz-int
    iptables -A FORWARD -o $DMZ_IFACE -j ext-dmz
    iptables -A FORWARD -o $INT_IFACE -j ext-int
    iptables -A FORWARD -j LOG --log-prefix "chain-jump"
    iptables -A FORWARD -j DROP
    iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
    iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A icmp-acc -j LOG --log-prefix "icmp-acc"
    iptables -A icmp-acc -j DROP
    iptables -A int-dmz -p udp --dport domain -j ACCEPT
    iptables -A int-dmz -p tcp --dport domain -j ACCEPT
    iptables -A int-dmz -p tcp --dport www -j ACCEPT
    iptables -A int-dmz -p tcp --dport https -j ACCEPT
    iptables -A int-dmz -p tcp --dport ssh -j ACCEPT
    iptables -A int-dmz -p tcp --dport telnet -j ACCEPT
    iptables -A int-dmz -p tcp --dport auth -j ACCEPT
    iptables -A int-dmz -p tcp --dport ftp -j ACCEPT
    iptables -A int-dmz -p icmp -j icmp-acc
    iptables -A int-dmz -j LOG --log-prefix "int-dmz"
    iptables -A int-dmz -j DROP
    iptables -A ext-dmz -p udp --dport domain -j ACCEPT
    iptables -A ext-dmz -p tcp --dport domain -j ACCEPT
    iptables -A ext-dmz -p tcp --dport www -j ACCEPT
    iptables -A ext-dmz -p tcp --dport https -j ACCEPT
    iptables -A ext-dmz -p tcp --dport ssh -j ACCEPT
    iptables -A ext-dmz -p icmp -j icmp-acc
    iptables -A ext-dmz -j LOG --log-prefix "ext-dmz"
    iptables -A ext-dmz -j DROP
    iptables -A int-ext -j ACCEPT
    iptables -A dmz-int -p udp --sport domain -j ACCEPT
    iptables -A dmz-int -p tcp ! --syn --sport domain -j ACCEPT
    iptables -A dmz-int -p tcp ! --syn --sport www -j ACCEPT
    iptables -A dmz-int -p tcp ! --syn --sport ssh -j ACCEPT
    iptables -A dmz-int -p icmp -j icmp-acc
    iptables -A dmz-int -j LOG --log-prefix "dmz-int"
    iptables -A dmz-int -j DROP
    iptables -A dmz-ext -p udp --dport domain -j ACCEPT
    iptables -A dmz-ext -p tcp --dport domain -j ACCEPT
    iptables -A dmz-ext -p tcp --dport www -j ACCEPT
    iptables -A dmz-ext -p tcp --dport https -j ACCEPT
    iptables -A dmz-ext -p tcp --dport ssh -j ACCEPT
    iptables -A dmz-ext -p tcp --dport ftp -j ACCEPT
    iptables -A dmz-ext -p tcp --dport whois -j ACCEPT
    iptables -A dmz-ext -p tcp --dport telnet -j ACCEPT
    iptables -A dmz-ext -p tcp --dport ntp -j ACCEPT
    iptables -A dmz-ext -p icmp -j icmp-acc
    iptables -A dmz-ext -j LOG --log-prefix "dmz-ext"
    iptables -A dmz-ext -j DROP
    iptables -A ext-int -j DROP
    iptables -N ext-if
    iptables -N dmz-if
    iptables -N int-if
    iptables -A INPUT -i $EXT_IFACE -j ext-if
    iptables -A INPUT -i $DMZ_IFACE -j dmz-if
    iptables -A INPUT -i $INT_IFACE -j int-if
    iptables -A ext-if -j ACCEPT
    iptables -A dmz-if -j ACCEPT
    iptables -A int-if -j ACCEPT
    iptables -D INPUT 1
    iptables -D OUTPUT 1
    iptables -D FORWARD 1
    Last edited by Davano; 14th July 2011 at 05:05 AM.

  2. #2

    Can't post it in one file, so I replied.
    This is the output from iptables -L

    linux-od82:~ # iptables -L
    Code:
    Chain INPUT (policy DROP)
    target prot opt source destination
    ext-if all -- anywhere anywhere
    dmz-if all -- anywhere anywhere
    int-if all -- anywhere anywhere
    
    Chain FORWARD (policy DROP)
    target prot opt source destination
    DROP all -- anywhere anywhere state INVALID
    DROP all -- anywhere anywhere state RELATED,ESTABLISHED
    int-dmz all -- 10.0.0.0/24 anywhere
    int-ext all -- 10.0.0.0/24 anywhere
    dmz-ext all -- 10.1.0.0/24 anywhere
    dmz-int all -- 10.1.0.0/24 anywhere
    ext-dmz all -- anywhere anywhere
    ext-int all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level warning prefix `chain-jump'
    DROP all -- anywhere anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    
    Chain dmz-ext (1 references)
    target prot opt source destination
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
    ACCEPT tcp -- anywhere anywhere tcp dpt:nicname
    ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
    ACCEPT tcp -- anywhere anywhere tcp dpt:ntp
    icmp-acc icmp -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level warning prefix `dmz-ext'
    DROP all -- anywhere anywhere
    
    Chain dmz-if (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    
    Chain dmz-int (1 references)
    target prot opt source destination
    ACCEPT udp -- anywhere anywhere udp spt:domain
    ACCEPT tcp -- anywhere anywhere tcp spt:domain flags:!FIN,SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere tcp spt:http flags:!FIN,SYN,RST,ACK/SYN
    ACCEPT tcp -- anywhere anywhere tcp spt:ssh flags:!FIN,SYN,RST,ACK/SYN
    icmp-acc icmp -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level warning prefix `dmz-int'
    DROP all -- anywhere anywhere
    
    Chain ext-dmz (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere 10.1.0.10 tcp dpt:http
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    icmp-acc icmp -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level warning prefix `ext-dmz'
    
    Chain ext-if (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    
    Chain ext-int (1 references)
    target prot opt source destination
    
    Chain forward_dmz (0 references)
    target prot opt source destination
    
    Chain forward_ext (0 references)
    target prot opt source destination
    
    Chain forward_int (0 references)
    target prot opt source destination
    
    Chain icmp-acc (4 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp source-quench
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    LOG all -- anywhere anywhere LOG level warning prefix `icmp-acc'
    DROP all -- anywhere anywhere
    
    Chain input_dmz (0 references)
    target prot opt source destination
    
    Chain input_ext (0 references)
    target prot opt source destination
    
    Chain input_int (0 references)
    target prot opt source destination
    
    Chain int-dmz (1 references)
    target prot opt source destination
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
    ACCEPT tcp -- anywhere anywhere tcp dpt:ident
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
    icmp-acc icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level warning prefix `int-dmz'
    
    Chain int-ext (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    
    Chain int-if (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    
    Chain reject_func (0 references)
    target prot opt source destination
    linux-od82:~ #
    
    
    
    Squid.conf:
    
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    
    acl localnet src 10.1.0.0/24 # RFC1918 possible internal network
    acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    
    http_access allow all
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet
    http_access allow localhost
    http_access allow all
    
    icp_access allow localnet
    icp_access deny all
    
    cache_peer 192.168.1.253 parent 8080 3130 proxy-only no-query
    cache_peer 192.168.1.252 parent 8080 3130 proxy-only no-query
    cache_peer 192.168.1.251 parent 8080 3130 proxy-only no-query
    
    hierarchy_stoplist cgi-bin ?
    
    
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    
    dns_nameservers 10.0.0.3 10.0.0.4
    
    retry_on_error on
    Last edited by Davano; 14th July 2011 at 05:05 AM.
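As an added example (not part of Davano's posts), the following Python script reads an `iptables -L` listing in the column layout shown in the second post and checks it for rule-ordering problems, then applies the same first-match check to the `http_access` lines of the squid.conf. The two embedded samples are constructed excerpts of the listing and the squid.conf posted in this thread; the script assumes plain `iptables -L` output without `-v` (so there are no interface columns) and that squid evaluates `http_access` lines in order and stops at the first match. Run on the excerpt, it reports exactly the places where the live ruleset differs from the script in the first post: the RELATED,ESTABLISHED rule in FORWARD has target DROP where the script says ACCEPT, int-dmz carries an unconditional ACCEPT that is not in the script, and ext-dmz and int-dmz stop at their LOG rule without the script's terminal DROP. For the squid.conf it flags every `http_access` line after the leading `http_access allow all` as unreachable.

```python
import re
from collections import namedtuple

# Constructed sample: an excerpt of the `iptables -L` listing posted above
# (FORWARD and three of the user chains it jumps to), lines copied verbatim.
LISTING = """\
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state RELATED,ESTABLISHED
int-dmz all -- 10.0.0.0/24 anywhere
dmz-int all -- 10.1.0.0/24 anywhere
ext-dmz all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `chain-jump'
DROP all -- anywhere anywhere

Chain dmz-int (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:http flags:!FIN,SYN,RST,ACK/SYN
DROP all -- anywhere anywhere

Chain ext-dmz (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.1.0.10 tcp dpt:http
LOG all -- anywhere anywhere LOG level warning prefix `ext-dmz'

Chain int-dmz (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `int-dmz'
"""

# Constructed sample: the http_access lines of the squid.conf posted above.
SQUID_CONF = """\
acl all src all
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow localnet
http_access allow all
"""

# extra: match text after the destination column ("" if none).
# policy: set for built-in chains; user chains carry a reference count instead.
Rule = namedtuple("Rule", "target proto src dst extra")
Chain = namedtuple("Chain", "name policy references rules")

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")

def parse_listing(text):
    """Parse plain `iptables -L` output (no -v, so no interface columns)."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("target "):
            continue                      # blank line or column header
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = Chain(name, policy, int(refs or 0), [])
            continue
        cols = line.split(None, 5)        # target prot opt src dst [extra]
        if current is not None and len(cols) >= 5:
            current.rules.append(Rule(cols[0], cols[1], cols[3], cols[4],
                                      cols[5] if len(cols) > 5 else ""))
    return chains

def audit_chains(chains):
    """Flag ordering mistakes: a stateful rule whose target is not ACCEPT,
    an unconditional ACCEPT shadowing later rules, a user chain with no
    terminal DROP/REJECT (unmatched packets fall back to the caller)."""
    findings = []
    for ch in chains.values():
        for i, r in enumerate(ch.rules, 1):
            if "RELATED,ESTABLISHED" in r.extra and r.target != "ACCEPT":
                findings.append(f"{ch.name} rule {i}: established flows hit {r.target}, not ACCEPT")
            unconditional = (r.proto == "all" and r.src == "anywhere"
                             and r.dst == "anywhere" and not r.extra)
            if r.target == "ACCEPT" and unconditional and i < len(ch.rules):
                findings.append(f"{ch.name} rule {i}: ACCEPT all shadows {len(ch.rules) - i} later rule(s)")
        if ch.policy is None and (not ch.rules or ch.rules[-1].target not in ("DROP", "REJECT")):
            findings.append(f"{ch.name}: no terminal DROP, unmatched traffic returns to the caller")
    return findings

def audit_squid_access(conf):
    """squid evaluates http_access first-match, so every line after an
    unconditional 'allow all' or 'deny all' can never be reached."""
    findings, catch_all = [], None
    for n, line in enumerate(conf.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        if catch_all:
            findings.append(f"squid.conf line {n}: '{line}' is unreachable after '{catch_all}'")
        elif parts[2:] == ["all"]:
            catch_all = line
    return findings
```

Calling `audit_chains(parse_listing(LISTING))` returns four findings (FORWARD rule 2, ext-dmz, int-dmz rule 2, int-dmz) and none for dmz-int, which ends in a DROP as the script intended; `audit_squid_access(SQUID_CONF)` returns one finding per `http_access` line after the first `allow all`. To audit a real box, pass the text of its own `iptables -L` listing and squid.conf to the same two functions; the parser only understands the non-verbose column layout shown in this thread.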
