iptables and squid
Hey there,
I am using squid running on RH9 to allow web proxying. Clients are Win98, Win2k and WinNT Server. I am a newbie to Linux but I have been researching how to allow my users to access pop3 port 110 (Outlook and Outlook Express) to reach the external ISP mail server (200.10.152.55), but to no avail. I have been trying to use iptables but still cannot ping the mail server from the clients or the Linux box. I have included some relevant info. Any hints would be greatly appreciated. Thanks

eth0 Link encap:Ethernet HWaddr 00:48:54:67:CF:97
     inet addr:10.223.1.35 Bcast:10.223.1.255 Mask:255.255.255.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:7589 errors:0 dropped:0 overruns:0 frame:0
     TX packets:9830 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100
     RX bytes:975044 (952.1 Kb) TX bytes:11250988 (10.7 Mb)
     Interrupt:11 Base address:0xf000

eth1 Link encap:Ethernet HWaddr 00:04:75:7E:48:65
     inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:10344 errors:0 dropped:0 overruns:1 frame:0
     TX packets:8447 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100
     RX bytes:10917078 (10.4 Mb) TX bytes:1011510 (987.8 Kb)
     Interrupt:10 Base address:0xac00

lo   Link encap:Local Loopback
     inet addr:127.0.0.1 Mask:255.0.0.0
     UP LOOPBACK RUNNING MTU:16436 Metric:1
     RX packets:11293 errors:0 dropped:0 overruns:0 frame:0
     TX packets:11293 errors:0 dropped:0 overruns:0 carrier:0

Here is the script I have been working with:

#!/bin/sh
echo "Setting up IP masquerading"

# Enable IP forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward

IPTABLES=/sbin/iptables
EXTIF="eth1"
INTIF="eth0"
echo "External Interface: $EXTIF"
echo "Internal Interface: $INTIF"

# Load the NAT table module
echo -en "iptable_nat,"
/sbin/insmod iptable_nat
# Support masquerading of FTP file transfer (helper module, currently disabled)
#echo -en "ip_nat_ftp,"
#/sbin/insmod ip_nat_ftp
echo ". Done Loading all modules."

# Enable ip forwarding and masquerading
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "FWD: Allow all connections OUT and only existing and related ones IN"
#$IPTABLES -A FORWARD -d 10.0.0.138 -i $EXTIF -o $INTIF -p tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Anything not matched above is logged, then dropped by the FORWARD policy
$IPTABLES -A FORWARD -j LOG --log-prefix "UNMATCHED FORWARD"

echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t filter -A OUTPUT -o $EXTIF -p icmp -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Result of ping:

[root@KGNPROXY root]# ping -c 2 -t 1 200.10.152.55
PING 200.10.152.55 (200.10.152.55) 56(84) bytes of data.
From 10.0.0.138 icmp_seq=1 Time to live exceeded
From 10.0.0.138 icmp_seq=2 Time to live exceeded

--- 200.10.152.55 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1013ms

What am I doing wrong?
I hate scripts personally, bro... no offense, it just makes it so much harder for me to read.
Click the link in my sig, that'll help.
Thanks,
Just one question: in the script you sent, what is represented by WAN and LAN (or eth0 and eth1)?
Well, to talk to the external mail server you just need the Linux box to be routing properly...
Squid is for accelerating the surfing and saving bandwidth and that sorta stuff (yes, you can use it to share one IP address but that's not the point)... If you can't ping the internet from the Linux router or the LAN then something's wrong... Are you sure you have the IP configuration set up correctly? In other words, can you ping the net from the router when iptables is flushed??? Try flushing iptables with something like this: http://www.linuxguruz.org/iptables/s...h-iptables.txt
Can you now ping the net from the router??? Okay, you could then try using an iptables script generated here to set up the router for your network (I've tried it and it works nicely): http://morizot.net/firewall/gen/
Good luck!!!
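The flush-then-ping check the reply above describes, followed by the minimal stateful router rule set the original script was aiming for, as an added example (this is not code from the thread or from either linked generator). Interface names, the dry-run switch and the helper names are assumptions; with DRY_RUN=1 (the default) the iptables and ping commands are printed for review instead of executed, so it can be read and checked before it touches a live router. One detail worth knowing when reading the ping output in the first post: on Linux, ping's -t option sets the IP TTL (the per-reply timeout is -W), so a probe sent with -t 1 expires at the first hop and the gateway answers "Time to live exceeded" whatever the state of the firewall rules.

```shell
#!/bin/sh
# Added example: flush iptables, test plain connectivity, then install an
# ordered NAT router rule set. Everything is an assumption to adapt:
# interface names, the DRY_RUN switch and the function names.

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only, 0 = execute them

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1 of the reply: open the box completely so that a failed ping can only
# mean addressing or routing, never a firewall rule.
flush_all() {
    for chain in INPUT OUTPUT FORWARD; do
        run "$IPTABLES" -P "$chain" ACCEPT
    done
    run "$IPTABLES" -F
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -X
}

# Step 2: connectivity probe. -W is the reply timeout in seconds; -t would
# set the TTL and a TTL of 1 dies at the first hop, which is what the
# "Time to live exceeded" lines in the first post show.
ping_check() {
    run ping -c 2 -W 1 "$1"
}

# Step 3: router rules. $1 = internal (LAN) interface, $2 = external (WAN).
# LAN -> WAN is allowed, WAN -> LAN only for replies to existing sessions,
# everything else is logged once and then dropped by the FORWARD policy.
router_rules() {
    intif=$1
    extif=$2
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -A FORWARD -i "$intif" -o "$extif" -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$extif" -o "$intif" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -j LOG --log-prefix "UNMATCHED FORWARD: "
    # Rewrite the source of LAN traffic to the WAN interface address.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$extif" -j MASQUERADE
}

# Usage: INTIF=eth0 EXTIF=eth1 TARGET=192.0.2.1 DRY_RUN=0 sh nat-check.sh
main() {
    flush_all
    ping_check "${TARGET:-192.0.2.1}"       # 192.0.2.1 is a documentation address, a placeholder
    router_rules "${INTIF:-eth0}" "${EXTIF:-eth1}"
}

main
```

Run it once with DRY_RUN=1 and the ping target set to the mail server to see exactly which commands will be issued, and only then with DRY_RUN=0 on the router; if the ping still fails right after flush_all, the problem is in the interface addresses or the default route, not in iptables.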