Old 04-27-2005, 01:48 AM   #1
razan
LQ Newbie
 
Registered: Jan 2005
Location: Unix planet
Posts: 28

Rep: Reputation: 15
Firewall, SQUID problem please help me


Please help me solve my problem. Here is the detail about my firewall. I am actually trying to install a firewall and a squid proxy server in the same Linux box.

Code:
#!/bin/sh
#echo " Flushing the tables"
# My 192.168.0.0/24 network is connected to NAT enabled router LAN port
#192.168.0.7 is the ip address of LINUX GATEWAY, Router, proxy and firewall server
# My 172.168.0.0/16 is connected to LAN from the LINUX GATEWAY, Router, proxy and firewall server

# Linux has the following ethernet interfaces and addresses
#eth0 192.168.0.7
#eth2 172.16.0.254

iptables -F
iptables -F
iptables -t nat -F POSTROUTING
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -X
iptables -t nat -F PREROUTING

#Default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


#My own TCP Policy
iptables -N fire
iptables -A fire -p TCP --syn -j ACCEPT
iptables -A fire -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A fire -p TCP -j DROP

#INPUT chain

#firewall to INTERNET
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.7 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.16.0.254 -j ACCEPT
iptables -A INPUT -p ALL -i eth2 -s 172.16.0.255 -j ACCEPT

iptables -A INPUT -p ALL -d 192.168.0.7 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i eth2 --destination-port 3128 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#test
#iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j ACCEPT
#iptables -A INPUT -p ALL -d 172.16.0.254 -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A INPUT -p TCP -i eth0 -s 0/0 -d 172.16.0.0/16 --destination-port 8080 -j fire

#ICMP for internet
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT
iptables -A OUTPUT -p ICMP -o eth0 -s 0/0 --icmp-type echo-reply -j ACCEPT

#icmp for LAN
iptables -A INPUT -p ICMP -i eth2 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth2 -s 0/0 --icmp-type 11 -j ACCEPT
iptables -A OUTPUT -p ICMP -o eth2 -s 0/0 --icmp-type echo-reply -j ACCEPT


#output
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.7 -j ACCEPT
iptables -A OUTPUT -p ALL -s 172.16.0.254 -j ACCEPT

#FORWARD
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
#iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.7
 
Old 04-27-2005, 02:03 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
what exactly is the problem you are having??
 
Old 04-27-2005, 03:37 AM   #3
Bilal84
LQ Newbie
 
Registered: Apr 2005
Location: Lebanon
Distribution: Debian3.1,Suse9.3, Redhat
Posts: 25

Rep: Reputation: 15
Hi....
Please detail your problem.... for more help
 
Old 04-27-2005, 03:37 AM   #4
razan
The problem is my LAN cannot connect to the internet.
 
Old 04-27-2005, 03:53 AM   #5
win32sux
you're gonna have to provide more information if you want someone to help you...

"cannot connect to the internet" is pretty vague...

can you ping the web from the LAN??

does the web surfing work if you don't use squid??

ETC... ETC... ETC...

provide as much information about your status as you can and you'll get quicker, better replies...


PS: i've requested this thread be moved to the networking forum as this isn't a security issue...


Last edited by win32sux; 04-27-2005 at 03:54 AM.
 
Old 04-27-2005, 03:58 AM   #6
razan
details

Here I have configured IE to use the proxy as 172.16.0.254 and port as 3128.

Now if I disable the above firewall scripts and run the default firewall scripts of the Unix created through system-config-securitylevel, then I am able to browse the web pages. I have not forwarded or done anything in the firewall in this case because I just want to use my own firewall so that I can secure my gateway as well as the other servers on the LAN. So please let me know if I have to give other details as well.
 
Old 04-27-2005, 04:22 AM   #7
win32sux
so when you run the "default firewall scripts" then you are able to properly use squid??
 
Old 04-27-2005, 05:15 AM   #8
razan
yes, there I don't even forward anything in the default firewall,
but using my own firewall scripts sucks.
 
Old 04-27-2005, 06:04 AM   #9
win32sux
no offense, but your iptables script is a mess...

i've cleaned it up for you somewhat, it should work now:

Code:
#!/bin/sh

iptables -F
iptables -F -t nat
iptables -F -t mangle

iptables -X
iptables -X -t nat
iptables -X -t mangle

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP -i eth2 --dport 3128 -s 172.16.0.0/24 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type 8 \
-m state --state NEW -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP -o eth0 --dport 80 \
-m state --state NEW -j ACCEPT
iptables -A OUTPUT -p ICMP --icmp-type 8 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -s 172.16.0.0/24 -o eth0 \
-m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p TCP -i eth2 --dport 80 \
-j REDIRECT --to-ports 3128

iptables -t nat -A POSTROUTING -o eth0 -j SNAT \
--to-source 192.168.0.7

Last edited by win32sux; 04-27-2005 at 06:12 AM.
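A toy model of the cleaned-up ruleset above, added here as an example and not code from the thread or from win32sux: it walks a packet through nat PREROUTING, the routing decision and the three filter chains, which shows why the transparent REDIRECT makes LAN web traffic arrive in INPUT (hence the eth2/3128 rule) while squid's own fetches are judged by OUTPUT. It models only the TCP rules, folds RELATED into ESTABLISHED, leaves SNAT out, keeps the 172.16.0.0/24 prefix from the script, and the client and internet addresses are constructed.

```python
import ipaddress
LOCAL_IPS = {"127.0.0.1", "192.168.0.7", "172.16.0.254"}  # the firewall's own addresses
LAN = "172.16.0.0/24"  # prefix the cleaned-up script uses (the first post describes a /16)
# TCP rules of the cleaned-up script as (policy, rules) per chain; ICMP rules are left out
# and "state" is NEW or ESTABLISHED (RELATED is folded into ESTABLISHED here).
FILTER = {
    "INPUT": ("DROP", [
        {"state": "ESTABLISHED", "target": "ACCEPT"},
        {"in": "lo", "state": "NEW", "target": "ACCEPT"},
        {"proto": "tcp", "in": "eth2", "dport": 3128, "src": LAN, "state": "NEW", "target": "ACCEPT"},
    ]),
    "OUTPUT": ("DROP", [
        {"state": "ESTABLISHED", "target": "ACCEPT"},
        {"out": "lo", "state": "NEW", "target": "ACCEPT"},
        {"proto": "tcp", "out": "eth0", "dport": 80, "state": "NEW", "target": "ACCEPT"},
    ]),
    "FORWARD": ("DROP", [
        {"state": "ESTABLISHED", "target": "ACCEPT"},
        {"in": "eth2", "src": LAN, "out": "eth0", "state": "NEW", "target": "ACCEPT"},
    ]),
}
def matches(rule, pkt):  # every key except "target" must fit the packet
    for key, want in rule.items():
        if key == "src":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif key != "target" and pkt.get(key) != want:
            return False
    return True

def verdict(chain, pkt):  # first matching rule wins, otherwise the chain policy applies
    policy, rules = FILTER[chain]
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def path(pkt):  # returns (chain, verdict), following the netfilter traversal order
    pkt = dict(pkt)
    if "in" not in pkt:  # generated on the firewall itself (e.g. by squid): OUTPUT only
        return "OUTPUT", verdict("OUTPUT", pkt)
    # nat PREROUTING: REDIRECT rewrites LAN port-80 traffic to the eth2 address and port
    # 3128, so the routing decision below delivers it locally instead of forwarding it
    if pkt["in"] == "eth2" and pkt.get("proto") == "tcp" and pkt.get("dport") == 80:
        pkt["dst"], pkt["dport"] = "172.16.0.254", 3128
    if pkt["dst"] in LOCAL_IPS:  # local destination -> INPUT chain
        return "INPUT", verdict("INPUT", pkt)
    pkt["out"] = "eth0"  # anything else leaves via the default route -> FORWARD chain
    return "FORWARD", verdict("FORWARD", pkt)
```

Running the model also makes two limits of the cleaned-up script visible: a LAN host outside 172.16.0.0/24 is dropped in FORWARD, and the firewall's own new connections to anything but TCP port 80 on eth0 (squid's HTTPS CONNECTs or its DNS lookups) are dropped in OUTPUT, so both need their own rules before reusing this ruleset.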
 
Old 04-27-2005, 08:48 AM   #10
razan
let me check

thanks buddy
let me check it out

windows sucks
 
Old 04-27-2005, 10:55 AM   #11
win32sux
you're welcome...

BTW, i assume you're activating forwarding from a startup file with something like:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
or maybe in your /etc/sysctl.conf you have something like:
Code:
net.ipv4.ip_forward=1
right???


Last edited by win32sux; 04-27-2005 at 11:00 AM.
 
Old 04-28-2005, 01:41 AM   #12
razan
Those settings are already configured, buddy.

Anyway, thanks once more for reminding.
 
Old 04-28-2005, 01:51 AM   #13
razan
Thanks win32sux

Thank you win32.
It's working now.
for (i=1; i>1; i++)
printf("Thanx win32sux");
 