LinuxQuestions.org

Linux - Security: IPtables not forwarding packets to Squid. (https://www.linuxquestions.org/questions/linux-security-4/iptables-not-forwarding-packets-to-squid-484085/)

danj_fc5usr 09-16-2006 11:22 AM

IPtables not forwarding packets to Squid.
 
Two things:

1) I am relatively new to using my linux box as a transparent firewall, and want to get this right before putting it into production for the rest of the network.

2) I have been looking on the forums here and could not find a related issue in regards to this particular issue; if there is one, please let me know!

Here is what I am trying to do, and I seem to be having some problems with it functioning correctly. I am trying to get my Linux box to act as a firewall for the LAN. Squid is set up with its default configuration, IPTables is set up correctly (to the best of my knowledge); but when I try to access the server from a client (with IPTables on), the connection will time out. If I turn IPTables off, my client can access the proxy and retrieve web sites.

I checked /var/log/messages and there is no indication of any problems with the port forwarding.
I checked /var/log/squid/access.log and it is showing that packets to the server are being dropped.

Below is the current configuration for the server:

OS: Fedora Core 5
NICs: 2, eth0 (LAN) and eth1 (WAN)
Please keep in mind that for the purposes of working on the firewall eth1 is still on the same network as eth0 until I get the bugs worked out!

Changes made to /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

Current configuration for /etc/sysconfig
# Generated by iptables-save v1.3.5 on Sat Sep 16 09:11:29 2006
*nat
:PREROUTING ACCEPT [52:16496]
:POSTROUTING ACCEPT [1:92]
:OUTPUT ACCEPT [1:92]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT


Here is the current routing configuration:
Destination   Gateway      Genmask         Flags Metric Ref Use Iface
192.168.0.0   *            255.255.255.0   U     0      0   0   eth0
192.168.0.0   *            255.255.255.0   U     0      0   0   eth1
default       192.168.0.1  0.0.0.0         UG    0      0   0   eth1


Below is the current configuration for Firefox:
HTTP Proxy: 192.168.0.2:3128 (Applies to all connections)

So, looking at the configuration of both client and server, there is no reason why it shouldn't work. If someone could please let me know if there is something that is overlooked or misconfigured, I would appreciate it!

Thank you.

bulliver 09-16-2006 12:31 PM

Can we see *all* your iptables rules: `iptables -L -n`
So the server is 192.168.0.2?

danj_fc5usr 09-16-2006 01:01 PM

# Generated by iptables-save v1.3.5 on Sat Sep 16 09:11:29 2006
*nat
:PREROUTING ACCEPT [52:16496]
:POSTROUTING ACCEPT [1:92]
:OUTPUT ACCEPT [1:92]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Sat Sep 16 09:11:29 2006
# Generated by iptables-save v1.3.5 on Sat Sep 16 09:11:29 2006
*mangle
:PREROUTING ACCEPT [113:20548]
:INPUT ACCEPT [61:4052]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:4896]
:POSTROUTING ACCEPT [52:4896]
COMMIT
# Completed on Sat Sep 16 09:11:29 2006
# Generated by iptables-save v1.3.5 on Sat Sep 16 09:11:29 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:4896]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


** Note: the two lines below were added and seem to allow traffic to pass, if you have a good way of resolving this without me having to use the lines below.

-A INPUT -p all -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A OUTPUT -p all -d 192.168.0.0/24 -o eth0 -j ACCEPT

One other note, I am also using webmin on my system and am having problems with iptables accepting port 10000 in the filtration process.

bulliver 09-16-2006 01:27 PM

You are redirecting port 80 to 3128, but you do not have a rule that accepts packets in INPUT on port 3128.
PREROUTING is traversed before INPUT...

danj_fc5usr 09-16-2006 01:37 PM

Quote:

Originally Posted by bulliver
You are redirecting port 80 to 3128, but you do not have a rule that accepts packets in INPUT on port 3128.
PREROUTING is traversed before INPUT...

Hmm, well I added

-A INPUT -p tcp -m tcp -i eth0 --dport 3128 -j ACCEPT

to iptables and still nada, am I doing something incorrectly?

bulliver 09-16-2006 01:51 PM

I think what happened is you appended ('-A') the rule to INPUT, which means it is later in the chain than "-A FORWARD -j RH-Firewall-1-INPUT", which means the packet traverses RH-Firewall-1-INPUT and falls off the edge.
You will want to either '-I' insert it, or put it in the 'RH-Firewall-1-INPUT' chain if that's where you want to do most of your filtering.

Please post 'iptables -L -n' not the iptables-save listing, as it is so much easier to read and understand...
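A small model of the chain traversal bulliver describes, added here as an example (it is not code from the thread): it replays the thread's own ruleset, with the nat PREROUTING REDIRECT and a trimmed RH-Firewall-1-INPUT, and shows that a 3128 ACCEPT appended after the jump into RH-Firewall-1-INPUT is never reached because that chain ends in an unconditional REJECT, while the same rule inserted before the jump matches. Rule tuples and packets are constructed for the demonstration.

```python
# Constructed rules, trimmed from the thread's iptables-save listing.
# A rule is (match dict, target); an empty match matches everything.
NAT_PREROUTING = [({"iif": "eth0", "proto": "tcp", "dport": 80}, "REDIRECT:3128")]

RH_CHAIN = [
    ({"state": "ESTABLISHED"}, "ACCEPT"),
    ({"proto": "tcp", "state": "NEW", "dport": 22}, "ACCEPT"),
    ({"proto": "tcp", "state": "NEW", "dport": 80}, "ACCEPT"),
    ({}, "REJECT"),  # RH-Firewall-1-INPUT ends with an unconditional REJECT
]
SQUID_RULE = ({"iif": "eth0", "proto": "tcp", "dport": 3128}, "ACCEPT")

def matches(match, pkt):
    return all(pkt.get(k) == v for k, v in match.items())

def traverse(chain, pkt, chains):
    """Walk one chain; a jump recurses, and falling off a user chain returns None."""
    for match, target in chain:
        if not matches(match, pkt):
            continue
        if target in chains:
            verdict = traverse(chains[target], pkt, chains)
            if verdict is not None:
                return verdict
        else:
            return target
    return None  # no terminating rule matched

def nat_prerouting(pkt):
    """Apply the REDIRECT: INPUT then sees dport 3128 instead of 80."""
    pkt = dict(pkt)
    for match, target in NAT_PREROUTING:
        if matches(match, pkt) and target.startswith("REDIRECT:"):
            pkt["dport"] = int(target.split(":")[1])
    return pkt

def filter_verdict(pkt, appended):
    """INPUT with the Squid rule appended (-A, after the jump) or inserted (-I, before it)."""
    jump = ({}, "RH-Firewall-1-INPUT")
    input_chain = [jump, SQUID_RULE] if appended else [SQUID_RULE, jump]
    chains = {"RH-Firewall-1-INPUT": RH_CHAIN}
    verdict = traverse(input_chain, nat_prerouting(pkt), chains)
    return verdict if verdict is not None else "ACCEPT(policy)"

if __name__ == "__main__":
    # Constructed packet: LAN client talking to the proxy port directly.
    client = {"iif": "eth0", "proto": "tcp", "dport": 3128, "state": "NEW"}
    print("appended:", filter_verdict(client, appended=True))   # REJECT
    print("inserted:", filter_verdict(client, appended=False))  # ACCEPT
```

The same REJECT appears for a transparently redirected port 80 connection, since the REDIRECT has already rewritten its destination port to 3128 before INPUT is consulted.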

danj_fc5usr 09-16-2006 02:03 PM

Okay, I now see where the error was. By your explanation and simple logic, it was dropping the packet because it hit the end of the chain.

danj_fc5usr 09-16-2006 02:38 PM

Do you happen to have any good resources on how to build iptables?

I have gotten it set up now so that eth1 blocks all incoming WAN traffic, and would like to work on blocking all ports on eth0 with the exception of those who need to access the internet.

Thanks again for your help!

bulliver 09-16-2006 02:50 PM

Quote:

Do you happen to have any good resources on how to build iptables?
Not really, I just write all my rules by hand, using tutorials from the iptables website and the "Linux Iptables Pocket Reference" by O'Reilly.

If you want 'expert' advice then check out the netfilter mailing list:
http://www.netfilter.org/mailinglists.html

These guys really know what they are talking about.

danj_fc5usr 09-16-2006 03:29 PM

Thanks for the info, it's appreciated!
