LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-16-2006, 11:22 AM   #1
danj_fc5usr
LQ Newbie
 
Registered: Aug 2006
Location: Tri-Cities, Washington
Distribution: Fedora Core 5
Posts: 17

Rep: Reputation: 0
IPtables not forwarding packets to Squid.


Two things:

1) I am relatively new to using my linux box as a transparent firewall, and want to get this right before putting it into production for the rest of the network.

2) I have been looking on the forums here and could not find a related issue in regards to this particular issue; if there is one, please let me know!

Here is what I am trying to do and I seem to be having some problems with it functioning correctly. I am trying to get my Linux box to act as a firewall for the LAN. Squid is set up with its default configuration, IPTables is set up correctly (to the best of my knowledge); but when I try to access the server from a client (with IPTables on), the connection will time out. If I turn IPTables off, my client can access the proxy and retrieve web sites.

I checked /var/log/messages and there is no indication of any problems with the port forwarding.
I checked /var/log/squid/access.log and it is showing that packets to the server are being dropped.

Below is the current configuration for the server:

OS: Fedora Core 5
NICs: 2, eth0 (LAN) and eth1 (WAN)
Please keep in mind that for the purposes of working on the firewall eth1 is still on the same network as eth0 until I get the bugs worked out!

Changes made to /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

Current configuration for /etc/sysconfig
# Generated by iptables-save v1.3.5 on Sat Sep 16 09:11:29 2006
*nat
:PREROUTING ACCEPT [52:16496]
:POSTROUTING ACCEPT [1:92]
:OUTPUT ACCEPT [1:92]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT


Here is the current routing configuration:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1


Below is the current configuration for Firefox:
HTTP Proxy: 192.168.0.2:3128 (Applies to all connections)

So, looking at the configuration of both client and server, there is no reason why it shouldn't work. If someone could please let me know if there is something that is overlooked or misconfigured, I would appreciate it!

Thank you.

Last edited by danj_fc5usr; 09-16-2006 at 12:09 PM.
 
Old 09-16-2006, 12:31 PM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 77
Can we see *all* your iptables rules: `iptables -L -n`
So the server is 192.168.0.2?
 
Old 09-16-2006, 01:01 PM   #3
danj_fc5usr
# Generated by iptables-save v1.3.5 on Sat Sep 16 09:11:29 2006
*nat
:PREROUTING ACCEPT [52:16496]
:POSTROUTING ACCEPT [1:92]
:OUTPUT ACCEPT [1:92]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Sat Sep 16 09:11:29 2006
# Generated by iptables-save v1.3.5 on Sat Sep 16 09:11:29 2006
*mangle
:PREROUTING ACCEPT [113:20548]
:INPUT ACCEPT [61:4052]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:4896]
:POSTROUTING ACCEPT [52:4896]
COMMIT
# Completed on Sat Sep 16 09:11:29 2006
# Generated by iptables-save v1.3.5 on Sat Sep 16 09:11:29 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:4896]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


** Note: the two lines below were added and seem to allow traffic to pass, if you have a good way of resolving this without me having to use the lines below.

-A INPUT -p all -s 192.168.0.0/24 -i eth0 -j ACCEPT
-A OUTPUT -p all -d 192.168.0.0/24 -o eth0 -j ACCEPT

One other note, I am also using webmin on my system and am having problems with iptables accepting port 10000 in the filtration process.

Last edited by danj_fc5usr; 09-16-2006 at 01:20 PM.
 
Old 09-16-2006, 01:27 PM   #4
bulliver
You are redirecting port 80 to 3128, but you do not have a rule that accepts packets in INPUT on port 3128.
PREROUTING is traversed before INPUT...
 
Old 09-16-2006, 01:37 PM   #5
danj_fc5usr
Quote:
Originally Posted by bulliver
You are redirecting port 80 to 3128, but you do not have a rule that accepts packets in INPUT on port 3128.
PREROUTING is traversed before INPUT...
Hmm, well I added

-A INPUT -p tcp -m tcp -i eth0 --dport 3128 -j ACCEPT

to iptables and still nada, am I doing something incorrectly?
 
Old 09-16-2006, 01:51 PM   #6
bulliver
I think what happened is you appended ('-A') the rule to INPUT, which means it is later in the chain than "-A FORWARD -j RH-Firewall-1-INPUT", which means the packet traverses RH-Firewall-1-INPUT and falls off the edge.
You will either want to insert it ('-I'), or put it in the 'RH-Firewall-1-INPUT' chain if that's where you want to do most of your filtering.

Please post 'iptables -L -n' not the iptables-save listing, as it is so much easier to read and understand...
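To see why appending versus inserting makes the difference here, this is an added simulation of how the filter table walks the rules quoted in this thread (illustration code written for this page, not anything from the posts). The parser, the packet dict and the helper names are constructed assumptions; the rules are the relevant subset of the poster's listing, and the packet is what INPUT sees after the nat PREROUTING REDIRECT has already rewritten port 80 to 3128.

```python
import shlex
# Simplified walk of the netfilter filter table, added for this thread (not code from any post).
# Only the matches the thread's rules use are modeled: -i, -p, --dport and --state.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end the walk; LOG does not
def parse_rule(line):  # one iptables-save '-A CHAIN ... -j TARGET' line -> (chain, matches, target)
    toks = shlex.split(line)
    matches, target = {}, None
    for opt, arg in zip(toks[2::2], toks[3::2]):  # every option used in the thread takes one argument
        if opt == "-j":
            target = arg
        elif opt in ("-i", "-p", "--dport", "--state"):
            matches[opt] = arg
    return toks[1], matches, target
def rule_matches(matches, pkt):  # --state is a comma-separated set; other criteria must be equal
    return all(pkt.get(k) in v.split(",") if k == "--state" else pkt.get(k) == v
               for k, v in matches.items())
def verdict(rules, chain, pkt, policy="ACCEPT"):
    """Jumps descend into user chains; falling off a user chain returns to the caller,
    falling off a builtin chain yields its policy (ACCEPT everywhere in the thread)."""
    for c, matches, target in rules:
        if c != chain or not rule_matches(matches, pkt):
            continue
        if target in TERMINAL:
            return target
        if target != "LOG":  # a user-defined chain: walk it, resume here if it falls off the end
            sub = verdict(rules, target, pkt, None)
            if sub is not None:
                return sub
    return policy
# The relevant subset of the poster's filter table, copied from the thread.
BASE = [
    '-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7',
    '-A INPUT -j RH-Firewall-1-INPUT',
    '-A RH-Firewall-1-INPUT -i lo -j ACCEPT',
    '-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
    '-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT',
    '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited',
]
FIX = '-A INPUT -p tcp -m tcp -i eth0 --dport 3128 -j ACCEPT'
# Constructed packet: a LAN client's new HTTP connection as INPUT sees it, i.e. after the nat
# PREROUTING REDIRECT has already rewritten the destination port from 80 to 3128.
PKT = {"-i": "eth0", "-p": "tcp", "--dport": "3128", "--state": "NEW"}
def appended():  # what the poster did: -A lands after the jump, behind the chain's final REJECT
    return verdict([parse_rule(r) for r in BASE + [FIX]], "INPUT", PKT)
def inserted():  # -I INPUT: evaluated first, before the jump into RH-Firewall-1-INPUT
    return verdict([parse_rule(r) for r in [FIX] + BASE], "INPUT", PKT)
def in_user_chain():  # the other suggestion: put it in RH-Firewall-1-INPUT ahead of its REJECT
    rules = [parse_rule(r) for r in BASE]
    rules.insert(-1, parse_rule(FIX.replace("INPUT", "RH-Firewall-1-INPUT", 1)))
    return verdict(rules, "INPUT", PKT)
```

Note that the existing "--dport 80" ACCEPT in RH-Firewall-1-INPUT never helps the redirected traffic, because by the time INPUT runs the destination port is already 3128.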
 
Old 09-16-2006, 02:03 PM   #7
danj_fc5usr
Okay, I now see where the error was. By your explanation and simple logic, it was dropping the packet because it hit the end of the chain.
 
Old 09-16-2006, 02:38 PM   #8
danj_fc5usr
Do you happen to have any good resources on how to build iptables?

I have gotten it set up now so that eth1 blocks all incoming WAN traffic, and would like to work on blocking all ports on eth0 with the exception of those who need to access the internet.

Thanks again for your help!
 
Old 09-16-2006, 02:50 PM   #9
bulliver
Quote:
Do you happen to have any good resources on how to build iptables?
Not really, I just write all my rules by hand, using tutorials from the iptables website and the "Linux Iptables Pocket Reference" by O'Reilly.

If you want 'expert' advice then check out the netfilter mailing list:
http://www.netfilter.org/mailinglists.html

These guys really know what they are talking about.
 
Old 09-16-2006, 03:29 PM   #10
danj_fc5usr
Thanks for the info, it's appreciated!
Tags: iptables, routing, squid