Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
1) I am relatively new to using my Linux box as a transparent firewall, and want to get this right before putting it into production for the rest of the network.
2) I have been looking on the forums here and could not find a related issue in regards to this particular issue; if there is one, please let me know!
Here is what I am trying to do, and I seem to be having some problems with it functioning correctly. I am trying to get my Linux box to act as a firewall for the LAN. Squid is set up with its default configuration, and IPTables is set up correctly (to the best of my knowledge); but when I try to access the server from a client (with IPTables on), the connection will time out. If I turn IPTables off, my client can access the proxy and retrieve web sites.
I checked /var/log/messages and there is no indication of any problems with the port forwarding.
I checked /var/log/squid/access.log and it is showing that packets to the server are being dropped.
Below is the current configuration for the server:
OS: Fedora Core 5
NICs: 2, eth0 (LAN) and eth1 (WAN). Please keep in mind that for the purposes of working on the firewall, eth1 is still on the same network as eth0 until I get the bugs worked out!
Changes made to /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
Current configuration for /etc/sysconfig
# Generated by iptables-save v1.3.5 on Sat Sep 16 09:11:29 2006
:PREROUTING ACCEPT [52:16496]
:POSTROUTING ACCEPT [1:92]
:OUTPUT ACCEPT [1:92]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
Here is the current routing configuration:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1
Below is the current configuration for Firefox:
HTTP Proxy: 192.168.0.2:3128 (Applies to all connections)
So, looking at the configuration of both client and server, there is no reason why it shouldn't work. If someone could please let me know if there is something that is overlooked or misconfigured, I would appreciate it!
Last edited by danj_fc5usr; 09-16-2006 at 12:09 PM.
I think what happened is you appended ('-A') the rule to INPUT, which means it is later in the chain than "-A FORWARD -j RH-Firewall-1-INPUT", which means the packet traverses RH-Firewall-1-INPUT and falls off the edge.
You will want to '-I' (insert) it instead, in the 'RH-Firewall-1-INPUT' chain if that's where you want to do most of your filtering.
Please post the output of 'iptables -L -n', not the iptables-save listing, as it is so much easier to read and understand...
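The ordering problem the reply describes, shown as an added example that is not code from either poster. The script below is an assumption-based reconstruction of an FC5-style ruleset (LAN on eth0, Squid on 3128, the RH-Firewall-1-INPUT chain ending in a catch-all REJECT); since the nat REDIRECT makes the port-80 packet locally destined, it is the INPUT path that matters, so the checker walks the filter table from INPUT, follows jumps into user chains in rule order, and reports whether the ACCEPT for the proxy port is reached before a catch-all REJECT or DROP. It only generates and parses iptables-save text, so it runs without root or an iptables binary.

```shell
#!/bin/sh
# Added example (not from this thread): generate an FC5-style transparent-proxy
# ruleset in iptables-save format and check, without root or an iptables
# binary, whether the ACCEPT for the Squid port is reachable on the INPUT path.
# Assumptions: LAN on eth0, Squid on 3128, RH-Firewall-1-INPUT ends in REJECT.

LAN_IF=eth0
SQUID_PORT=3128

# Correct layout: the ACCEPT for the proxy port sits inside RH-Firewall-1-INPUT,
# ahead of the chain's catch-all REJECT.
build_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i $LAN_IF -p tcp -m tcp --dport $SQUID_PORT -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# The mistake described in the reply: the same ACCEPT appended (-A) to INPUT,
# so it lands after the jump into RH-Firewall-1-INPUT and is never evaluated.
build_broken_ruleset() {
  build_ruleset | awk -v lan="$LAN_IF" -v port="$SQUID_PORT" '
    /^-A RH-Firewall-1-INPUT .*--dport/ { next }
    { print }
    /^-A INPUT -j RH-Firewall-1-INPUT$/ {
      print "-A INPUT -i " lan " -p tcp -m tcp --dport " port " -j ACCEPT"
    }'
}

# Walk the filter table from INPUT, following -j into user chains in rule
# order, and report whether the proxy ACCEPT is hit before a catch-all
# REJECT/DROP. Reads an iptables-save dump on stdin.
check_proxy_rule() {
  awk -v port="$SQUID_PORT" '
    function target(r,    parts, k, i) {
      k = split(r, parts, " ")
      for (i = 1; i < k; i++) if (parts[i] == "-j") return parts[i + 1]
      return ""
    }
    # A rule with no -i/-o/-p/-m/-s/-d match applies to every packet.
    function is_catchall(r) { return r !~ /(^| )-[iopmsd] / }
    function walk(c,    i, r, t, res) {
      for (i = 1; i <= n[c]; i++) {
        r = rule[c, i]; t = target(r)
        if (t == "ACCEPT" && r ~ ("--dport " port " ")) return "reachable"
        if ((t == "REJECT" || t == "DROP") && is_catchall(r)) return "blocked"
        if (t in n) { res = walk(t); if (res != "fallthrough") return res }
      }
      return "fallthrough"
    }
    /^\*/ { table = substr($0, 2); next }
    table == "filter" && /^-A / { n[$2]++; rule[$2, n[$2]] = $0 }
    END { print walk("INPUT") }'
}

build_ruleset | check_proxy_rule          # reachable
build_broken_ruleset | check_proxy_rule   # blocked
```

The same walk can be pointed at a real dump (`iptables-save | check_proxy_rule`) to confirm, before loading a ruleset on the production box, that the proxy ACCEPT is not shadowed by an earlier terminating rule.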