LinuxQuestions.org
Old 02-03-2011, 07:59 PM   #1
nass
Member
 
Registered: Apr 2006
Location: Athens, Greece
Distribution: slackware, debian, ubuntu
firewall squid and apache


Hello everyone,
I have been tweaking a gateway PC that serves a webpage to the 'internet' and also acts as a transparent proxy for the local network that's behind this gw.

Since it's a transparent proxy I had to redirect packets (in the prerouting chain) arriving on the internal iface for port 80 of the gw to the squid port. This works fine.

Now that I have set up the web server I allowed port 80 on the input chain to accept connections from the 'internet'.
Since the prerouting chain gets executed first, I suspected that packets from the internal iface would be intercepted first, and all the rest (ie those from the external iface) would arrive in the input chain... but it appears something's wrong and this does not occur.
I tried logging packets in the prerouting chain from the external iface arriving with dport 80 but nothing gets registered in the logs. So I wonder where (=earlier during the execution of the prerouting chain, or before it) the internet requests for my webpage get lost/dropped/rejected, whatever..

Note that if I run without the firewall, I can connect to my webpage no problem.. So I think it's probably something with my firewall script and less probably something wrong with squid....

Thank you very much for your help.

For reference here is my whole rc.firewall - I didn't want to omit something in order not to exclude my possible mistake....
port 19191 is the squid listening port.

Quote:
SYSCTL="/sbin/sysctl -w"
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"

#DEFINITIONS
INET_IFACE="eth1"
INET_ADDRESS="192.168.15.35" #eth1 address
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.0.19"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
VPN_IFACE="tun+"
VPN_NET="192.168.144.0/24"
VPN_BCAST="192.168.144.255"
WORK_NET="192.168.1.0/24"
WORK_BCAST="192.168.1.255"
LIN_SRV="192.168.0.6"
WIN_CL="192.168.0.3"
LO_IFACE="lo"
LO_IP="127.0.0.1"

if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi

echo "Flushing Tables ..."
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j ULOG \
--ulog-prefix "Illegal source: " --ulog-nlgroup 1
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j ULOG \
--ulog-prefix "Invalid packet: " --ulog-nlgroup 1
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j ULOG \
--ulog-prefix "New not syn: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j ULOG \
--ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j ULOG \
--ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j ULOG \
--ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j ULOG \
--ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j ULOG \
--ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j ULOG \
--ulog-prefix "Stealth scan: " --ulog-nlgroup 1
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
$IPT -A icmp_packets --fragment -p ICMP -j ULOG \
--ulog-prefix "ICMP Fragment: " --ulog-nlgroup 1
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT
$IPT -A udp_inbound -p UDP -i $LOCAL_IFACE -s $LOCAL_NET --destination-port 111 -j ACCEPT
$IPT -A udp_inbound -p UDP -i $LOCAL_IFACE -s $LOCAL_NET --destination-port 2049 -j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT
# "$" was missing before INET_IFACE: without it the rule only matches an interface literally named INET_IFACE
$IPT -A tcp_inbound -p TCP -i $INET_IFACE -s 0/0 --destination-port 80 -j ACCEPT
$IPT -A tcp_inbound -p tcp -s 0/0 --destination-port 19191 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 51238 -j ACCEPT
$IPT -A tcp_inbound -p TCP -i $LOCAL_IFACE -s $LOCAL_NET --destination-port 111 -j ACCEPT
$IPT -A tcp_inbound -p TCP -i $LOCAL_IFACE -s $LOCAL_NET --destination-port 2049 -j ACCEPT
$IPT -A tcp_inbound -p TCP -j RETURN

$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

echo "Process INPUT chain ..."
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p ALL -s $VPN_NET -j ACCEPT
$IPT -A INPUT -p ALL -d $VPN_BCAST -j ACCEPT
$IPT -A INPUT -p ALL -s $WORK_NET -j ACCEPT
$IPT -A INPUT -p ALL -d $WORK_BCAST -j ACCEPT
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
-j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j ULOG \
--ulog-prefix "INPUT packet died: " --ulog-nlgroup 1

echo "Process FORWARD chain ..."
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 1194 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 51237 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 12121 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 62000:64000 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 61245 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 17156 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 17156 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 58789 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 58789 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 44743 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 44743 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 24345 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 24345 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 24346 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 24346 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 1215 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 1215 -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 59049 -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 59049 -j ACCEPT
$IPT -A FORWARD -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j ULOG \
--ulog-prefix "FORWARD packet died: " --ulog-nlgroup 1

echo "Process OUTPUT chain ..."
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j ULOG \
--ulog-prefix "OUTPUT packet died: " --ulog-nlgroup 1

echo "Load rules for nat table ..."
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 1194 -j DNAT --to-destination $LIN_SRV
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 1194 -j DNAT --to-destination $LIN_SRV
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 51237 -j DNAT --to-destination $LIN_SRV
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 12121 -j DNAT --to-destination $LIN_SRV
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 62000:64000 -j DNAT --to-destination $LIN_SRV
$IPT -t nat -A PREROUTING -p tcp -i $LOCAL_IFACE --destination-port 80 -j REDIRECT --to-ports 19191
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 61245 -j DNAT --to-destination $WIN_CL
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 17156 -j DNAT --to-destination $WIN_CL
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 17156 -j DNAT --to-destination $WIN_CL
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 58789 -j DNAT --to-destination $WIN_CL
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 58789 -j DNAT --to-destination $WIN_CL
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 44743 -j DNAT --to-destination 192.168.0.106
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 44743 -j DNAT --to-destination 192.168.0.106
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 24345 -j DNAT --to-destination $LIN_SRV
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 24345 -j DNAT --to-destination $LIN_SRV
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 24346 -j DNAT --to-destination $LIN_SRV
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 24346 -j DNAT --to-destination $LIN_SRV
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 1215 -j DNAT --to-destination $WIN_CL
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 1215 -j DNAT --to-destination $WIN_CL
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 59049 -j DNAT --to-destination $WIN_CL
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 59049 -j DNAT --to-destination $WIN_CL

$IPT -t nat -A POSTROUTING -o $INET_IFACE \
-j SNAT --to-source $INET_ADDRESS

Last edited by nass; 02-03-2011 at 08:03 PM.
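The ordering the post relies on (nat PREROUTING runs first, REDIRECT rewrites the port, then the routing decision, then filter INPUT with its tcp_inbound sub-chain) can be checked with a small model. This is an added example, not code from the thread: the rule set is a hand-reduced subset of the posted rc.firewall, the client addresses are constructed, and `port80_iface` lets you see what happens when the `-i` argument of the port-80 rule is not a real interface name (such an rule never matches, and the packet falls through to the INPUT DROP policy).

```python
"""Toy model of the netfilter path described in the post: nat PREROUTING,
then filter INPUT -> tcp_inbound. Reduced from the posted rc.firewall;
the real kernel and the rest of the script are not modelled."""

def build_rules(port80_iface):
    """Rules as (match-dict, target), in iptables order. A key absent from
    the match means 'any'. port80_iface is the -i value of the port-80 rule."""
    return {
        ("nat", "PREROUTING"): [
            # transparent proxy: LAN web traffic is redirected to squid
            ({"iface": "eth0", "proto": "tcp", "dport": 80}, "REDIRECT:19191"),
        ],
        ("filter", "INPUT"): [
            ({"iface": "lo"}, "ACCEPT"),
            ({"iface": "eth0", "src_net": "192.168.0."}, "ACCEPT"),
            ({"iface": "eth1", "state": "ESTABLISHED"}, "ACCEPT"),
            ({"iface": "eth1", "proto": "tcp"}, "JUMP:tcp_inbound"),
        ],
        ("filter", "tcp_inbound"): [
            ({"iface": port80_iface, "proto": "tcp", "dport": 80}, "ACCEPT"),
            ({"proto": "tcp", "dport": 19191}, "ACCEPT"),
            ({}, "RETURN"),
        ],
    }

POLICY = {("nat", "PREROUTING"): "ACCEPT", ("filter", "INPUT"): "DROP"}

def matches(rule, pkt):
    return all(pkt["src"].startswith(v) if k == "src_net" else pkt.get(k) == v
               for k, v in rule.items())

def run_chain(rules, table, chain, pkt):
    """Walk one chain in order; a user chain that falls off the end RETURNs."""
    for rule, target in rules[(table, chain)]:
        if not matches(rule, pkt):
            continue
        if target.startswith("JUMP:"):
            verdict = run_chain(rules, table, target[5:], pkt)
            if verdict != "RETURN":
                return verdict  # ACCEPT/DROP inside the user chain is final
        else:
            return target
    return POLICY.get((table, chain), "RETURN")

def trace(pkt, port80_iface="eth1"):
    """Return (final dport, filter verdict) for a new inbound packet."""
    rules, pkt = build_rules(port80_iface), dict(pkt)
    verdict = run_chain(rules, "nat", "PREROUTING", pkt)
    if verdict.startswith("REDIRECT:"):
        pkt["dport"] = int(verdict.split(":")[1])  # REDIRECT rewrites the port
    return pkt["dport"], run_chain(rules, "filter", "INPUT", pkt)

# constructed sample packets: one LAN client, one internet client
LAN_CLIENT = {"iface": "eth0", "proto": "tcp", "dport": 80, "src": "192.168.0.3", "state": "NEW"}
INET_CLIENT = {"iface": "eth1", "proto": "tcp", "dport": 80, "src": "203.0.113.9", "state": "NEW"}
```

`trace(LAN_CLIENT)` lands on squid's port via the REDIRECT rule, while `trace(INET_CLIENT)` keeps port 80 and is decided by tcp_inbound; passing a bogus interface name for the port-80 rule makes the same internet packet hit the DROP policy.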
 
Old 02-07-2011, 06:44 AM   #2
nass
Original Poster
Scratch that, upgrading packages from slackware 13.0 to 13.1 updated my kernel too,
so rebooting into the new kernel version didn't have all the necessary netfilter modules.
I recompiled the 'fresh' kernel with my custom config and things are fine again.
(Note, I did not alter my firewall script - just recompiled the kernel.)