LinuxQuestions.org
Old 06-28-2005, 03:35 PM   #1
scammeh^
Router/Proxy


Long time since I've posted here.

Anyway, got myself a copy of Suse 9.3 and everything has set up great. It is currently running as a router between the internet and my Windows boxes on the internal network. However, now I want to use Squid to handle all requests for web pages, and block everything else unless I add it to the allow list.

Squid works fine and every computer on the network can use it, but even though I have set up the firewall to deny all other access from the internal network, the other computers can still browse as normal, access ftp through it etc.

The firewall is Susefirewall 2, and access is blocked from the internal network with this command in the sysconfig/susefirewall2.conf:

Code:
FW_PROTECT_FROM_INT="yes"
Any help?
 
Old 06-28-2005, 03:43 PM   #2
eantoranz
You sure you are blocking FORWARD? It sounds like you are blocking INPUT only.
 
Old 06-28-2005, 07:31 PM   #3
scammeh^
Thanks for your reply! I am as sure as I can be about that... but mucking around in the config file has now resulted in me making more of a mess!

Now computers on the network are unable to use DHCP on the server!! They can, however, access Squid.

Here is my susefirewall2.conf file with comments and some unnecessary bits omitted:

Code:
FW_DEV_EXT="eth-id-..."
FW_DEV_INT="eth-id-..."
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP="3128 67 68"        # [The proxy and DHCP(?)]
FW_SERVICES_EXT_IP="67 68"
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="3128"
FW_SERVICES_INT_UDP="bootpc"
FW_SERVICES_INT_IP="smtp"
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_KERNEL_SECURITY="yes"
Help much appreciated before I wreck anything else!
 
Old 06-28-2005, 08:13 PM   #4
eantoranz
Well.... to tell you the truth, I didn't even read that thing you wrote. The way to go is by checking iptables "by hand".

What's the output of:
iptables -L INPUT -nv

and
route -n
 
Old 06-28-2005, 08:24 PM   #5
scammeh^
iptables -L INPUT -nv
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   60  3912 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
72757   60M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  218 20773 input_int  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0   
   38 14047 input_ext  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0   
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
route -n
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
<external network>.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         <external network>.254  0.0.0.0         UG    0      0        0 eth0
Cheers
 
Old 06-28-2005, 08:40 PM   #6
eantoranz
Here are my thoughts. DHCP responds to DHCP queries by sending packets to the IP address 255.255.255.255, so my first guess is that you will have to add that host to your routing table:

eth1 is your intranet interface, right?
Code:
route add -host 255.255.255.255 dev eth1
If you don't set the device to eth1, replies will come out... but by eth0... but maybe I'm plain wrong here. Can anybody correct this?

Continuing.... let's suppose that the route is not the problem. You also need to check the rules in the chain input_int, cause your firewall is traversing that chain when it receives a packet to establish a new connection from your intranet. So why don't you tell us the output of iptables -L input_int -nv?
 
Old 06-29-2005, 07:16 AM   #7
scammeh^
iptables -L input_int -nv:

Code:
pkts bytes target     prot opt in     out     source               destination 
    4  1312 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-DROP-BCASTi '
    4  1312 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpts:27020:27039 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INint-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:27020:27039
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:3128 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INint-ACC-TCP '
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:27000:27015
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68
    1   105 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INint-DROP-DEFLT '
    1   105 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Quite confused

The other computers were able to access the DHCP service before though, so surely it's more to do with the susefirewall.conf I was tampering with? Interested to hear your theories though.
 
Old 06-29-2005, 09:01 AM   #8
eantoranz
Code:
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68
That's the opening for DHCP. That leads me to think it's the routing problem. Maybe you can use a sniffer to check for the traffic between the client and the server to make sure what's going on.

Now, to FORBID access to the internet for other computers (only available to them by squid), you have to check the rules in the FORWARD table... and the forward policy. See, packets going to internet from other hosts won't traverse the INPUT chain... but FORWARD.
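An added example, not code from the thread: a small Python walker for the `iptables -L <chain> -nv` format posted above. It replays a described packet through a chain in rule order the way netfilter does (LOG falls through, the first ACCEPT/DROP/REJECT decides, the chain policy or RETURN applies when nothing matches), which makes two things visible that the raw dumps do not: a DHCP DISCOVER arrives as a broadcast and meets the SFW2-DROP-BCASTi rule in input_int before the udp dpt:68 ACCEPT, and a FORWARD chain left at policy ACCEPT is exactly what lets the internal hosts bypass Squid (post #8's point). The dumps are constructed from this thread's output; the packet dicts and the FORWARD_OPEN sample are assumptions.

```python
import re
# Constructed sample: the `iptables -L input_int -nv` dump posted in this thread, trimmed.
INPUT_INT = """\
Chain input_int (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4  1312 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-DROP-BCASTi '
    4  1312 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:27020:27039
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68
    1   105 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INint-DROP-DEFLT '
    1   105 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# Constructed (assumed) FORWARD chain at its default: nothing stops internal hosts going direct.
FORWARD_OPEN = "Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source destination\n"

def parse_chain(dump):
    """Return (policy or None, rules) from `iptables -L <chain> -nv` text."""
    policy, rules = None, []
    for line in dump.splitlines():
        cols = line.split()
        if not cols or cols[0] == "pkts":
            continue
        if cols[0] == "Chain":                      # user chains print no policy
            m = re.search(r"\(policy (\w+)", line)
            policy = m.group(1) if m else None
            continue
        rules.append({"target": cols[2], "proto": cols[3], "extra": " ".join(cols[9:])})
    return policy, rules

def matches(rule, pkt):
    """Match a packet dict against one rule (only the match types seen in the thread)."""
    e = rule["extra"]
    if rule["proto"] not in ("all", pkt["proto"]):
        return False
    if "PKTTYPE = broadcast" in e and pkt.get("pkttype") != "broadcast":
        return False
    m = re.search(r"dpt:(\d+)", e)
    if m and pkt.get("dport") != int(m.group(1)):
        return False
    m = re.search(r"dpts:(\d+):(\d+)", e)
    return not m or int(m.group(1)) <= pkt.get("dport", -1) <= int(m.group(2))

def verdict(dump, pkt):
    """First terminating target in rule order, else the policy (RETURN for a user chain)."""
    policy, rules = parse_chain(dump)
    for r in rules:  # LOG only logs and falls through; jumps into other chains are not followed
        if r["target"] in ("ACCEPT", "DROP", "REJECT") and matches(r, pkt):
            return r["target"]
    return policy or "RETURN"
```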