LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 08-13-2009, 12:06 PM   #1
qwertyjjj
Senior Member
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013
Rep: Reputation: 30
forwarding port 80


Hi
I want to forward port 80 to my squid on 3128.
I have the following but not sure what the eth1 refers to. Can I leave it out or should it be eth0?
I think I have to add an -s xx.xx.xx.xx to the lines as well.
Do I need the forward line at all?
The reason for the forwarding is I have apache on the server, I don't want apache to run for this IP address so I have port 80 blocked on this IP. However, it operates on a different IP address and I want to leave the port 80 open on that one.
I would like to allow 80 to be used on this IP but only for the proxy and forward to squid for those office networks that allow their users to access port 80.
Squid currently listens on 8080 and 3128
Code:
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination xx.xxx.xxx.xx9:3128
Current config is:

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1xxx -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1xxx -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.xx9 -p tcp -m tcp --dport 1xxx -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.xx9 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.xx9 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.xx8 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A INPUT -d xx.xxx.xxx.xx8 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.xx8 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.xx8 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

Last edited by qwertyjjj; 08-13-2009 at 12:19 PM.
 
Old 08-13-2009, 01:59 PM   #2
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Rep: Reputation: 1985
I thought we agreed that transparent proxies sucked??

-i eth1 means the data is entering the eth1 nic.
 
Old 08-13-2009, 02:02 PM   #3
qwertyjjj
Senior Member
Original Poster
Quote:
Originally Posted by acid_kewpie
I thought we agreed that transparent proxies sucked??

-i eth1 means the data is entering the eth1 nic.
This is a public server. I need to allow people to connect to port 80 for example if they are trying to bypass their work firewall and perhaps their network only allows them out through port 80.

So, is this line all I need? What about the forward line?
Code:
-A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination xx.xxx.xxx.xx9:3128
 
Old 08-13-2009, 02:32 PM   #4
acid_kewpie
Moderator
I don't understand how your requirements are relevant to a transparent proxy..? If you're using port 80 as an explicit proxy port, then don't use iptables, just make squid listen on that port in the first place.

Off topic, you have a few pointless rules in the firewall there. At the top you have the related/established line. That covers ALL existing traffic, so there is no point mentioning existing connections below at all.
 
Old 08-13-2009, 02:38 PM   #5
qwertyjjj
Senior Member
Original Poster
Quote:
Originally Posted by acid_kewpie
I don't understand how your requirements are relevant to a transparent proxy..? If you're using port 80 as an explicit proxy port, then don't use iptables, just make squid listen on that port in the first place.

Off topic, you have a few pointless rules in the firewall there. At the top you have the related/established line. That covers ALL existing traffic, so there is no point mentioning existing connections below at all.
Well it seems to block when I don't list a specific port so it must be doing something? So get rid of these 2?
Aren't these rules necessary for when you restart iptables?
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
This is not a transparent proxy. As mentioned, I have apache running on the server but the server has 2 IP addresses.
I don't want port 80 open on 1 of the servers so if I just open it and let squid listen, then apache is also open hence the forwarding rule for 1 of the IP addresses.

i.e. xx.xx.xx.x1 80 forwarded to squid, therefore 80 blocked for apache
xx.xx.xx.x2 80 open for apache

Last edited by qwertyjjj; 08-13-2009 at 03:02 PM.
 
Old 08-13-2009, 05:08 PM   #6
acid_kewpie
Moderator
if you only have one IP address for apache, then make it only listen on that port using a more specific "Listen" configuration option. That's the elegant solution. You'd never use one service to block another, that seems really odd.
 
Old 08-13-2009, 05:11 PM   #7
qwertyjjj
Senior Member
Original Poster
Quote:
Originally Posted by acid_kewpie
if you only have one IP address for apache, then make it only listen on that port using a more specific "Listen" configuration option. That's the elegant solution. You'd never use one service to block another, that seems really odd.
Can apache listen to port 80 with data only destined for IP xx.xx.xx.1?
The point of the firewall doing it is that I thought the programs simply listened to a port in which case it needs to be split by the firewall otherwise data destined for port 80 with apache and squid listening in on the same port is going to cause havoc.

Last edited by qwertyjjj; 08-13-2009 at 05:13 PM.
 
Old 08-14-2009, 04:40 AM   #8
acid_kewpie
Moderator
Yes, as above, just set the Listen option correctly.
 
Old 08-14-2009, 04:51 AM   #9
EricTRA
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1
Rep: Reputation: 1297
Hello,

Assuming it's Apache2, in the ports.conf
Code:
# XXX.XXX.XXX.XXX = the IP you want Apache to listen on
NameVirtualHost XXX.XXX.XXX.XXX:80
# bind to that address only, not to every interface
Listen XXX.XXX.XXX.XXX:80
In the sites-available/default
Code:
NameVirtualHost XXX.XXX.XXX.XXX:80
This way Apache only listens on that IP/interface:port combination.

Kind regards,

Eric

BTW: Happy Birthday Chris
 
Old 08-14-2009, 05:28 AM   #10
qwertyjjj
Senior Member
Original Poster
Quote:
Originally Posted by EricTRA
Hello,

Assuming it's Apache2, in the ports.conf
Code:
# XXX.XXX.XXX.XXX = the IP you want Apache to listen on
NameVirtualHost XXX.XXX.XXX.XXX:80
# bind to that address only, not to every interface
Listen XXX.XXX.XXX.XXX:80
In the sites-available/default
Code:
NameVirtualHost XXX.XXX.XXX.XXX:80
This way Apache only listens on that IP/interface:port combination.

Kind regards,

Eric

BTW: Happy Birthday Chris
Done - thanks.
Now, what are the risks of leaving port 80 open for squid to listen to being that most bots attack port 80?
 
Old 08-14-2009, 10:37 AM   #11
qwertyjjj
Senior Member
Original Poster
Squid isn't responding on port 80. I have this in the squid conf and have restarted it:
Code:
http_port 3128
http_port 8080
http_port 80
this in apache and restarted httpd
Code:
Listen xx.xxx.xxx.xx2:80
On IP 1: no apache response, no squid response, but squid should be listening on port 80.
On IP 2: correct apache response, no squid response as it is blocked in iptables.
 
Old 08-14-2009, 12:46 PM   #12
acid_kewpie
Moderator
well check what is actually listening, rather than just trying to use something... "netstat -plnt"
 
Old 08-14-2009, 12:54 PM   #13
qwertyjjj
Senior Member
Original Poster
Quote:
Originally Posted by acid_kewpie
well check what is actually listening, rather than just trying to use something... "netstat -plnt"
So, squid is not listening on port 80 even though it's there in the squid.conf file. Any ideas on what to check?
 
Old 08-15-2009, 05:58 PM   #14
qwertyjjj
Senior Member
Original Poster
Quote:
Originally Posted by qwertyjjj
So, squid is not listening on port 80 even though it's there in the squid.conf file. Any ideas on what to check?
Failing that I suppose I'll have to forward the port.
 
Old 08-16-2009, 06:25 AM   #15
qwertyjjj
Senior Member
Original Poster
Is it possible that apache is somehow blocking squid from listening on the port?

Edit: I got this to work by specifying the actual IP address with port 80 in the squid.conf.
When I just listed port 80 alone, it would not work although port 8080 listed alone does work.
Strange.

Last edited by qwertyjjj; 08-16-2009 at 06:42 AM.
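The bind collision behind post #15, checked the way post #12 suggests: an added example, not code from the thread or from Squid/Apache. It reads `netstat -plnt` output (a constructed sample is embedded; its addresses, PIDs and program names are placeholders) and reports whether a planned ADDR:PORT listener would fail with EADDRINUSE because a wildcard or same-IP socket already owns the port.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a planned listener
# (ADDR:PORT) collides with a socket already shown by `netstat -plnt`.
# Linux refuses the bind (EADDRINUSE) when a wildcard listener (0.0.0.0 or ::)
# and a specific-IP listener meet on the same port, in either direction;
# two different specific IPs on the same port coexist. That is why
# "http_port 80" failed next to Apache's "Listen IP2:80" while
# "http_port IP1:80" worked.

# Constructed sample of `netstat -plnt` output; addresses, PIDs and program
# names are placeholders, not values from the thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.2:80            0.0.0.0:*               LISTEN      1201/httpd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      1350/(squid)
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1350/(squid)
tcp        0      0 0.0.0.0:1022            0.0.0.0:*               LISTEN      900/sshd'

# bind_conflict ADDR PORT [NETSTAT_OUTPUT]
# Prints each "local-address pid/program" that blocks the bind and returns 0;
# returns 1 when ADDR:PORT is free. Handles IPv4 and "::"-style wildcards;
# the third argument defaults to the constructed sample above.
bind_conflict() {
    want_addr=$1; want_port=$2; text=${3:-$SAMPLE_NETSTAT}
    printf '%s\n' "$text" | awk -v want_addr="$want_addr" -v want_port="$want_port" '
        function is_wild(a) { return a == "0.0.0.0" || a == "::" || a == "*" }
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, part, ":")
            have_port = part[n]
            # everything before the last ":" is the address (works for :::80 too)
            have_addr = substr($4, 1, length($4) - length(have_port) - 1)
            if (have_port != want_port) next
            if (have_addr == want_addr || is_wild(have_addr) || is_wild(want_addr)) {
                print $4 " " $7
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone demo: the wildcard bind Squid tried first, then the fix.
bind_conflict 0.0.0.0 80 || echo "0.0.0.0:80 is free"
bind_conflict 192.0.2.1 80 || echo "192.0.2.1:80 is free"
```

On a live host, pipe the real output in as the third argument (`bind_conflict 0.0.0.0 80 "$(netstat -plnt)"`); the same check works on `ss -plnt` output if the column positions match.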