Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hi
I want to forward port 80 to my squid on 3128.
I have the following but not sure what the eth1 refers to. Can I leave it out or should it be eth0?
I think I have to add an -s xx.xx.xx.xx to the lines as well.
Do I need the forward line at all?
The reason for the forwarding is I have apache on the server, I don't want apache to run for this IP address so I have port 80 blocked on this IP. However, it operates on a different IP address and I want to leave the port 80 open on that one.
I would like to allow 80 to be used on this IP but only for the proxy and forward to squid for those office networks that allow their users to access port 80.
Squid currently listens on 8080 and 3128.
I thought we agreed that transparent proxies sucked??
-i eth1 means the data is entering the eth1 nic.
This is a public server. I need to allow people to connect to port 80 for example if they are trying to bypass their work firewall and perhaps their network only allows them out through port 80.
So, is this line all I need? What about the forward line?
I don't understand how your requirements are relevant to a transparent proxy..? If you're using port 80 as an explicit proxy port, then don't use iptables, just make squid listen on that port in the first place.
Off topic, you have a few pointless rules in the firewall there. At the top you have the related/established line. That covers ALL existing traffic, so there is no point mentioning existing connections below at all.
Well, it seems to block when I don't list a specific port, so it must be doing something? So get rid of these 2?
Aren't these rules necessary for when you restart iptables?
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
This is not a transparent proxy. As mentioned, I have apache running on the server but the server has 2 IP addresses.
I don't want port 80 open on 1 of the servers so if I just open it and let squid listen, then apache is also open hence the forwarding rule for 1 of the IP addresses.
i.e. xx.xx.xx.x1:80 forwarded to squid, therefore 80 blocked for apache;
xx.xx.xx.x2:80 open for apache.
If you only have one IP address for apache, then make it only listen on that port using a more specific "Listen" configuration option. That's the elegant solution. You'd never use one service to block another, that seems really odd.
Can apache listen to port 80 with data only destined for IP xx.xx.xx.1?
The point of the firewall doing it is that I thought the programs simply listened to a port, in which case it needs to be split by the firewall; otherwise data destined for port 80, with apache and squid listening on the same port, is going to cause havoc.
Squid isn't responding on port 80. I have this in the squid conf and have restarted it:
Code:
http_port 3128
http_port 8080
http_port 80
This in apache, and I restarted httpd:
Code:
Listen xx.xxx.xxx.xx2:80
On IP 1: no apache response, no squid response, but squid should be listening on port 80.
On IP 2: correct apache response, no squid response as it is blocked in iptables.
Is it possible that apache is somehow blocking squid from listening on the port?
Edit: I got this to work by specifying the actual IP address with port 80 in the squid.conf.
When I just listed port 80 alone, it would not work although port 8080 listed alone does work.
Strange.