Old 10-22-2004, 03:30 PM   #1
xilace
LQ Newbie
 
Registered: Oct 2003
Posts: 27

Rep: Reputation: 15
IP tables / squid incoming traffic


Using Fedora 3. Got squid set up and working as long as I put the address and port info into IE. Otherwise, if I try to reach something, I can get the address by name but nothing else.
example:
ping www.google.com
Pinging www.google.akadns.net [216.239.57.99] with 32 bytes of data:
host unreachable

With IE, if I put in www.google.com you can see in the status bar where it has resolved the address, yet it can't display anything and eventually times out.

I have my iptables set up according to this site: http://shorewall.net/1.4/Shorewall_Squid_Usage.html under the section "Squid (transparent) Running in the local network".

To me it seems that either squid or, more likely, my iptables are blocking incoming requests while trying to run squid transparently.

Thanks for any help,
Xilace
 
Old 10-22-2004, 05:55 PM   #2
tlowk
Member
 
Registered: Nov 2003
Location: Belgium
Distribution: Slackware
Posts: 184

Rep: Reputation: 36
You also need to configure squid for it.

Probably you have a squid.conf somewhere (/etc/squid or /usr/local/squid/etc/squid, or any
other place: 'updatedb; locate ..'):

httpd_accel_uses_host_header on


More info on
http://squid.visolve.com/squid/squid...ccelerator.htm

See also squid-cache.org for more info on squid.
 
Old 10-25-2004, 11:42 AM   #3
xilace
LQ Newbie
 
Registered: Oct 2003
Posts: 27

Original Poster
Rep: Reputation: 15
Nope, that didn't help. Here is my squid config and iptables setup:

squid.conf
http_port 3128
icp_port 3128
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
ftp_passive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 3128 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.1.0/24 192.168.2.0/24 192.168.7.0/24 192.168.0.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
reply_body_max_size 0 allow all
cache_mgr somthing@something.com
httpd_accel_port 80
httpd_accel_uses_host_header on
dns_testnames netscape.com internic.net nlanr.net microsoft.com
memory_pools off


/etc/shorewall/init

if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.168.1.1 dev eth1 table www.out
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi


/etc/shorewall/interfaces

#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect routeback


/etc/shorewall/rules

#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc loc tcp www


/etc/shorewall/policy

#SOURCE DESTINATION POLICY
loc loc ACCEPT


/etc/shorewall/start
iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202
iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128


Then I ran iptables-save > /etc/sysconfig/iptables
and chkconfig --level 35 iptables on



When IE is not configured manually I am able to ping external sites and resolve them to an IP, but I don't get the ICMP packet back, and I also can't get a page to come up in IE.

Trying to get this all to be transparent.
 
Old 10-25-2004, 12:20 PM   #4
tlowk
Member
 
Registered: Nov 2003
Location: Belgium
Distribution: Slackware
Posts: 184

Rep: Reputation: 36
I think you have eth0 on the internet and
eth1 to your network with IP 192.168.1.0/24.

With

tcpdump -i eth1 host 192.168.1.3

you will see what is happening. My guess:



A PC in your network, let's say 192.168.1.55, sends a packet to 212.212.122.212 (somewhere on the net).

Your firewall changes the destination from 212.212.212.212 to 192.168.1.3 (your squid).


Squid receives the packet (and the next ones also),
does its job, makes a connection to 212.212.212.212 (from 192.168.1.3).

Then it goes wrong:

Since squid knows the src address 192.168.1.55, it will reply directly, instead of
returning to your firewall where the reverse action of the NAT happens.

The computer 192.168.1.55 will not understand these packets since they come
from some other computer that it had no connection with.



I solved it once by putting the squid on another network; that way the reply had to
go through the gateway (which is also the firewall with the DNAT).

Maybe by marking the packet and also doing an SNAT in POSTROUTING you can get
the same effect of forcing the reply through the firewall to reverse the NAT.



Just a wild guess but this is what I've already seen, and my solution.
(FYI you can have more ip addresses on the same network interface)
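A model of the flow tlowk describes, added here as an example and not code from the thread: the gateway DNATs the client's request to the proxy, and the proxy answers whatever source address it saw. Without SNAT the reply goes straight back to the client on the flat LAN and never matches the connection the client opened; with SNAT the reply is addressed to the gateway, which reverses both translations. Addresses, ports and the toy conntrack table are constructed for the simulation.

```python
"""Simulate asymmetric replies when a transparent proxy sits on the client LAN."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses, mirroring the thread: client, gateway/firewall, squid, web server.
CLIENT, GATEWAY, SQUID, WEB = "192.168.1.55", "192.168.1.1", "192.168.1.3", "212.212.212.212"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Firewall that DNATs web traffic to squid and, optionally, SNATs it to itself."""

    def __init__(self, snat: bool) -> None:
        self.snat = snat
        self.conntrack: Dict[Tuple[str, int, str, int], Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        # DNAT: client -> web:80 becomes (client or gateway) -> squid:3128.
        out = Packet(GATEWAY if self.snat else pkt.src, pkt.sport, SQUID, 3128)
        # Remember the reply 4-tuple so it can be un-NATed on the way back.
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        # Restore the original web server as source and the client as destination.
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def squid_reply(req: Packet) -> Packet:
    """Squid answers directly to the source address it saw in the request."""
    return Packet(req.dst, req.dport, req.src, req.sport)


def deliver(gw: Gateway, reply: Packet) -> Optional[Packet]:
    """On a flat LAN only a reply addressed to the gateway passes back through the NAT."""
    return gw.reverse(reply) if reply.dst == GATEWAY else reply


def client_accepts(sent: Packet, reply: Packet) -> bool:
    """The client's stack only matches a reply from the peer it actually connected to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (sent.dst, sent.dport, sent.src, sent.sport)


def simulate(snat: bool) -> bool:
    gw = Gateway(snat)
    sent = Packet(CLIENT, 40000, WEB, 80)
    delivered = deliver(gw, squid_reply(gw.forward(sent)))
    return delivered is not None and client_accepts(sent, delivered)
```

`simulate(False)` reproduces the broken case from the thread and `simulate(True)` the SNAT fix; the same mismatch is what shows up in the tcpdump tlowk suggests, as replies from 192.168.1.3:3128 to a client that expected them from port 80 of the web server.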
 
Old 10-25-2004, 12:35 PM   #5
xilace
LQ Newbie
 
Registered: Oct 2003
Posts: 27

Original Poster
Rep: Reputation: 15
Sorry about that... yes, eth0 is to the internet and eth1 is to the LAN at 192.168.1.1.

As it stands right now I am setting this up for work, so right now the squid server is getting its eth0 address via DHCP from our network. Then it's connected to another machine that I am testing all of this on.
 
Old 10-25-2004, 01:38 PM   #6
tlowk
Member
 
Registered: Nov 2003
Location: Belgium
Distribution: Slackware
Posts: 184

Rep: Reputation: 36
Can you check if my guess is correct?

The system I set up once also gave addresses with DHCP.

The interface eth1 can have 2 addresses and you can still use DHCP for them
as long as the networks are disjoint, and in 1 network you need to use
the MAC address to specify an IP address.

The things for dhcpd.conf (check man dhcpd.conf):

You need shared-network { } around the subnets in dhcpd,
and with this option
'deny unknown-clients;'

you allow only the hosts you specify by MAC address in the subnet {} block
on this network; the others can get a dynamic address.

# some hints for the dhcpd.conf (keep a copy of the original)
shared-network .. {
subnet .... {
...
host squid {
hardware ethernet 00:30:21:23:dc:d1;
fixed-address 192.168.10.13;
}
}
}
shared-network .. {
}

Maybe this can help, but first you need to know if the problem appears as
described.
 