Korr.ban (Tux's lil' helper)
Joined: 05 Jul 2004, Posts: 98, Location: Ex Inferis
Posted: Sun Aug 08, 2004 11:19 pm
Post subject: [ SOLVED ] Forwarding LOOP problem
I have the following setup:
BOX (192.168.0.1) = firewall/router
BOX (192.168.0.2) = mail server/proxy
My firewall that I'm testing this with looks like:
Code:
# Enable routing between the external (eth0) and internal (eth1) interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
EXT=eth0
INT=eth1
# Flush the filter and nat tables and delete any user-defined chains
iptables -F
iptables -t nat -F
iptables -X
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
# Default policy: drop everything addressed to the router itself
iptables -P INPUT DROP
iptables -A FORWARD -s 192.168.0.2/24 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -s 192.168.0.2/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Transparent proxy: redirect HTTP to non-local destinations to Squid on 192.168.0.2:3128
iptables -t nat -A PREROUTING -d ! 192.168.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:3128
# Rewrite the source of redirected LAN traffic so the proxy answers via the router
iptables -t nat -A POSTROUTING -o $INT -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1
# Accept loopback and anything arriving on the internal interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT -j ACCEPT
iptables -A INPUT -i $INT -p tcp --dport 22 -j ACCEPT
# Forwarding: replies from outside in, anything from the LAN out
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT -j ACCEPT
# Masquerade LAN traffic leaving on the external interface
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A PREROUTING -i $EXT -p tcp --dport 80 -j DNAT --to 192.168.0.3:3128
# ICMP from outside: allow replies and errors only, drop the rest
iptables -A INPUT -i $EXT -p icmp --icmp-type "echo-reply" -j ACCEPT
iptables -A INPUT -i $EXT -p icmp --icmp-type "destination-unreachable" -j ACCEPT
iptables -A INPUT -i $EXT -p icmp --icmp-type "time-exceeded" -j ACCEPT
iptables -A INPUT -i $EXT -p icmp -j DROP
iptables -A OUTPUT -o $EXT -p icmp --icmp-type ! "echo-request" -j DROP
iptables -A FORWARD -i $EXT -p icmp -j DROP
# Persist the rule set with the Gentoo init script
/etc/init.d/iptables start
/etc/init.d/iptables save
/etc/init.d/iptables stop
/etc/init.d/iptables start
echo ""
echo ""
echo "Firewall Loaded with no errors"
I keep getting an error when trying to access any webpage:
Quote:
The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: http://www.gentoo.org/
The following error was encountered:
Unable to determine IP address from host name for www.gentoo.org
The dnsserver returned:
Name Error: The domain name does not exist.
This means that:
The cache was not able to resolve the hostname presented in the URL.
Check if the address is correct.
Your cache administrator is webmaster.
The access.log file has this:
Code:
1091969800.939 4 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091969801.986 51 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091970048.740 4 192.168.0.1 TCP_MISS/503 1371 GET http://www.clamav.net/ - NONE/- text/html
1091970596.945 2 192.168.0.1 TCP_MISS/503 1371 GET http://www.clamav.net/ - NONE/- text/html
1091970598.007 2 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091970986.384 4 192.168.0.1 TCP_MISS/503 1351 GET http://google.ca/ - NONE/- text/html
1091971008.600 3 192.168.0.1 TCP_MISS/503 1351 GET http://google.ca/ - NONE/- text/html
1091971535.220 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091971604.374 5 192.168.0.1 TCP_MISS/503 1363 GET http://www.google.ca/ - NONE/- text/html
1091971618.229 3 192.168.0.1 TCP_MISS/503 1366 GET http://www.google.com/ - NONE/- text/html
1091972311.623 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091973412.442 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091973450.587 1 192.168.0.1 TCP_MISS/503 1377 GET http://www.pastebin.com/ - NONE/- text/html
1091973660.046 5 192.168.0.1 TCP_MISS/503 1402 POST http://forums.gentoo.org/search.php? - NONE/- text/html
1091975549.107 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091975815.745 2 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091975863.113 2 192.168.0.1 TCP_MISS/503 1371 GET http://www.gentoo.org/ - NONE/- text/html
1091976818.551 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976821.416 873 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976840.227 323 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976841.312 77 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976849.586 2 192.168.0.1 TCP_MISS/503 1371 GET http://www.gentoo.org/ - NONE/- text/html
1091976851.523 979 192.168.0.1 TCP_MISS/503 1371 GET http://www.gentoo.org/ - NONE/- text/html
1091976985.458 4 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976987.837 382 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976991.964 2 192.168.0.1 TCP_MISS/503 1377 GET http://www.slashdot.org/ - NONE/- text/html
1091977233.993 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091977254.608 3 192.168.0.1 TCP_MISS/503 1363 GET http://www.google.ca/ - NONE/- text/html
1091977341.940 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091977605.646 4 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
cache.log:
Code:
2004/08/08 05:59:45| Starting Squid Cache version 2.5.STABLE6 for i586-pc-linux-gnu...
2004/08/08 05:59:45| Process ID 1821
2004/08/08 05:59:45| With 1024 file descriptors available
2004/08/08 05:59:45| Performing DNS Tests...
2004/08/08 05:59:45| Successful DNS name lookup tests...
2004/08/08 05:59:45| DNS Socket created at 0.0.0.0, port 1032, FD 4
2004/08/08 05:59:45| Adding nameserver 192.168.0.1 from /etc/resolv.conf
2004/08/08 05:59:45| Unlinkd pipe opened on FD 9
2004/08/08 05:59:45| Swap maxSize 102400 KB, estimated 7876 objects
2004/08/08 05:59:45| Target number of buckets: 393
2004/08/08 05:59:45| Using 8192 Store buckets
2004/08/08 05:59:45| Max Mem size: 8192 KB
2004/08/08 05:59:45| Max Swap size: 102400 KB
2004/08/08 05:59:45| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
2004/08/08 05:59:45| Using Least Load store dir selection
2004/08/08 05:59:45| Current Directory is /usr/local/squid
2004/08/08 05:59:45| Loaded Icons.
2004/08/08 05:59:45| Accepting HTTP connections at 0.0.0.0, port 3128, FD 10.
2004/08/08 05:59:45| Accepting ICP messages at 0.0.0.0, port 3130, FD 11.
2004/08/08 05:59:45| WCCP Disabled.
2004/08/08 05:59:45| Ready to serve requests.
2004/08/08 05:59:46| Done scanning /usr/local/squid/var/cache swaplog (0 entries)
2004/08/08 05:59:46| Finished rebuilding storage from disk.
2004/08/08 05:59:46| 0 Entries scanned
2004/08/08 05:59:46| 0 Invalid entries.
2004/08/08 05:59:46| 0 With invalid flags.
2004/08/08 05:59:46| 0 Objects loaded.
2004/08/08 05:59:46| 0 Objects expired.
2004/08/08 05:59:46| 0 Objects cancelled.
2004/08/08 05:59:46| 0 Duplicate URLs purged.
2004/08/08 05:59:46| 0 Swapfile clashes avoided.
2004/08/08 05:59:46| Took 0.6 seconds ( 0.0 objects/sec).
2004/08/08 05:59:46| Beginning Validation Procedure
2004/08/08 05:59:46| Completed Validation Procedure
2004/08/08 05:59:46| Validated 0 Entries
2004/08/08 05:59:46| store_swap_size = 0k
2004/08/08 05:59:46| storeLateRelease: released 0 objects
Any ideas as to what I'm doing wrong?
Thank you.
--
Registered Linux User #375052
DevShell - Viva La Revolusion!
Last edited by Korr.ban on Mon Aug 09, 2004 5:19 pm; edited 1 time in total
sf_alpha (Tux's lil' helper)
Joined: 19 Sep 2002, Posts: 136, Location: Bangkok, TH
Posted: Sun Aug 08, 2004 11:45 pm
Check that your proxy server can access external websites:
wget -O - www.gentoo.org or something
I think this line causes a NAT loop from your proxy:
Code:
iptables -t nat -A PREROUTING -d ! 192.168.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:3128
You need an additional line before it; you must exclude the proxy server from DNAT.
Is your mask wrong? 192.168.0.2/24 <--- ?
Try using this instead:
Code:
# Let the proxy's own traffic skip the redirect (the proxy is 192.168.0.2; this rule must come first)
iptables -t nat -A PREROUTING -s 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -d ! 192.168.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:3128
I'm not sure about this solution. Hope it works for you.
--
Gentoo Mirrors in Thailand (and AP)
http://gentoo.in.th
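The exclusion sf_alpha describes, worked through as an added example (this is not code from the thread): a small POSIX shell script for the same two-box layout that places the proxy-exclusion rule ahead of the DNAT, checks that order before loading anything, and has a dry-run mode that prints the rules instead of calling iptables. The function names, the DRY_RUN switch and the LAN/PROXY/ROUTER variables are my own; the addresses, interfaces and port are the thread's. It goes a little beyond the thread's rule by restricting the DNAT to the internal interface and the LAN source range and by SNATing only the redirected port, which the original rule did not do.

```shell
#!/bin/sh
# Added example, not from the thread. Transparent-proxy NAT rules for:
#   router 192.168.0.1 (eth0 external, eth1 internal), Squid on 192.168.0.2:3128
# Run as "sh script.sh show" to print the rules, "sh script.sh apply" to load them.
EXT=eth0
INT=eth1
LAN=192.168.0.0/24
PROXY=192.168.0.2
PROXY_PORT=3128
ROUTER=192.168.0.1

# The nat rules, one per line, in the order they must be appended.
# Rule 1 is the one the thread was missing: packets the proxy itself sends
# to port 80 arrive on eth1 and traverse PREROUTING like any LAN client's,
# so without the early ACCEPT the DNAT would send Squid's own fetches back
# into Squid (the NAT loop). ACCEPT in a nat chain stops further nat rules
# in that chain from being evaluated for the packet.
proxy_redirect_rules() {
    cat <<EOF
-t nat -A PREROUTING -i $INT -s $PROXY -j ACCEPT
-t nat -A PREROUTING -i $INT -s $LAN ! -d $LAN -p tcp --dport 80 -j DNAT --to-destination $PROXY:$PROXY_PORT
-t nat -A POSTROUTING -o $INT -s $LAN -d $PROXY -p tcp --dport $PROXY_PORT -j SNAT --to-source $ROUTER
EOF
}

# Guard against re-introducing the loop: the proxy exclusion (an ACCEPT with
# the proxy as source) must appear before the first DNAT. Returns 0 if so.
check_order() {
    proxy_redirect_rules | awk -v p="$PROXY" '
        /-j ACCEPT/ && $0 ~ ("-s " p) && !seen_dnat { excl = NR }
        /-j DNAT/ && !seen_dnat { dnat = NR; seen_dnat = 1 }
        END { exit ((excl && dnat && excl < dnat) ? 0 : 1) }'
}

# Load the rules, or print them when DRY_RUN is set. Refuses to load if the
# order check fails, so a bad edit cannot silently recreate the loop.
apply_rules() {
    check_order || { echo "refusing to load: proxy exclusion must precede DNAT" >&2; return 1; }
    proxy_redirect_rules | while read -r rule; do
        if [ -n "$DRY_RUN" ]; then
            printf 'iptables %s\n' "$rule"
        else
            # shellcheck disable=SC2086
            iptables $rule
        fi
    done
}

case "${1:-}" in
    show)  DRY_RUN=1 apply_rules ;;
    apply) apply_rules ;;
esac
```

The `-i $INT` on the DNAT line matters as well: the thread's rule matched any interface, so port-80 traffic entering on eth0 could also be redirected into the proxy. Running the script with `show` first and reading the printed rules is the cheapest way to confirm the exclusion sits ahead of the DNAT before touching a live router.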
Korr.ban (Tux's lil' helper)
Joined: 05 Jul 2004, Posts: 98, Location: Ex Inferis
Posted: Mon Aug 09, 2004 12:35 am
sf_alpha wrote:
> Check that your proxy server can access external websites:
> wget -O - www.gentoo.org or something
> I think this line causes a NAT loop from your proxy.
I can't access the net from the proxy through lynx. That's why I need to somehow clear a path for the proxy to go through the firewall. I'm checking your changes in the code right now.
--
Registered Linux User #375052
DevShell - Viva La Revolusion!
Korr.ban (Tux's lil' helper)
Joined: 05 Jul 2004, Posts: 98, Location: Ex Inferis
Posted: Mon Aug 09, 2004 12:49 am
Here is the new proxy forward code:
Code:
# Let the proxy's traffic through the FORWARD chain
iptables -A FORWARD -s 192.168.0.2 -j ACCEPT
# Exclude the proxy itself from the redirect before the DNAT rule
iptables -t nat -A PREROUTING -s 192.168.0.2 -j ACCEPT
# Transparent proxy: redirect HTTP to non-local destinations to Squid
iptables -t nat -A PREROUTING -d ! 192.168.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:3128
# Rewrite the source of redirected LAN traffic so the proxy answers via the router
iptables -t nat -A POSTROUTING -o $INT -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1
It didn't change anything except that I can now access the internet from the proxy through Lynx.
--
Registered Linux User #375052
DevShell - Viva La Revolusion!