Gentoo Forums
Squid and IPTables... Together in harmony?
Forum: Networking & Security
Eum-Spliffum
n00b
Joined: 07 Aug 2003
Posts: 47

PostPosted: Tue Sep 16, 2003 12:37 am    Post subject: Squid and IPTables... Together in harmony? Reply with quote

I was doing a little reading and decided to go with Squid to meet my new NATing needs. I wanted to open a few ports for this and for that.

My current IPTables consists of a single chain rule.

Code:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

root@moses squid # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


I went through the default configuration for Squid and to the best of my knowledge I un/commented everything I needed to, then proceeded to the access control lists (acl) and specified what I needed open and what to do with it.

After I finished I saved--started Squid--restarted iptables--only to find that it did nothing?! I'm still somewhat of an amateur with firewalls and I feel I need some assistance. Thanks.
_________________
--m0ses
Eum-Spliffum
n00b
Joined: 07 Aug 2003
Posts: 47

PostPosted: Tue Sep 16, 2003 12:47 am    Post subject: Reply with quote

In addition...
I noticed that in the gentoo docs, in the acl section this is entered:
acl purge method PURGE, instead of
acl CONNECT method CONNECT...

And, they're using port 3128 instead of 80 or 8080 for http_port...??
_________________
--m0ses
xedx
Tux's lil' helper
Joined: 23 May 2003
Posts: 93

PostPosted: Tue Sep 16, 2003 3:48 am    Post subject: Reply with quote

port 3128 is a standard for proxy ports...
squid alone can block ports too...
_________________
--+//+
Diorf
n00b
Joined: 05 Jun 2003
Posts: 52
Location: Paris

PostPosted: Tue Sep 16, 2003 10:10 am    Post subject: Reply with quote

just a little comment: in your current firewall config it does nothing and accepts all packets from all interfaces. It's because your default policy for iptables is set to ACCEPT for all tables (it's the default). If you just want connections that are ESTABLISHED or RELATED to be accepted from eth0 (and nothing from the other interfaces) you have to do:

Code:
$ iptables -P INPUT DROP
$ iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


But it is very important that you accept all incoming traffic from lo (127.0.0.1), otherwise it can cause your box to burn out in flames of hell (er, not that much, but it is very important). So just add:

Code:
$ iptables -A INPUT -i lo -j ACCEPT


Hope this can help
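Added example (not from the thread, and not Diorf's or the poster's code): the default-DROP idea from the post above carried through to a complete ruleset for a box that runs Squid on 3128 and NATs a LAN behind it. The interface names (eth0 to the outside, eth1 to the LAN), the LAN subnet 192.168.1.0/24 and the SSH rule are assumptions; change them to match the box. Run it with `--apply` as root to load the rules; without arguments it only prints them.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful ruleset for a Squid box.
# Assumptions: eth0 faces the Internet, eth1 faces the LAN 192.168.1.0/24,
# Squid listens on 3128, and the admin reaches the box over SSH from the LAN.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
IPT="${IPT:-iptables}"      # set IPT=dry_run to print the rules instead of loading them

dry_run() { printf '%s\n' "$*"; }

firewall_rules() {
    # One iptables argument list per line, in the order they must be loaded:
    # flush, set the policies to DROP, then accept lo and replies to our own
    # connections before any port is opened.
    cat <<EOF
-F INPUT
-F FORWARD
-t nat -F POSTROUTING
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

apply_rules() {
    firewall_rules | while IFS= read -r rule; do
        # word splitting of $rule is intended: each line is one argument list
        $IPT $rule
    done
}

case "${1:-}" in
    --apply)
        echo 1 > /proc/sys/net/ipv4/ip_forward   # needed for the FORWARD/NAT rules to do anything
        apply_rules
        ;;
    *)
        IPT=dry_run apply_rules                  # dry run: show what --apply would load
        ;;
esac
```

With INPUT and FORWARD at DROP, only what a rule names is reachable: the proxy port and SSH from the LAN, and the NAT path for LAN hosts. This does not by itself send web traffic through Squid; clients still have to be configured to use the box on port 3128 as their proxy, or their HTTP goes straight out through the NAT rule.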
Eum-Spliffum
n00b
Joined: 07 Aug 2003
Posts: 47

PostPosted: Tue Sep 16, 2003 2:42 pm    Post subject: Reply with quote

If only that were true in this case.
I know that's what the rule says but--that isn't the case really...

My problem is, I need around a dozen or so ports to be open for specific applications and certain file-transfer protocols. When trying to use these ports, well I can't cuz they aren't open. :wink:

I've searched the forums and there isn't a real clean-cut-and-dry answer to solve this dilemma. First and foremost, Squid and IPtables need to be run concurrently, correct? Okay, then with my current NAT rule for IPT I should be able to config. and run Squid however I like, but that appears not to be the case in my situation. I'm sure I forgot to do something, but I'm off to work. Any additional information would be gravy for me.

Thanks.
_________________
--m0ses
grimshaw
Tux's lil' helper
Joined: 07 Aug 2003
Posts: 101
Location: Greensboro, NC 27403, USA, Earth

PostPosted: Tue Sep 16, 2003 7:24 pm    Post subject: Reply with quote

Did you get an error from squid?

Try this to make sure you don't have a squid acl issue:

telnet localhost 3128
GET http://www.gnu.org/ HTTP/1.0

<this should return a lot of web page stuff>

telnet yourrealipaddress 3128
GET http://www.gnu.org/ HTTP/1.0

<this should return a lot of web page stuff too>

Reply with comments on what happened.

- John
_________________
All that is necessary for the triumph of evil is that good men do nothing.
-- Edmund Burke (1729-1797)
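Added example (not from the thread, and not grimshaw's code): the same telnet check as a script, written so the two failure modes can be told apart. If nothing comes back at all, the connection never reached Squid and the iptables rules (or http_port) are the place to look; a 403 means Squid answered and one of its http_access rules refused the request. Host, port and URL are passed in as arguments; `nc` with `-w` as a timeout is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the thread: classify a proxy's answer to the
# request grimshaw typed into telnet.  Assumes nc accepts -w <seconds>.

classify_response() {
    # Reads an HTTP response on stdin and prints one word describing it.
    status=''
    IFS= read -r status || true
    status=$(printf '%s' "$status" | tr -d '\r')
    case "$status" in
        HTTP/*) ;;
        *) echo "no-response"; return 1 ;;   # nothing came back: the packet never reached squid
    esac
    code=${status#* }; code=${code%% *}      # "HTTP/1.0 403 Forbidden" -> "403"
    case "$code" in
        2*|3*) echo "ok" ;;                  # squid fetched the page: squid and iptables are fine
        403)   echo "denied" ;;              # squid is reachable but an http_access rule refused it
        *)     echo "other:$code" ;;
    esac
}

probe_proxy() {
    # Usage: probe_proxy <host> <port> <url>
    resp=$(printf 'GET %s HTTP/1.0\r\n\r\n' "$3" | nc -w 5 "$1" "$2" 2>/dev/null) || true
    printf '%s\n' "$resp" | classify_response
}

# e.g. probe_proxy localhost 3128 http://www.gnu.org/
#      probe_proxy yourrealipaddress 3128 http://www.gnu.org/
if [ $# -eq 3 ]; then
    probe_proxy "$@"
fi
```

Run it once against localhost and once against the box's real address, as in the post above: "ok" on localhost but "no-response" on the real address points at the firewall or at Squid listening only on 127.0.0.1, while "denied" on both points at the acl/http_access lines in squid.conf.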