RE: [squid-users] Squid and Firewall on Gateway

From: Shafyx <[email protected]>
Date: Sun, 19 Dec 2004 21:30:39 -0800 (PST)

Hi Chris,

Thanks, it worked.

--- Chris Robertson <crobertson@gci.com> wrote:

> Your firewall rules seem to be preventing your gateway from doing DNS lookups...
>
> Add a rule like:
>
> ## DNS Lookups
> iptables -A INPUT -p udp -i eth1 --sport 53 -d 192.168.192.70 -j ACCEPT
> iptables -A OUTPUT -p udp -o eth1 --dport 53 -s 192.168.192.70 -j ACCEPT
>
> And you should be set.
>
> Chris
>
> -----Original Message-----
> From: Shafyx [mailto:debianyx@yahoo.com]
> Sent: Wednesday, December 15, 2004 10:37 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Squid and Firewall on Gateway
>
>
> Hello
>
>
> I have installed a Debian machine that acts as a
> gateway to my LAN. The job of the gateway is to
> provide a caching server for my LAN as well as a
> firewall. Here is my architecture:
>
>            eth1              eth0
> ADSL <---> [Gateway] <---> LAN
>
> eth1 = 192.168.192.70, eth0 = 192.168.1.1,
> LAN = 192.168.1.0/24
>
> On the Gateway, I have squid 2.5.STABLE7 and it
> authenticates all the users connecting to the
> internet. Thus, it is not a transparent proxy. I am
> also using iptables to build the firewall. The proxy
> listens on port 3128.
>
> The firewall works, but for port 3128 I don't know
> what to do.
>
> When I browse without activating the proxy in my
> browser, I can surf the internet, but when I activate
> the proxy it gives:
>
> The requested URL could not be retrieved
>
> While trying to retrieve the URL:
> http://www.yahoo.com/
>
> The following error was encountered:
>
> Unable to determine IP address from host name
> for
> www.yahoo.com
>
> The dnsserver returned:
>
> Timeout
>
> This means that:
>
> The cache was not able to resolve the hostname
> presented in the URL.
> Check if the address is correct.
>
> Your cache administrator is webmaster.
>
>
> Here is what access.log says:
> 1103182301.857 1 192.168.1.23 TCP_DENIED/407 1761 GET http://www.yahoo.com/ - NONE/- text/html
>
>
> Here is an extract of the firewall:
> iptables -F
> iptables -F -t nat
> iptables -X
> ### Drop everything by default
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> ## Packets for localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> ## Unrestricted traffic within the LAN
> iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
> iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT
>
> ## Internal traffic leaves with the external IP
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to 192.168.192.70
>
> ## Allow packets to leave the LAN
> iptables -A FORWARD -m state --state NEW,ESTABLISHED -i eth0 -s 192.168.1.0/24 -j ACCEPT
>
> ## Allow packets to return to the LAN
> ##iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -d 192.168.1.0/24 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -s ! 192.168.1.0/24 -j ACCEPT
>
> ## WWW-CACHE
> iptables -A INPUT -p tcp -i eth1 --sport 3128 -d 192.168.192.70 -j ACCEPT
> iptables -A OUTPUT -p tcp -o eth1 -s 192.168.192.70 --dport 3128 -j ACCEPT
>
> ## HTTP Client
> iptables -A INPUT -p tcp -i eth1 --sport 80 -d 192.168.192.70 -j ACCEPT
> iptables -A OUTPUT -p tcp -o eth1 --dport 80 -s 192.168.192.70 -j ACCEPT
>
>
>
>
> Please, could someone help me sort out the problem?
>
>
> Thanks
>
> A+
>
> S.
> --
> Shafeek Sumser
>
>
>
>
>
>
>

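The fix Chris describes, carried through into a complete ruleset for the gateway in Shafyx's message, as an added example that is not from the thread or from the Squid project. The interfaces and addresses (eth1/192.168.192.70, eth0/192.168.1.0/24, port 3128) are the ones posted; the `print`/`apply` arguments and the `IPT` override for dry runs are this example's own. It keeps the default-DROP policies and the SNAT, but replaces the `--sport 53/80/3128` accept rules with state matching: with the posted rules, any host on the Internet can reach any TCP port on the gateway simply by sending from source port 80 or 3128, because the INPUT rule keys only on the remote port. It also opens TCP 53, which resolvers fall back to for answers too large for one UDP datagram.

```shell
#!/bin/sh
# Gateway firewall for a non-transparent, authenticating Squid (added example,
# not from the thread). Interfaces and addresses are those from the original
# post; override any of them, or set IPT=echo for a dry run, via the environment.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IP="${WAN_IP:-192.168.192.70}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

apply_rules() {
    $IPT -F
    $IPT -F -t nat
    $IPT -X
    # Drop everything by default, as in the original ruleset
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback: Squid talks to its own helper processes over lo
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to anything the gateway or the LAN started. This replaces the
    # --sport 53/80/3128 rules: a rule that accepts on remote source port alone
    # lets any Internet host reach any gateway port by sending from port 80.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may open connections to the gateway, including Squid on
    # $SQUID_PORT (the original accepted everything from the LAN as well);
    # add "-p tcp --dport $SQUID_PORT" if the gateway runs nothing else.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # DNS for Squid's dnsserver helpers: the rule missing in the thread.
    # UDP, plus TCP for answers too large for a single UDP datagram.
    $IPT -A OUTPUT -o "$WAN_IF" -s "$WAN_IP" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -s "$WAN_IP" -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # Squid fetching from origin servers (HTTP, and HTTPS via CONNECT)
    $IPT -A OUTPUT -o "$WAN_IF" -s "$WAN_IP" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # Upstream cache on 3128, as the original "WWW-CACHE" rule allowed
    $IPT -A OUTPUT -o "$WAN_IF" -s "$WAN_IP" -p tcp --dport "$SQUID_PORT" -m state --state NEW -j ACCEPT

    # LAN hosts going out directly, SNATed to the WAN address, as in the
    # original post. This is what lets a browser without the proxy configured
    # surf anyway, bypassing Squid's authentication; drop these two lines to
    # force every client through the proxy.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to "$WAN_IP"
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
}

# Without an argument the script only prints the iptables arguments it would
# run; "apply" loads them (needs root).
case "${1:-print}" in
    apply) apply_rules ;;
    print) IPT=echo; apply_rules ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run `sh gateway-fw.sh` first and read the generated rules; then `sh gateway-fw.sh apply` as root. The `state` match is the one the thread's own rules use; on current kernels `-m conntrack --ctstate` is the preferred spelling and takes the same state names.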
Received on Sun Dec 19 2004 - 22:30:50 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:02 MST