Tux

...making Linux just a little more fun!

IPTables + Squid problem

Deividson Okopnik [deivid.okop at gmail.com]


Tue, 9 Nov 2010 12:43:04 -0300

Hello everyone

My old internet server crashed and i had to setup a new one, and im having several problems.

My squid configuration is pretty simple, I basically allow everything:

Allow manager localhost 	
Deny manager 	
Allow purge localhost 	
Deny purge 	
Allow localhost 	
Allow all

And my iptables config file is empty (exists but is empty - /etc/network/iptables)

And msn doesnt work on the machines behind the proxy, and noone can atach files to emails - im guessing no ports are being forwarded (cause of the empty iptables file) but if I put content in it, eg.:

#!/bin/bash
iptables -F
and do an sudo iptables-apply, it gives me an "line 2 failed - failed" - what am I doing wrong? btw im on ubuntu 10.04, and allowing any outgoing connection to any port would be good enough, later Ill think about the security.


Top    Back


Deividson Okopnik [deivid.okop at gmail.com]


Tue, 9 Nov 2010 14:27:29 -0200

2010/11/9 Deividson Okopnik <deivid.okop at gmail.com>:

> Hello everyone
> and do an sudo iptables-apply, it gives me an "line 2 failed - failed"
> - what am I doing wrong? btw im on ubuntu 10.04, and allowing any
> outgoing connection to any port would be good enough, later Ill think
> about the security.
>

Ok, now I messed a bit with iptables and managed to get the following rules up:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3128
ACCEPT     all  --  anywhere             anywhere
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:msnp
ACCEPT     all  --  anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
still no msn working, but emails are ataching ok (squid config still the same) is there anywhere i can see why a connection is being refused?


Top    Back


Francis Daly [francis at daoine.org]


Tue, 9 Nov 2010 16:38:34 +0000

On Tue, Nov 09, 2010 at 12:43:04PM -0300, Deividson Okopnik wrote:

Hi there,

> My old internet server crashed and i had to setup a new one, and im
> having several problems.

Ouch.

From your description, there seems to be multiple potential problems. Hopefully the hints here will help you sort the important ones quickly.

> My squid configuration is pretty simple, I basically allow everything:
> Allow manager localhost 	
> Deny manager 	
> Allow purge localhost 	
> Deny purge 	
> Allow localhost 	
> Allow all

And does that allow someone using the proxy server to browse the web? If so, yay, that much is working. If not, that's something that will need fixing.

You probably know this already, but just to spell it out for anyone new following along:

You must have networking set up correctly before the applications can work.

For squid (or any proxy service), the clients talk to the proxy, and the proxy talks to the world. That's two different networking setups. A third one, which you may also want, is for the clients to talk to the world.

On the squid box, can you access the world? Ping a well-known public server by IP address. (I suggest 8.8.8.8, because it's easy to remember. But that's not my address, so don't unintentionally dos-attack it.) If that doesn't work, stop worrying about applications and do whatever it takes to make it work. (Or understand that ping is blocked on your network, but things you actually need are allowed, so test with one of those things instead.)

When it does work, try an expected-to-work http GET -- pick a url and use "curl" or "wget" to fetch it. When that works (by now you've got DNS working too, hurray), you can expect that squid will be able to fulfil any request it gets. The proxy can talk to the world.

So now ensure that the clients can talk to the proxy server. On the client, "telnet squid-server squid-port", and do something like "GET / HTTP/1.0" followed by two returns. It's an invalid request (it must have an indication of which host is wanted), but that's OK: all you want to see is that you could connect, and that squid returned some kind of message.

If you don't see that, then you'll need to find why: can the client not route to squid? Can the client not send traffic out? Can squid not get traffic in? Can squid not route back to the client?

(If this was a fully-working network that had one machine fail, then just restoring that machine should be sufficient. If this "internet server" was also the dhcp server, then you'll want to put that back first, so that the clients get the right network information.)

> And my iptables config file is empty (exists but is empty -
> /etc/network/iptables)
> 
> And msn doesnt work on the machines behind the proxy,

I don't know msn: if it works through a http proxy, then when squid is working, it should work too. If it doesn't proxy, but instead works through a NAT gateway, then (assuming that your internet server is the NAT gateway of your network) you'll need to enable that too. That is "the clients must access the world".

https://help.ubuntu.com/10.04/serverguide/C/firewall.html seems to have useful details.

> and noone can atach files to emails

By itself, that report is surprising. The unstated "people can send emails without attachments" is particularly odd, since SMTP doesn't care about attachments. If SMTP allows a mail be sent, it allows a mail be sent.

Unless you're not using SMTP?

> - im guessing no ports are being forwarded

In general, ports don't need to be forwarded. Unless you're running a public-facing service here. Oh, you said "internet server". Is this for "lan users to get access to the world", or "world users to get access to something on the lan"? The setup will differ.

Good luck with it,

f

-- 
Francis Daly        francis at daoine.org


Top    Back


Francis Daly [francis at daoine.org]


Tue, 9 Nov 2010 16:51:50 +0000

On Tue, Nov 09, 2010 at 02:27:29PM -0200, Deividson Okopnik wrote:

Hi there,

> Ok, now I messed a bit with iptables and managed to get the following rules up:
> $ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3128
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:msnp
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination

I'm confused as to what your network is supposed to look like.

Could you draw a picture?

I think you've said that clients can talk to the proxy server, and the proxy server can talk to the world, but clients can't talk to the world (using the proxy server as their gateway).

If that is the case, then enabling ip_forward and adding an "iptables -t nat -j MASQUERADE" rule on the proxy server may be an adquate start -- see the ubuntu firewall documentation from the previous mail for ways to do that.

> still no msn working, but emails are ataching ok (squid config still the same)
> is there anywhere i can see why a connection is being refused?

Guessing, things below /var/log.

I'd probably also try a tcpdump on each interface, to see how far traffic is getting. But I'd try to understand exactly what should be happening first, so that I'd be able to interpret whatever logs I did see.

Good luck with it,

f

-- 
Francis Daly        francis at daoine.org


Top    Back