[squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

Walter H. walter.h at mathemainzel.info
Tue Jul 18 12:29:04 UTC 2017


Hello,

my router box runs CentOS 6 with the EPEL squid34 RPM package

this is the iptables configuration:
<BEGIN /etc/sysconfig/iptables>
*filter
# Default policy for all three chains is DROP: anything not ACCEPTed by a
# rule below reaches the LOG rules at the end and is then dropped by the
# chain policy (the LOG target itself never drops anything).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow multicast
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT

# Allow anything on the local link (loopback)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow anything out on LAN
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in
# NOTE(review): only packets conntrack classifies as ESTABLISHED/RELATED
# match here. A segment for a connection conntrack no longer tracks (a late
# RST, or a FIN/ACK arriving after the entry was torn down) is INVALID,
# matches nothing below and ends up at the LOG rule -- consistent with the
# dmesg entries quoted in this mail (RST with WINDOW=0 and ACK FIN to
# DPT=3128, both arriving on br0). A rule such as
# `-A INPUT -m state --state INVALID -j DROP` placed before the LOG rule
# keeps such packets out of the log; confirm against conntrack output before
# relying on this explanation.
-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): there is no ESTABLISHED,RELATED rule for -i eth1 and no
# OUTPUT rule for -o eth1, so with the DROP policies the router's own WAN
# traffic (e.g. Squid fetching from upstream) would be logged and dropped
# unless rules not shown here handle it -- verify against the running ruleset.

# Enable DHCP for LAN
# Matches UDP with both source and destination port in 67-68, regardless of
# conntrack state.
-A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Enable DNS-Cache for LAN
-A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT

# Enable SSH from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Enable HTTP/HTTPS from LAN (some gui interface)
-A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Enable Squid-Proxy from LAN
# Only new connections arriving on br0 are accepted; no rule accepts 3128 on
# eth1, so the proxy port is not reachable from the WAN through this filter.
-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Block STUN
# These two REJECTs must stay above the catch-all FORWARD ACCEPT below:
# rules are evaluated in order and the first terminating match wins.
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
# Block TEREDO
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT

# Allow Forwarding to WAN interface
-A FORWARD -i br0 -o eth1 -j ACCEPT
# Allow established, related packets back through
-A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only the lan is allowed to ping me without restriction
-A INPUT -i br0 -p icmp -j ACCEPT
# Else only pings with restricted icmp are allowed
# ICMP from the WAN beyond 2/sec (burst 4) does not match here and falls
# through to the LOG rule and the DROP policy.
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT

# Enable TRACEroute to me from LAN
-A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Enable TRACEroute to me from internet
# NOTE(review): unlike the ICMP rule above, this WAN-facing rule has no
# `-m limit`; consider applying the same rate limit.
-A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Log all other
# LOG only writes to the kernel log (level 7 = debug) and the packet then
# continues to the chain policy, which drops it. Without `-m limit` on these
# rules a busy interface can flood the kernel ring buffer.
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG  --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG  --log-prefix "IP[OUT]: " --log-level 7

COMMIT
<END /etc/sysconfig/iptables>

and these are some of the logged entries
(only a partial list, as there are many):

<BEGIN dmesg>
[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
[18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0
<END dmesg>

192.168.0.1  is the router itself
192.168.0.10  is a VM running another squid, using the router box as
parent proxy
192.168.0.2   is my windows box

why are these packets blocked?

By the way, the router box of course has more interfaces:
br0 (LAN) and eth1 (WAN). Where can I ensure that squid only listens on
the LAN IP?

<BEGIN squid.conf>
# Clients on the LAN that may use this proxy.
acl localnet src 192.168.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70                # gopher
acl Safe_ports port 1025-65535        # unregistered ports
acl CONNECT method CONNECT

# http_access lines are evaluated top to bottom and the first match decides,
# so the deny rules must stay above the allow rules.
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# NOTE(review): to_localhost is not defined in this excerpt. It is either
# built into this Squid version (built-in since 3.2, if memory serves) or
# defined elsewhere in the file -- confirm for the squid34 build, since an
# undefined ACL name is a fatal configuration error.
http_access deny to_localhost

http_access allow localnet
# localhost is likewise not defined in this excerpt; same caveat as above.
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# and finally allow by default
http_reply_access allow all

# Squid normally listens to port 3128
# Without an address Squid binds this port on every interface, including the
# WAN side (eth1). To listen on the LAN address only, use the address:port
# form, e.g. `http_port 192.168.0.1:3128` (192.168.0.1 is the router's LAN
# address per this mail). The iptables rule that accepts 3128 only on br0 is
# the other layer; keep both.
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
# ufs <dir> <size in MB> <L1 dirs> <L2 dirs>: 16400 MB under /var/spool/squid.
cache_dir ufs /var/spool/squid 16400 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Do not cache CRL downloads -- presumably so revocation data is always
# fetched fresh.
acl crl-mime rep_mime_type application/x-pkcs7-crl
# no_cache is the legacy spelling of the `cache` directive; the current form
# is `cache deny crl-mime` -- check that the squid34 build still accepts the
# old name.
no_cache deny crl-mime

icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors

# Apache "combined"-style access log. The break after %<st is most likely
# mail wrapping; in the file the logformat directive must be a single line.
logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

# refresh_pattern [-i] <regex> <min minutes> <percent> <max minutes>
refresh_pattern ^ftp:                1440        20%        10080
refresh_pattern ^gopher:        1440        0%        1440
refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
refresh_pattern .                0        20%        4320
<END squid.conf>

Thanks,
Walter


