[squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

Eliezer Croitoru eliezer at ngtech.co.il
Wed Jul 19 19:47:47 UTC 2017


Hey Walter,

Something is still missing to me about the network and network interfaces.
I need the output of:
ip a
brctl show br0

And try to apply the next iptables rules to see if it works OK for you:
http://ngtech.co.il/paste/1782/raw/

From what I understand the proxy is just another machine in the network, so I do not understand what the br0 is for and what eth1 is...
If eth1 is under br0 you should not apply any rules on eth1 and should remove any IP address from eth1.
Also the FORWARD rules should not be required unless you are using the squid machine as a gateway, and from your description that is not the goal, so a simple DROP all should be fine.
Also, if you have followed some tutorial to set up your iptables and/or squid, it will help me to see these, since for squid as far as I know you don't need:
-A INPUT -d 224.0.0.0/4 -j ACCEPT

Or similar rules.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: Walter H. [mailto:Walter.H at mathemainzel.info] 
Sent: Wednesday, July 19, 2017 21:38
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

Hello Eliezer,

it is just this:

# Generated by iptables-save v1.4.7 on Wed Jul 19 20:25:22 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p icmp -j ACCEPT
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3478 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3544 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
COMMIT
# Completed on Wed Jul 19 20:25:22 2017

Walter

On 19.07.2017 20:03, Eliezer Croitoru wrote:
> Hey Walter,
>
> Can you please paste the output of "iptables-save" for me?
> It's easier for me to read plain iptables-save than iptables -Lnv or any other format.
> Then I would be able to send you a file that you can just pull into iptables-restore which should work.
>
> And just to clear out my doubts on the scenario:
> Are the RST packets coming from the gateway (192.168.0.1) but for requests from the local proxy (192.168.0.10)?
> To eliminate a couple of things, can you test the next rule on the GW:
> iptables -I INPUT -s 192.168.0.10 -j ACCEPT
>
> And see if it changes anything at all?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Walter H.
> Sent: Tuesday, July 18, 2017 15:29
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...
>
> Hello,
>
> my router box runs CentOS 6, with the EPEL squid34 RPM package
>
> this is the iptables
> <BEGIN /etc/sysconfig/iptables>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
>
> # Allow multicast
> -A INPUT -d 224.0.0.0/4 -j ACCEPT
> -A OUTPUT -d 224.0.0.0/4 -j ACCEPT
>
> # Allow anything on the local link
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
>
> # Allow anything out on LAN
> -A OUTPUT -o br0 -j ACCEPT
> # Allow established, related packets back in
> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Enable DHCP for LAN
> -A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT
>
> # Enable DNS-Cache for LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT
>
> # Enable SSH from LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> # Enable HTTP/HTTPS from LAN (some gui interface)
> -A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
> -A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT
>
> # Enable Squid-Proxy from LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT
>
> # Block STUN
> -A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
> # Block TEREDO
> -A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT
>
> # Allow Forwarding to WAN interface
> -A FORWARD -i br0 -o eth1 -j ACCEPT
> # Allow established, related packets back through
> -A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Only the lan is allowed to ping me without restriction
> -A INPUT -i br0 -p icmp -j ACCEPT
> # Else only pings with restricted icmp are allowed
> -A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
>
> # Enable TRACEroute to me from LAN
> -A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
> # Enable TRACEroute to me from internet
> -A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
>
> # Log all other
> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
>
> COMMIT
> <END /etc/sysconfig/iptables>
>
> and these are logged entries:
> (only partial, as they are many)
>
> <BEGIN dmesg>
> [17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
> [17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
> [18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
> [18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0
> <END dmesg>
>
> 192.168.0.1  is the router itself
> 192.168.0.10  is a VM running another squid, using the router box as parent proxy
> 192.168.0.2   is my windows box
>
> why are these packets blocked?
>
> by the way, the router box has of course more interfaces, a br0 (LAN) and eth1 (WAN); where can I ensure that squid only listens on the LAN IP?
>
> <BEGIN squid.conf>
> acl localnet src 192.168.0.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80                # http
> acl Safe_ports port 21                # ftp
> acl Safe_ports port 443                # https
> acl Safe_ports port 70                # gopher
> acl Safe_ports port 1025-65535        # unregistered ports
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> http_access deny to_localhost
>
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # and finally allow by default
> http_reply_access allow all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/spool/squid 16400 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> acl crl-mime rep_mime_type application/x-pkcs7-crl
> no_cache deny crl-mime
>
> icon_directory /usr/share/squid/icons
> error_directory /etc/squid/errors
>
> logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access.log combined
>
> refresh_pattern ^ftp:                1440        20%        10080
> refresh_pattern ^gopher:        1440        0%        1440
> refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
> refresh_pattern .                0        20%        4320
> <END squid.conf>
>
> Thanks,
> Walter
>
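Editor's added example, not part of the thread and not Walter's or Eliezer's code: a small Python parser for the kernel netfilter LOG lines in the dmesg excerpt above, with a classifier for why a packet arriving on br0 can still reach the trailing LOG rule although an ACCEPT for RELATED,ESTABLISHED sits above it. The reasoning it encodes is standard conntrack behaviour: a TCP segment without SYN only matches `--state ESTABLISHED` if conntrack still holds the flow, so a RST or FIN/ACK for a connection conntrack has already closed or timed out is in state INVALID and falls through every ESTABLISHED rule. The first three sample lines are copied from Walter's dmesg (timestamps dropped); the fourth is constructed to exercise the SYN branch. The set of `--state NEW` ports is read off the posted ruleset and is an assumption about which rules are loaded.

```python
import re
from collections import Counter

# Netfilter LOG lines. The first three are copied from the dmesg excerpt in
# the thread ("IP[IN]: " is the --log-prefix used there); the fourth is
# CONSTRUCTED to show a fresh SYN to a port with no '--state NEW' rule.
SAMPLE_LOG = """\
IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0
IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28800 DF PROTO=TCP SPT=1220 DPT=3129 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# TCP ports with an explicit '-m state --state NEW -j ACCEPT' on br0 in the
# posted ruleset. Assumption: that ruleset is what is actually loaded.
ALLOWED_NEW_TCP = {22, 53, 80, 443, 3128}

# Bare flag tokens the LOG target emits after RES=; DF is an IP flag, not TCP.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_nflog(line):
    """Turn one LOG line into a dict of KEY=VALUE fields plus a 'flags' set."""
    rec = dict(KV_RE.findall(line))
    rec["flags"] = set(line.split()) & TCP_FLAGS
    return rec


def classify(rec, allowed_new=ALLOWED_NEW_TCP):
    """Explain why this packet reached the LOG rule instead of an ACCEPT.

    new-no-rule            SYN to a port without a '--state NEW' ACCEPT: logging
                           it is the intended behaviour of the ruleset.
    new-allowed-unexpected SYN to a port that does have a NEW rule: points at
                           rule order or an interface mismatch, not at conntrack.
    stray-invalid          no SYN (RST, FIN/ACK, late ACK/PSH): conntrack has
                           no entry for the flow any more, so the packet is
                           INVALID and no '--state ESTABLISHED' rule matches.
    other                  non-TCP; out of scope for this check.
    """
    if rec.get("PROTO") != "TCP":
        return "other"
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        dport = int(rec["DPT"])
        return "new-allowed-unexpected" if dport in allowed_new else "new-no-rule"
    return "stray-invalid"


def summarize(log_text):
    """Count each classification over a block of LOG lines."""
    counts = Counter()
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        counts[classify(parse_nflog(line))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_nflog(line)
        print(f"{rec['SRC']}:{rec['SPT']} -> {rec['DST']}:{rec['DPT']} "
              f"{sorted(rec['flags'])} => {classify(rec)}")
    print(summarize(SAMPLE_LOG))
```

All three logged packets from the thread come out as stray-invalid: two RSTs from the VM proxy and a FIN/ACK pair from the Windows box, none with SYN, all to port 3128 where a NEW rule exists. The usual way to keep such late segments out of the log is a silent drop ahead of the LOG rule, e.g. `-A INPUT -m state --state INVALID -j DROP` (or `-m conntrack --ctstate INVALID` on newer kernels), and `conntrack -L` on the router shows whether a given flow is still tracked. Walter's second question, binding squid to the LAN address only, is a squid.conf matter rather than an iptables one: `http_port 192.168.0.1:3128` makes squid listen on that address alone.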




