[squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...
Eliezer Croitoru
eliezer at ngtech.co.il
Wed Jul 19 18:03:43 UTC 2017
Hey Walter,
Can you please paste the output of "iptables-save" for me?
It's easier for me to read plain iptables-save then iptables -Lnv or any other format.
Then I would be able to send you a file that you can just pull into iptables-restore which should work.
And just to clear out my doubts on the scenario:
Is the RST packets coming from the gateway(192.168.0.1) but for request from the local proxy(192.168.0.10).
To eliminate couple things, can you test the next rule on the GW:
Iptables -I INPUT -s 192.168.0.10 -j ACCEPT
And see if it changes anything at all?
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Walter H.
Sent: Tuesday, July 18, 2017 15:29
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...
Hello,
my Router Box runs a CentOS 6, with the EPEL squid34 RPM package
this the iptables
<BEGIN /etc/sysconfig/iptables>
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow multicast
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow anything out on LAN
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable DHCP for LAN
-A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT
# Enable DNS-Cache for LAN
-A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT -A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT
# Enable SSH from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Enable HTTP/HTTPS from LAN (some gui interface) -A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT -A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Enable Squid-Proxy from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT
# Block STUN
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT # Block TEREDO -A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT
# Allow Forwarding to WAN interface
-A FORWARD -i br0 -o eth1 -j ACCEPT
# Allow established, related packets back through -A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the lan is allowed to ping me without restriction -A INPUT -i br0 -p icmp -j ACCEPT # Else only pings with restricted icmp are allowed -A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
# Enable TRACEroute to me from LAN
-A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT # Enable TRACEroute to me from internet -A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Log all other
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7 -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7 -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
COMMIT
<END /etc/sysconfig/iptables>
and these are logged entries:
(only partial, as they are many)
<BEGIN dmesg>
[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0 [17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0 [18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0 [18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0 <END dmesg>
192.168.0.1 is the router itself
192.168.0.10 is a VM running another squid, using the router box as parent proxy
192.168.0.2 is my windows box
why are these packets blocked?
by the way the router box has of course more interfaces a br0 (LAN) and eth1 (WAN), where can I ensure that squid only listens to the LAN IP?
<BEGIN squid.conf>
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy http_access deny all
# and finally allow by default
http_reply_access allow all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 16400 16 256
# Leave coredumps in the first cache dir coredump_dir /var/spool/squid
acl crl-mime rep_mime_type application/x-pkcs7-crl no_cache deny crl-mime
icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors
logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh access_log /var/log/squid/access.log combined
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
<END squid.conf>
Thanks,
Walter
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list