[squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

Walter H. Walter.H at mathemainzel.info
Wed Jul 19 18:37:53 UTC 2017


Hello Eliezer,

it is just this:

# Generated by iptables-save v1.4.7 on Wed Jul 19 20:25:22 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p icmp -j ACCEPT
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3478 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3544 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
COMMIT
# Completed on Wed Jul 19 20:25:22 2017

Walter

On 19.07.2017 20:03, Eliezer Croitoru wrote:
> Hey Walter,
>
> Can you please paste the output of "iptables-save" for me?
> It's easier for me to read plain iptables-save than iptables -Lnv or any other format.
> Then I would be able to send you a file that you can just pull into iptables-restore which should work.
>
> And just to clear out my doubts on the scenario:
> Are the RST packets coming from the gateway (192.168.0.1) but for requests from the local proxy (192.168.0.10)?
> To eliminate a couple of things, can you test the next rule on the GW:
> iptables -I INPUT -s 192.168.0.10 -j ACCEPT
>
> And see if it changes anything at all?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Walter H.
> Sent: Tuesday, July 18, 2017 15:29
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...
>
> Hello,
>
> my router box runs CentOS 6, with the EPEL squid34 RPM package
>
> this is the iptables
> <BEGIN /etc/sysconfig/iptables>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
>
> # Allow multicast
> -A INPUT -d 224.0.0.0/4 -j ACCEPT
> -A OUTPUT -d 224.0.0.0/4 -j ACCEPT
>
> # Allow anything on the local link
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
>
> # Allow anything out on LAN
> -A OUTPUT -o br0 -j ACCEPT
> # Allow established, related packets back in
> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Enable DHCP for LAN
> -A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT
>
> # Enable DNS-Cache for LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT
>
> # Enable SSH from LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> # Enable HTTP/HTTPS from LAN (some gui interface)
> -A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
> -A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT
>
> # Enable Squid-Proxy from LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT
>
> # Block STUN
> -A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
>
> # Block TEREDO
> -A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT
>
> # Allow Forwarding to WAN interface
> -A FORWARD -i br0 -o eth1 -j ACCEPT
> # Allow established, related packets back through
> -A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Only the lan is allowed to ping me without restriction
> -A INPUT -i br0 -p icmp -j ACCEPT
> # Else only pings with restricted icmp are allowed
> -A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
>
> # Enable TRACEroute to me from LAN
> -A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
>
> # Enable TRACEroute to me from internet
> -A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
>
> # Log all other
> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
>
> COMMIT
> <END /etc/sysconfig/iptables>
>
> and these are logged entries:
> (only partial, as they are many)
>
> <BEGIN dmesg>
> [17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
> [17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
> [18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
> [18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0
> <END dmesg>
>
> 192.168.0.1  is the router itself
> 192.168.0.10  is a VM running another squid, using the router box as parent proxy
> 192.168.0.2   is my windows box
>
> why are these packets blocked?
>
> By the way, the router box has of course more interfaces, br0 (LAN) and eth1 (WAN); where can I ensure that squid only listens on the LAN IP?
>
> <BEGIN squid.conf>
> acl localnet src 192.168.0.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80                # http
> acl Safe_ports port 21                # ftp
> acl Safe_ports port 443                # https
> acl Safe_ports port 70                # gopher
> acl Safe_ports port 1025-65535        # unregistered ports
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> http_access deny to_localhost
>
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # and finally allow by default
> http_reply_access allow all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/spool/squid 16400 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> acl crl-mime rep_mime_type application/x-pkcs7-crl
> no_cache deny crl-mime
>
> icon_directory /usr/share/squid/icons
> error_directory /etc/squid/errors
>
> logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access.log combined
>
> refresh_pattern ^ftp:                1440        20%        10080
> refresh_pattern ^gopher:        1440        0%        1440
> refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
> refresh_pattern .                0        20%        4320
> <END squid.conf>
>
> Thanks,
> Walter
>



