[squid-users] Squid and iptables
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 10 15:48:35 UTC 2020
Hai,
I'm having a squid 4.10 on Debian 10 running ( with strongswan VPN ) and ufw firewall (iptables)
Most is running fine but i still see some error and i somehow miss here what im doing wrong.
So if someone has suggestions that would be great. I see for example these lines in the UFW log.
Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762249] [UFW AUDIT INVALID] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762308] [UFW BLOCK] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
Now, strange thing here is im allowing my traffic on my lan interface fully, so i dont see/get why i get these INVALID/BLOCK.
Im out of ideas, i looked to much at it, i done see it anymore.. :-(
The needed parts of my squid and iptables (ufw) setup.
ETH0 = LAN 192.168.0.1.0/24 (ip: 192.168.0.1.1/24 )
ETH1 = WAN 1.2.4.4/32
The squid part
# From squid cache.log the needed lines from a start of squid with the lines from squid.conf
# http_port localhost:3128 connection-auth=off
2020/02/10 11:44:13 kid1| Accepting HTTP Socket connections at local=[::1]:3128 remote=[::] FD 17 flags=1
# all requests for and on loclhost are trusted, so fully allowed withouth authenticationn.
# http_port 192.168.249.221:3128 intercept ( no-authentication possbible on intercept )
2020/02/10 11:44:13 kid1| Accepting NAT intercepted HTTP Socket connections at local=192.168.0.1.1:3128 remote=[::] FD 21 flags=33
# https_port 192.168.249.221:3129 intercept ssl-bump \ .. (plus the cert - key parts, not relevant this works ).
2020/02/10 11:44:13 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=192.168.0.1.1:3129 remote=[::] FD 25 flags=33
# Non-proxy aware (with authentication)
# http_port 192.168.249.221:8080
2020/02/10 11:44:13 kid1| Accepting HTTP Socket connections at local=192.168.0.1.1:8080 remote=[::] FD 29 flags=1
# http_port 192.168.249.221:8081 ssl-bump \ .. (plus the cert - key parts, not relevant this works ).
2020/02/10 11:44:13 kid1| Accepting SSL bumped HTTP Socket connections at local=192.168.0.1.1:8081 remote=[::] FD 37 flags=1
# Generated by xtables-save v1.8.2 on Mon Feb 10 15:16:26 2020
*filter
:INPUT DROP [213:54000]
:FORWARD ACCEPT [704:28436]
:OUTPUT ACCEPT [57:19155]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -s 10.1.2.00/24 -d 192.168.0.1.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.1.0/24 -d 10.1.2.00/24 -o eth1 -m policy --dir out --pol ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -s 192.168.0.1.0/24 -m policy --dir in --pol ipsec --proto esp -m comment --comment "IN Strongswan-IpsecPol" -j ACCEPT
-A ufw-before-forward -d 192.168.0.1.0/24 -m policy --dir out --pol ipsec --proto esp -m comment --comment "OUT Strongswan-IpsecPol" -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-user-input -s 192.168.0.1.0/24 -j ACCEPT
-A ufw-user-input -i eth1 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A ufw-user-input -d 1.2.4.4/32 -i eth1 -p esp -j ACCEPT
-A ufw-user-input -d 1.2.4.4/32 -i eth1 -p ah -j ACCEPT
-A ufw-user-input -i eth0 -p udp -m multiport --dports 80,443 -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Mon Feb 10 15:16:26 2020
# Generated by xtables-save v1.8.2 on Mon Feb 10 15:16:26 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -m comment --comment "Squid-Intercept 443->3129" -j REDIRECT --to-ports 3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -m comment --comment "Squid-Intercept 80->3128" -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.1.0/24 -o eth1 -m policy --dir out --pol ipsec -m comment --comment "StrongSwan-IpsecPol-Masq eth1 " -j ACCEPT
-A POSTROUTING -s 192.168.0.1.0/24 -o eth1 -m comment --comment "IP-Masq Lan via eth1" -j MASQUERADE
COMMIT
# Completed on Mon Feb 10 15:16:26 2020
# Generated by xtables-save v1.8.2 on Mon Feb 10 15:16:26 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -s 192.168.0.1.0/24 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -m comment --comment "Strongswan-IpsecPol Lower MTU" -j TCPMSS --set-mss 1360
COMMIT
# Completed on Mon Feb 10 15:16:26 2020
Thanks for looking at it..
I hope someone see what im doing wrong here..
Greetz,
Louis
More information about the squid-users
mailing list