
Thursday, July 07, 2005

Re: Re: Iptables, Squid.

I don't know what connection tracking is. I just saw it in another question's reply and I set it up, but it didn't help.
Do you know what ports I should enable for Squid? This is my main problem. Is nobody using a firewall with a proxy at the same time on the same PC?

>
> From: garana@uolsinectis.com.ar
> Date: 2005/07/06 Wed PM 05:53:49 CEST
> To: z.varady@chello.hu
> Subject: Re: Re: Iptables, Squid.
>
>
> Looks like your squid is up (it generates the error message you see on
> IE). If I were you, I would try using 'telnet www.google.com 80' on
> your machine named FIREWALL, and see tcpdump/ethereal/tethereal's
> output. From there it would be quite easy to see where the problem is.
>
> As far as I can tell, you must have connection tracking enabled if you
> are going to use -m state --state blah. Are you using connection
> tracking?
>
> Regards,
>
> --
> Gonzalo A. Arana
> Planning and Development Coordinator
> UOL Sinectis S.A.
> Florida 537 piso 6
> C1005AAK - Buenos Aires
> http://www.uolsinectis.com.ar/
>
>
>
> Quoting z.varady@chello.hu:
>
> > This is the error message in IExplorer
> > --------------------------------------------------
> > ERROR
> > The requested URL could not be retrieved
> >
> >
> >
> > While trying to retrieve the URL: http://www.google.com/
> >
> > The following error was encountered:
> >
> > Connection Failed
> > The system returned:
> >
> > (110) Connection timed out
> > The remote host or network may be down.
> > Please try the request again.
> >
> > Your cache administrator is zvarady@corinthia.hu.
> >
> >
> >
> > Generated Wed, 06 Jul 2005 12:40:41 GMT by FIREWALL (squid/2.5.STABLE9)
> >
> > -----------------------------------------------------------
> >
> > This is my iptables chain list
> > ----------------------------------------------------------
> > # Generated by iptables-save v1.2.11 on Wed Jul 6 14:49:51 2005
> > *nat
> > :PREROUTING ACCEPT [3673:754201]
> > :POSTROUTING ACCEPT [72:4099]
> > :OUTPUT ACCEPT [45:3030]
> > COMMIT
> > # Completed on Wed Jul 6 14:49:51 2005
> > # Generated by iptables-save v1.2.11 on Wed Jul 6 14:49:51 2005
> > *filter
> > :INPUT DROP [5503:490890]
> > :FORWARD DROP [44:2136]
> > :OUTPUT DROP [118:10656]
> > :ipac~fi - [0:0]
> > :ipac~fo - [0:0]
> > :ipac~i - [0:0]
> > :ipac~o - [0:0]
> > -A INPUT -i 127.0.0.1 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
> > -A INPUT -p tcp -m tcp --sport 3128 -j ACCEPT
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --sport 3130 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 3130 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 3130 -j ACCEPT
> > -A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT
> > -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
> > -A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
> > -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
> > -A OUTPUT -o 127.0.0.1 -j ACCEPT
> > -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
> > -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
> > -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > COMMIT
> > # Completed on Wed Jul 6 14:49:51 2005
> > ---------------------------------------------------------
> >
> > I enabled all the traffic for the firewall itself and it is working
> > now, but in this way the firewall is not a firewall for the firewall,
> > just for the LAN, because there are no chains on it, just on the network.
> >
> >
> >
> >
> >>
> >> From: garana@uolsinectis.com.ar
> >> Date: 2005/07/06 Wed PM 02:27:08 CEST
> >> To: z.varady@chello.hu
> >> Subject: Re: Iptables, Squid.
> >>
> >>
> >> Hi,
> >>
> >> I guess this is a question for either netfilter-users or squid-users.
> >>
> >> Anyway, you should post the exact error message you are getting; and
> >> your netfilter configuration (with your real ip addresses stripped)
> >> would be useful to give you any pointers. I guess you are running
> >> iptables and squid in the same machine.
> >>
> >> Squid may complain if it can't resolve its hostname. Usually this is
> >> fixed by modifying /etc/hosts (at least in Linux). This is the format
> >> I use:
> >>
> >> 1.1.1.1 full.host.name short
> >> 127.0.0.1 localhost.localdomain localhost
> >>
> >> where 1.1.1.1 should be your eth0's ip address. If you have more than
> >> one interface, all ip addresses should be listed in /etc/hosts.
> >>
> >> Hope this helps,
> >>
> >> Gonzalo Arana
> >>
> >> Quoting z.varady@chello.hu:
> >> >
> >> >
> >> > Hi all!
> >> >
> >> > What should I do so that Squid and iptables work together?
> >> > If I turn off Squid, the net is working properly with the iptables
> >> > chains. If I turn on Squid, it is down then and there is an error
> >> > message that it can't resolve the IP. I think there is a built-in DNS
> >> > program in Squid or something that can communicate with the world,
> >> > because of iptables which has a DROP default value.
> >> > What ports should I enable in iptables for Squid? I already
> >> > enabled 53 TCP and DNS for the DNS query and it is working
> >> > properly under Windows. I already enabled port 3128 too. But it isn't
> >> > working.
> >> > Could somebody help?
> >> >
> >> > Zozo.
> >> >
> >> >
> >> > --
> >> > To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> >> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> >> >
> >> >
> >> >
> >>
> >>
> >>
> >
>
>
>

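A defender's check for the ruleset posted in this thread, as an added example that is not part of the original messages: it flags the three defects visible in the dump (`-i 127.0.0.1` is not an interface name, accepting on `--sport 3128` alone, and no OUTPUT rule for Squid's own port-80 connections, which is why the firewall-hosted proxy times out while LAN hosts pass through FORWARD) and emits a corrected filter table. It assumes a LAN-facing interface named eth1 and Squid listening on 3128.

```shell
# Added example, not from the thread: audit an iptables-save dump for the defects
# visible in the posted ruleset, then emit a corrected filter table for a box that
# runs Squid (port 3128) with DROP default policies. Assumed: eth1 faces the LAN.
# Constructed sample: the relevant lines of the ruleset posted in the thread.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# audit_rules DUMP: print one finding per line; return 1 if any were found.
audit_rules() {
    found=0
    # -i/-o take an interface name: "-i 127.0.0.1" loads but never matches, so loopback traffic is dropped.
    if printf '%s\n' "$1" | grep -Eq -- '-[io] [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'; then
        echo "loopback rule names an IP, not an interface: use -i lo / -o lo"; found=1
    fi
    # Accepting on --sport alone admits any packet that picks that source port.
    if printf '%s\n' "$1" | grep -Eq -- '^-A INPUT .*--sport [0-9]+ -j ACCEPT'; then
        echo "INPUT accepts by source port only: remove it, RELATED,ESTABLISHED covers replies"; found=1
    fi
    # Squid runs on the firewall, so its fetches are NEW connections in OUTPUT, not FORWARD.
    if ! printf '%s\n' "$1" | grep -Eq -- '^-A OUTPUT .*--dport 80 .*-j ACCEPT'; then
        echo "OUTPUT lacks a rule for Squid's own connections to port 80 (Connection timed out)"; found=1
    fi
    return $found
}

# corrected_rules: minimal table that passes the audit (add 443 the same way as 80).
corrected_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 3128 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}
```

Run `audit_rules "$(iptables-save)"` on the box to check a live ruleset, and `corrected_rules | iptables-restore` only after adjusting the interface name.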
