Thursday, August 02, 2007

Re: Iptables + Squid

On 2007-08-02 Harlei Liguori wrote:
> 2007/8/2, Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>:
>> On 2007-08-02 Harlei Liguori wrote:
>>> I'm trying to configure the iptables rules on a server running squid,
>>> but I dunno how to do it...
>>
>> One way would be to start by reading those fine manuals.
>>
>> http://www.tldp.org/HOWTO/Firewall-HOWTO.html
>> http://www.tldp.org/HOWTO/TransparentProxy.html
>>
>>> My squid proxy is running on port 3128... I tried to allow TCP
>>> port 3128 and drop all other ports, but it does not work... I was
>>> thinking about name resolution; then I must allow the correct
>>> port, but I dunno which... and I dunno if I need to allow other
>>> ports to configure this firewall on this proxy server... can someone
>>> help me to do it?
>>
>> Another way would be to post your current ruleset, so people could
>> hazard a guess about where you went wrong.

First of all: don't top-post. I fixed your quoting this time, I will not
reply to another top-post.

> My current rule set test is:
>
> #!/bin/bash
>
> ### Allow internal network ###
> iptables -A INPUT -s 10.15.192.0/22 -p tcp --dport 3128 -j ACCEPT
>
> ### Allow SSH access ###
> iptables -A INPUT -s 10.15.192.7 -p tcp --dport 22 -j ACCEPT
>
> ### Block all other access ###
> iptables -A INPUT -j DROP
> iptables -A FORWARD -j DROP
>
> It is only meant to allow access on TCP port 3128 and the SSH port
> 22 and drop all other ports, but it does not work...

Your ruleset is very incomplete, to say the least. Also, those are not
the rules currently active on your system (you get those by issuing the
command "iptables -nL").

- You don't set default policies.
- You don't delete user-defined chains.
- You don't clear the default chains.

Start with this:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -X
iptables -F

These five lines will bring the packet filter (the "filter" table, to be
precise) to a well-defined state from where you can start building your
ruleset.

Next add the access rules. You may want to specify the interface as well
as use stateful filtering.

iptables -A INPUT -i $INT_IF -p tcp -s 10.15.192.0/22 --dport 3128 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -i $INT_IF -p tcp -s 10.15.192.7 --dport 22 \
-m state --state NEW -j ACCEPT

Outgoing traffic related to these connections is already covered by the
default policy of the OUTPUT chain (ACCEPT).

As Bart-Jan already mentioned, you may want to allow certain ICMP types,
and you definitely should allow inbound RELATED traffic (e.g. for DNS):

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Do you want the box to be a transparent proxy? If so: read the HOWTOs I
mentioned before. It's all covered there.

Should the box do IP-forwarding, too (i.e. be a router for your LAN)?

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
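Putting the advice in this reply together as one complete script (an added example, not from the original mail; it assumes the LAN sits on eth0, that loopback traffic and LAN echo-requests should be accepted, and that setting IPT to "echo iptables" previews the rules instead of installing them):

```shell
#!/bin/sh
# Added example assembling the full filter-table ruleset described in the reply.
# Assumptions not in the original mail: LAN interface eth0, loopback allowed,
# LAN may ping the box, IPT="echo iptables" previews instead of installing.
INT_IF="${INT_IF:-eth0}"
LAN_NET="10.15.192.0/22"
ADMIN_HOST="10.15.192.7"
IPT="${IPT:-iptables}"

build_ruleset() {
    # 1. Well-defined starting state: policies first, then drop user chains, then flush.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -X
    $IPT -F

    # 2. Loopback: squid and the resolver talk to the local host (assumption).
    $IPT -A INPUT -i lo -j ACCEPT

    # 3. Replies to connections this box opened (DNS answers, upstream HTTP fetches)
    #    and related packets such as ICMP errors for those connections.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. New connections explicitly served: squid from the LAN, SSH from the admin host.
    $IPT -A INPUT -i "$INT_IF" -p tcp -s "$LAN_NET" --dport 3128 \
        -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p tcp -s "$ADMIN_HOST" --dport 22 \
        -m state --state NEW -j ACCEPT

    # 5. One of the ICMP types worth allowing: echo-request from the LAN (assumption).
    $IPT -A INPUT -i "$INT_IF" -p icmp --icmp-type echo-request -s "$LAN_NET" -j ACCEPT
    # Everything else hits the INPUT policy (DROP); FORWARD stays DROP because
    # the box is not routing for the LAN.
}

# Self-check helper: number of rules that open a port to NEW TCP connections.
count_new_accepts() {
    ( IPT="echo iptables"; build_ruleset ) | grep -c -- '--state NEW -j ACCEPT'
}

# `sh squid-fw.sh apply` installs the rules; prefix IPT="echo iptables" to preview.
if [ "${1:-}" = "apply" ]; then
    build_ruleset
fi
```

After applying, compare the live state with `iptables -nL` to confirm the policies and the rule order match what the script printed in preview mode.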

