Well, apparently it is not resolved. Remove the DROP rules and check that the workstations can resolve with apt-get update. I recommend you do not work with interfaces, because you can get confused; something basic would be this:

for u in INPUT FORWARD OUTPUT; do iptables -A $u -m state --state RELATED,ESTABLISHED -j ACCEPT; done
LAN=192.168.100.0/24
IPSQUID=192.168.100.2
iptables -N PERMITS-SQUID
iptables -N PERMITS-SSH
iptables -N PERMITS-DNS
iptables -N PERMITS-WEB
iptables -N PERMITS-WEB-SSL
# DNAT only exists in the nat table, so the PREROUTING rule needs -t nat
iptables -t nat -A PREROUTING -s $LAN -p tcp -m tcp --dport 80 -j DNAT --to-destination $IPSQUID:3128
iptables -A INPUT -p tcp -m tcp --dport 3128 -j PERMITS-SQUID
iptables -A INPUT -p tcp -m tcp --dport 22 -j PERMITS-SSH
iptables -A FORWARD -p udp -m udp --dport 53 -j PERMITS-DNS
iptables -A FORWARD -p tcp -m tcp --dport 80 -j PERMITS-WEB
iptables -A FORWARD -p tcp -m tcp --dport 443 -j PERMITS-WEB-SSL
iptables -A OUTPUT -p udp -m udp --dport 53 -j PERMITS-DNS
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j PERMITS-WEB
# here it could be tied more strictly to the MAC of each workstation
iptables -A PERMITS-SSH -d $IPSQUID -p tcp -m tcp --sport 1024: --dport 22 -m state --state NEW -m comment --comment "SSH INPUT" -j ACCEPT
iptables -A PERMITS-SQUID -s $LAN -d $IPSQUID -p tcp -m tcp --sport 1024: --dport 3128 -m state --state NEW -j ACCEPT
iptables -A PERMITS-DNS -s $LAN -p udp -m udp --dport 53 -j ACCEPT
iptables -A PERMITS-WEB -s $LAN -p tcp -m tcp --sport 1024: --dport 80 -m state --state NEW -j ACCEPT
iptables -A PERMITS-WEB-SSL -s $LAN -p tcp -m tcp --sport 1024: --dport 443 -m state --state NEW -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

-----Original Message-----
From: Joakim Seeberg [mailto:[email protected]]
Sent: Monday, 08 November 2010 06:25 p.m.
To: [email protected]
Subject: apt fails behind transparent proxy

Hi,

I have a Debian lenny server that I use as a transparent proxy with a web filter. For this I use an iptables script, squid3 and squidguard. With lenny workstations apt-get update often fails, but this never happens with squeeze workstations. All workstations get their IP address and DNS from the DHCP server.
The transparent proxy works as expected when browsing. The iptables script is from a howto, so my question is whether anything in the script explains the apt-get behaviour. The apt-get update errors are (from memory):

could not resolve "debian-mirror-hostname"
could not download "debian-mirror-hostname" Release.gpg

The sources.list contains several mirrors (backports, multimedia, security, ...), but only some fail, and not the same ones every time I run apt-get update.

#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

-- 
To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
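Added example, not code from either message in the thread: an interface-free transparent-proxy rule set in the spirit of the reply above, generated as one iptables argument list per line, plus a small lint that rejects any rule using a nat-only target (DNAT, SNAT, MASQUERADE, REDIRECT) without `-t nat`, since iptables refuses such a rule and a script that trips over it leaves a half-loaded policy. The network, proxy address and port are assumptions copied from the reply's script; the `lo` rule is the only interface reference. It runs as a dry run by default (`IPT="echo iptables"` prints the commands) so it can be executed without root.

```shell
#!/bin/sh
# Added example (not from either poster): interface-free transparent-proxy rules
# with a pre-flight lint. Addresses and ports are assumptions taken from the reply.
# Dry run by default; run as root with IPT=iptables to apply for real.

LAN=${LAN:-192.168.100.0/24}        # workstation network (assumed)
IPSQUID=${IPSQUID:-192.168.100.2}   # gateway that also runs squid (assumed)
SQUID_PORT=${SQUID_PORT:-3128}
IPT=${IPT:-"echo iptables"}

# One iptables argument list per line. The DNAT excludes connections whose
# destination is the gateway itself, so a LAN client talking to port 80 on the
# gateway is not bounced into squid. TCP 53 is allowed next to UDP 53 because
# resolvers retry over TCP when an answer does not fit in a UDP datagram.
gen_rules() {
    cat <<EOF
-t nat -A PREROUTING -s $LAN ! -d $IPSQUID -p tcp --dport 80 -j DNAT --to-destination $IPSQUID:$SQUID_PORT
-t nat -A POSTROUTING -s $LAN -j MASQUERADE
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $LAN -d $IPSQUID -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT
-A INPUT -s $LAN -d $IPSQUID -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $LAN -p udp --dport 53 -j ACCEPT
-A FORWARD -s $LAN -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -s $LAN -p tcp --dport 443 -m state --state NEW -j ACCEPT
-P INPUT DROP
-P FORWARD DROP
EOF
}

# Read rules on stdin; print each rule that names a nat-only target without
# "-t nat" and fail if there was at least one.
lint_rules() {
    bad=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        for target in DNAT SNAT MASQUERADE REDIRECT; do
            case " $rule " in
                *" -j $target "*)
                    case " $rule " in
                        *" -t nat "*) ;;
                        *) echo "BAD: $target outside the nat table: $rule"; bad=$((bad + 1)) ;;
                    esac ;;
            esac
        done
    done
    [ "$bad" -eq 0 ]
}

# Lint first, then hand every line to $IPT (echo in the dry run, iptables for real).
apply_rules() {
    gen_rules | lint_rules || return 1
    gen_rules | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # word splitting of $rule into separate iptables arguments is intended
        $IPT $rule
    done
}

apply_rules
```

With `IPT=iptables` the same script applies the policy; the lint is what would have caught a PREROUTING DNAT rule issued without `-t nat` before any rule had been loaded. The policy still leaves OUTPUT at ACCEPT, as the howto script does, so squid's own fetches and the gateway's resolver are unaffected.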

