Try running "netstat -nlp --inet" as root and see what process is binding to port 80. BTW, I have done a similar thing with firewalling before, and used DNAT instead of SNAT, and it took about 4 lines of firewalling code. Let me know if you would like to see how I did it.
- Caleb

Navneet wrote:
>hi list,
>
>I require further co-operation from your side.
>
>Squid Server is serving as Proxy server, Gateway & Firewall
>
>Problem: Squid daemon dies at startup.
>
>Here is the log output of /var/log/messages:
>
>Feb 12 09:15:25 squid squid[3652]: Squid Parent: child process 3654 started
>Feb 12 09:15:25 squid (squid): Cannot open HTTP Port
>Feb 12 09:15:29 squid squid[3720]: Squid Parent: child process 3722 exited due to signal 6
>Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 started
>Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 exited with status 1
>Feb 12 09:15:33 squid (squid): Cannot open HTTP Port
>
>Why is my iptables rule blocking squid from opening the HTTP port?
>
>Note: the existing rules are attached at the end of the mail.
>
>Since the process will not die if I disable/flush my rules?
>
>Squid is being started from /etc/rc.local
>
>Where am I making mistakes?
>
>Please suggest, since it's causing a startup hiccup.
>
>Thanks & regards,
>
>Navneet Choudhary
>
>
>
>Updates & quick recap
>
>1. Basically I want clients to be able to:
>
> a) Send and receive mail from mail.ISP.net [X.X.X.X] and sometimes from X.X.X.X
>    Status: Working
> b) Browse the net through squid [3128]
>    Status: Working
> c) Use Jabber [??], MSN [1863] and Yahoo [5050]
>    Status: Working
> d) Download and upload data using ftp from X.X.X.X & X.X.X.X
>    Status: Working
> e) Download and upload data using SONICMQ [IP & Port?]
>    Status: Require HELP
> f) Allow SSH connection to this system [eth0].
>    Status: Working
> g) We can ping/trace route by domain name, i.e. ping yahoo.com
>    Status: Working
>
>2. What I am using:
>
>My network configuration is as follows:
>
>                 WAN
>                  |
>                 eth1
>           (172.21.0.133/28)
>                  |
>              Red Hat 9
>   [Squid Proxy, Gateway, firewall & FTP]
>                  |
>           (192.168.0.0/16)
>                 eth0
>                  |
>           ---- SWITCH ----
>                  |
>                 LAN
>
>where:
>eth0 - Intel Corp. 82557/8/9 [Ethernet Pro 100]
>eth1 - Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet
>
>Kernel 2.4.20-8
>
>iptables v1.2.7a
>
>3. What I have done:
>
>a) Enabled IP forwarding by adding
>vi /etc/sysctl.conf
>
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
>
>b) Automatic loading of modules by adding
>vi /etc/rc.local
>
> /sbin/insmod ip_nat_ftp
> /sbin/insmod ip_conntrack_ftp
>
>c) Firewall rules as follows:
>
># Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
>*mangle
>:PREROUTING ACCEPT [1308:428675]
>:INPUT ACCEPT [1308:428675]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [1273:553710]
>:POSTROUTING ACCEPT [1273:553710]
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>COMMIT
># Completed on Thu Feb 10 20:02:43 2005
># Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
>*nat
>:PREROUTING ACCEPT [10233:846887]
>:POSTROUTING ACCEPT [71:4821]
>:OUTPUT ACCEPT [67:4688]
>-A POSTROUTING -s 133.147.0.0/255.255.0.0 -o eth1 -j SNAT --to-source 172.21.0.132
>COMMIT
># Completed on Thu Feb 10 20:02:43 2005
># Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
>*filter
>:INPUT DROP [0:0]
>:FORWARD DROP [0:0]
>:OUTPUT DROP [0:0]
>-A INPUT -s 127.0.0.1 -j ACCEPT
>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>-A INPUT -p udp -j DROP
>-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
>-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
>-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>-A FORWARD -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 1863 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 5050 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
>-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
>-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
>-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 443 --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
>-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
>COMMIT
># Completed on Thu Feb 10 20:02:43 2005

-----------------------------------------------------------------
To get off this list, send email to [EMAIL PROTECTED] with
Subject: unsubscribe
-----------------------------------------------------------------
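Caleb's check, as an added example that is not code from either poster: a POSIX shell script that parses `netstat -nlp --inet` output to find which process already owns a listening TCP port, and cross-checks that against the ports Squid is configured to bind in squid.conf. The netstat sample, the squid.conf fragment, the PIDs and the program names are constructed for the example; the `port_owner`, `squid_ports`, `diagnose_port` and `check_squid_conf` function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: find the process that already
# owns a listening TCP port (the `netstat -nlp --inet` check) and
# cross-check it against the ports Squid is configured to bind.

# Constructed sample of `netstat -nlp --inet` output as root. PIDs and
# program names are made up for the example.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/httpd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      3654/(squid)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      845/sendmail
udp        0      0 0.0.0.0:3130            0.0.0.0:*                           3654/(squid)'

# Constructed squid.conf fragment: Squid told to bind port 80.
SAMPLE_SQUID_CONF='# constructed squid.conf fragment
http_port 80
icp_port 3130
cache_dir ufs /var/spool/squid 100 16 256'

# port_owner PORT: read netstat output on stdin and print the PID/Program
# field of the TCP listener on PORT. Exit 0 if one was found, 1 otherwise.
port_owner() {
    awk -v port="$1" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":")          # Local Address is addr:port
            if (a[n] == port) { print $7; found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# squid_ports: read squid.conf on stdin and print one port per http_port
# line; an optional "host:" prefix and trailing options are dropped.
squid_ports() {
    awk '$1 == "http_port" { n = split($2, a, ":"); print a[n] }'
}

# diagnose_port PORT: print "free" or "taken:<PID/Program>" for the netstat
# output on stdin. No iptables rule changes this answer: netfilter drops
# packets, it cannot make bind(2) fail.
diagnose_port() {
    if owner=$(port_owner "$1"); then
        printf 'taken:%s\n' "$owner"
    else
        printf 'free\n'
    fi
}

# check_squid_conf NETSTAT_TEXT: for each http_port in the squid.conf read
# on stdin, report whether the port is free or who holds it.
check_squid_conf() {
    netstat_out=$1
    squid_ports | while read -r p; do
        printf 'http_port %s: %s\n' "$p" \
            "$(printf '%s\n' "$netstat_out" | diagnose_port "$p")"
    done
}

# Stand-alone run: the constructed sample reproduces the thread's symptom
# (Squid wants 80, httpd already holds it), then the live box if netstat
# and squid.conf are present (run as root, or the PID/Program column is blank).
printf '%s\n' "$SAMPLE_SQUID_CONF" | check_squid_conf "$SAMPLE_NETSTAT"
if command -v netstat >/dev/null 2>&1 && [ -r /etc/squid/squid.conf ]; then
    live_netstat=$(netstat -nlp --inet 2>/dev/null) || true
    check_squid_conf "$live_netstat" </etc/squid/squid.conf
fi
```

The point of the cross-check is the one the flush test in the question already hints at: a bind failure like "Cannot open HTTP Port" survives `iptables -F` because netfilter only decides what happens to packets after the socket exists. If the port is reported as taken, that process (on a stock Red Hat 9 box, typically an Apache httpd on 80) has to be stopped or Squid's `http_port` moved. Note also that the posted INPUT chain only accepts new connections on 3128, 22, 21 and 20 from eth0, so a Squid bound to port 80 would be unreachable from the LAN even once it starts; the `http_port` and the INPUT rule have to agree.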
