Okay, let's give this another try... I, after reading this again, realized that you are probably not trying to do transparent proxying. That is fine. However, you have the weirdest firewall script I have seen in a while. Your problem is that you are trying to use this "--source-port 1024:65535" in your rules. This is binding to all ports from 1024 to 65535, and thus disallowing squid to bind to its normal port (probably 3128). Hence you are having this problem. I would suggest that you use a simpler firewall script without all of these "--source-port 1024:65535" things in it, unless you know exactly why you are using them.
- Caleb.

Caleb Jorden wrote:
>Try running "netstat -nlp --inet" as root and see what process is
>binding to port 80. BTW, I have done a similar thing with firewalling
>before, and used DNAT instead of SNAT, and it took about 4 lines of
>firewalling code. Let me know if you would like to see how I did it.
>
>- Caleb
>
>
>Navneet wrote:
>
>
>>hi list,
>>
>>I require further co-operation from your side.
>>
>>Squid Server is serving as Proxy server, Gateway & Firewall
>>
>>Problem:
>>Squid daemon dies at startup.
>>
>>Here is log output of /var/log/messages
>>
>>Feb 12 09:15:25 squid squid[3652]: Squid Parent: child process 3654 started
>>Feb 12 09:15:25 squid (squid): Cannot open HTTP Port
>>Feb 12 09:15:29 squid squid[3720]: Squid Parent: child process 3722 exited due to signal 6
>>Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 started
>>Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 exited with status 1
>>Feb 12 09:15:33 squid (squid): Cannot open HTTP Port
>>
>>Why is my iptables rule blocking squid from opening the HTTP port?
>>
>>Note: existing rules are attached at the end of the mail.
>>
>>Since the process will not die if I disable/flush my rules?
>>
>>Squid is being started from /etc/rc.local
>>
>>Where am I making mistakes?
>>
>>Please suggest, since it's causing a startup hiccup.
>>
>>Thanks & regards,
>>
>>Navneet Choudhary
>>
>>
>>
>>Updates & quick recap
>>
>>1. Basically I want clients to be able to:
>>
>>   a) Send and receive mails from mail.ISP.net [X.X.X.X] and sometimes from X.X.X.X
>>      Status: Working
>>   b) Browse the net through squid [3128]
>>      Status: Working
>>   c) Use Jabber [??], MSN [1863] and Yahoo [5050]
>>      Status: Working
>>   d) Down and upload data using ftp from X.X.X.X & X.X.X.X
>>      Status: Working
>>   e) Down and upload data using SONICMQ [IP & Port?]
>>      Status: Require HELP
>>   f) Allow SSH connection to this system [eth0].
>>      Status: Working
>>   g) We can ping/trace route by domain name, i.e. ping yahoo.com
>>      Status: Working
>>
>>2. What am I using?
>>
>>My network configuration is as follows:
>>
>>                 WAN
>>                  |
>>                 eth1
>>           (172.21.0.133/28)
>>                  |
>>               Red Hat 9
>>   [Squid Proxy, Gateway, firewall & FTP]
>>                  |
>>           (192.168.0.0/16)
>>                 eth0
>>                  |
>>         ---- SWITCH ----------
>>            |      |      |
>>                 LAN
>>
>>where:
>>eth0 - Intel Corp. 82557/8/9 [Ethernet Pro 100]
>>eth1 - Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet
>>
>>Kernel 2.4.20-8
>>
>>iptables v1.2.7a
>>
>>3. What I have done:
>>
>>a) Enabled IP forwarding by adding
>>vi /etc/sysctl.conf
>>
>># Controls IP packet forwarding
>>net.ipv4.ip_forward = 1
>>
>>b) Automatic loading of modules by adding
>>vi /etc/rc.local
>>
>>/sbin/insmod ip_nat_ftp
>>/sbin/insmod ip_conntrack_ftp
>>
>>c) Firewall rules as follows:
>># Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
>>*mangle
>>:PREROUTING ACCEPT [1308:428675]
>>:INPUT ACCEPT [1308:428675]
>>:FORWARD ACCEPT [0:0]
>>:OUTPUT ACCEPT [1273:553710]
>>:POSTROUTING ACCEPT [1273:553710]
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
>>-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>>COMMIT
>># Completed on Thu Feb 10 20:02:43 2005
>># Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
>>*nat
>>:PREROUTING ACCEPT [10233:846887]
>>:POSTROUTING ACCEPT [71:4821]
>>:OUTPUT ACCEPT [67:4688]
>>-A POSTROUTING -s 133.147.0.0/255.255.0.0 -o eth1 -j SNAT --to-source 172.21.0.132
>>COMMIT
>># Completed on Thu Feb 10 20:02:43 2005
>># Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
>>*filter
>>:INPUT DROP [0:0]
>>:FORWARD DROP [0:0]
>>:OUTPUT DROP [0:0]
>>-A INPUT -s 127.0.0.1 -j ACCEPT
>>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>>-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>>-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>>-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>>-A INPUT -p udp -j DROP
>>-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
>>-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
>>-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>-A FORWARD -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
>>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
>>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
>>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 1863 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>>-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 5050 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>>-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
>>-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
>>-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
>>-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 443 --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
>>-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
>>COMMIT
>># Completed on Thu Feb 10 20:02:43 2005
>
>-----------------------------------------------------------------
>To get off this list, send email to [EMAIL PROTECTED]
>with Subject: unsubscribe
>-----------------------------------------------------------------
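As an added example (mine, not code from either poster), here is a small shell helper that walks the INPUT chain of an iptables-save dump like the one quoted in the thread and reports which rule decides a fresh TCP connection from the LAN, which is the quickest way to see what a ruleset does to a service port before rewriting the script. The dump is constructed from the thread's filter rules, and the matcher is an assumption that only understands the options that ruleset uses (-i, -p, -s, --sport, --dport, --state, --tcp-flags), not a general iptables model; whether the daemon can bind at all is a separate question that the "netstat -nlp --inet" check suggested above answers.

```shell
# Constructed sample: a subset of the thread's ruleset in iptables-save form.
SAMPLE_DUMP='*nat
-A POSTROUTING -s 133.147.0.0/255.255.0.0 -o eth1 -j SNAT --to-source 172.21.0.132
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT'

# Verdict (ACCEPT/DROP, or the INPUT policy) for a fresh SYN arriving on eth0
# from a LAN client with a source port >= 1024, aimed at TCP port $1.
# Reads the dump on stdin; the first INPUT rule whose matchers all fit wins.
# Only the matchers used in the sample ruleset are modelled (assumption).
lan_syn_verdict() {
  awk -v p="$1" '
    /^\*/ { table = $1; next }                 # track which table we are in
    table != "*filter" { next }
    /^:INPUT / { policy = $2; next }           # chain policy, e.g. DROP
    $0 !~ /^-A INPUT / { next }
    /-s 127\.0\.0\.1/ { next }                 # packet is from the LAN, not loopback
    /--state RELATED,ESTABLISHED/ { next }     # a bare SYN is a NEW connection
    /-p / && $0 !~ /-p tcp/ { next }           # UDP/ICMP rules never match TCP
    /-i / && $0 !~ /-i eth0/ { next }          # only eth0 rules see this packet
    { ok = 1                                   # --sport 1024:65535 and SYN flags fit
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport" && $(i+1) != p) ok = 0
        if ($i == "-j") target = $(i+1)
      }
      if (ok) { print target; found = 1; exit } }
    END { if (!found) print policy }'
}

printf '%s\n' "$SAMPLE_DUMP" | lan_syn_verdict 3128   # prints ACCEPT
printf '%s\n' "$SAMPLE_DUMP" | lan_syn_verdict 80     # prints DROP (generic SYN DROP rule)
```

Port 80 has no explicit INPUT rule in the quoted set, so a client connecting straight to it falls through to the catch-all SYN DROP, while 3128 is accepted by its dedicated rule.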
