Hello Eliezer,

it is just this:

# Generated by iptables-save v1.4.7 on Wed Jul 19 20:25:22 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p icmp -j ACCEPT
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3478 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3544 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
COMMIT
# Completed on Wed Jul 19 20:25:22 2017

Walter

On 19.07.2017 20:03, Eliezer Croitoru wrote:
Hey Walter,

Can you please paste the output of "iptables-save" for me?
It's easier for me to read plain iptables-save than iptables -Lnv or any other 
format.
Then I would be able to send you a file that you can just pull into 
iptables-restore which should work.

And just to clear out my doubts on the scenario:
Are the RST packets coming from the gateway (192.168.0.1) but for requests from 
the local proxy (192.168.0.10)?
To eliminate couple things, can you test the next rule on the GW:
iptables -I INPUT -s 192.168.0.10 -j ACCEPT

And see if it changes anything at all?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Walter H.
Sent: Tuesday, July 18, 2017 15:29
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) 
accepts them ...

Hello,

my router box runs CentOS 6, with the EPEL squid34 RPM package

this is the iptables
<BEGIN /etc/sysconfig/iptables>
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow multicast
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT

# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow anything out on LAN
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable DHCP for LAN
-A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Enable DNS-Cache for LAN
-A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT

# Enable SSH from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Enable HTTP/HTTPS from LAN (some gui interface)
-A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Enable Squid-Proxy from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Block STUN
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
# Block TEREDO
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT

# Allow Forwarding to WAN interface
-A FORWARD -i br0 -o eth1 -j ACCEPT
# Allow established, related packets back through
-A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only the lan is allowed to ping me without restriction
-A INPUT -i br0 -p icmp -j ACCEPT
# Else only pings with restricted icmp are allowed
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT

# Enable TRACEroute to me from LAN
-A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Enable TRACEroute to me from internet
-A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Log all other
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7

COMMIT
<END /etc/sysconfig/iptables>

and these are logged entries:
(only partial, as they are many)

<BEGIN dmesg>
[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
[18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0
<END dmesg>

192.168.0.1  is the router itself
192.168.0.10  is a VM running another squid, using the router box as parent 
proxy
192.168.0.2   is my windows box

why are these packets blocked?

By the way, the router box has of course more interfaces: br0 (LAN) and eth1 
(WAN). Where can I ensure that squid only listens on the LAN IP?

<BEGIN squid.conf>
acl localnet src 192.168.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70                # gopher
acl Safe_ports port 1025-65535        # unregistered ports
acl CONNECT method CONNECT

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# and finally allow by default
http_reply_access allow all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 16400 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

acl crl-mime rep_mime_type application/x-pkcs7-crl
no_cache deny crl-mime

icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors

logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

refresh_pattern ^ftp:                1440        20%        10080
refresh_pattern ^gopher:        1440        0%        1440
refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
refresh_pattern .                0        20%        4320
<END squid.conf>

Thanks,
Walter
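Why a TCP packet aimed at a port the INPUT chain accepts can still end up at the catch-all LOG rule, as an added example (editor's code, not from the thread or from Squid): the script below models the two things that decide the verdict for the records quoted above. First, how nf_conntrack classifies a TCP packet for which it holds no connection entry (the kernel's tcp_new() logic: only a SYN opens a NEW connection; a bare ACK is picked up mid-stream as NEW only while nf_conntrack_tcp_loose=1; RST, FIN and SYN/ACK without an entry are INVALID). Second, the posted INPUT chain, walked in order. It parses two of the dmesg records from the thread plus one constructed SYN record for contrast and reports the first rule each packet matches. The rule table is a hand-transcribed subset of the posted chain; all function and variable names are the example's own.

```python
"""Replay netfilter LOG records against a model of conntrack + the posted INPUT chain."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Bare tokens that netfilter's LOG target emits for set TCP flags.
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass(frozen=True)
class LoggedPacket:
    iface: str
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    flags: FrozenSet[str]


def parse_log_line(line: str) -> LoggedPacket:
    """Parse one LOG record ("... IN=br0 OUT= ... PROTO=TCP SPT=.. DPT=.. ACK FIN URGP=0").
    KEY=VALUE tokens become fields; bare TCP flag names become the flag set.
    Anything else (the syslog timestamp, the log prefix, DF) is ignored."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAG_TOKENS:
            flags.add(tok)
    return LoggedPacket(
        iface=fields.get("IN", ""),
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", "").lower(),
        sport=int(fields["SPT"]) if "SPT" in fields else None,
        dport=int(fields["DPT"]) if "DPT" in fields else None,
        flags=frozenset(flags),
    )


def untracked_tcp_state(flags: FrozenSet[str], tcp_loose: bool = True) -> str:
    """Conntrack state of a TCP packet that matches NO existing conntrack entry
    (mirrors nf_conntrack_proto_tcp's tcp_new(): flag index order RST, SYN/SYN-ACK,
    FIN, ACK). Only a SYN starts a NEW connection; a plain ACK is picked up as NEW
    only with nf_conntrack_tcp_loose=1; everything else is INVALID."""
    if "RST" in flags:
        return "INVALID"
    if "SYN" in flags:
        return "INVALID" if "ACK" in flags else "NEW"
    if "FIN" in flags:
        return "INVALID"
    if "ACK" in flags:
        return "NEW" if tcp_loose else "INVALID"
    return "INVALID"


# Subset of the posted INPUT chain that a TCP packet arriving on br0 can hit, in chain
# order: (in-iface, proto, dport, state set, target). None means the rule has no such
# match. LOG is non-terminating, so reaching it means "logged, then the DROP policy".
INPUT_RULES = [
    ("lo",  None,  None, None,                       "ACCEPT"),
    ("br0", None,  None, {"RELATED", "ESTABLISHED"}, "ACCEPT"),
    ("br0", "tcp", 53,   {"NEW"},                    "ACCEPT"),
    ("br0", "tcp", 22,   {"NEW"},                    "ACCEPT"),
    ("br0", "tcp", 80,   {"NEW"},                    "ACCEPT"),
    ("br0", "tcp", 443,  {"NEW"},                    "ACCEPT"),
    ("br0", "tcp", 3128, {"NEW"},                    "ACCEPT"),
    (None,  None,  None, None,                       "LOG"),
]


def first_matching_target(pkt: LoggedPacket, state: str, rules=INPUT_RULES) -> str:
    """Walk the chain like the kernel does and return the first rule's target; the
    chain policy (DROP) applies when nothing matches."""
    for iface, proto, dport, states, target in rules:
        if iface is not None and pkt.iface != iface:
            continue
        if proto is not None and pkt.proto != proto:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if states is not None and state not in states:
            continue
        return target
    return "DROP"


def explain(line: str, tcp_loose: bool = True) -> Tuple[LoggedPacket, str, str]:
    pkt = parse_log_line(line)
    state = untracked_tcp_state(pkt.flags, tcp_loose)
    return pkt, state, first_matching_target(pkt, state)


# Records 1 and 3 are copied from the dmesg excerpt in the thread; the last one is
# constructed here (not from the thread) to show what a fresh connection attempt does.
SAMPLE_LOG = [
    "[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 "
    "SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
    "SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0",
    "[18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 "
    "SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP "
    "SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0",
    "IN=br0 OUT= SRC=192.168.0.2 DST=192.168.0.1 PROTO=TCP SPT=1220 DPT=3128 SYN URGP=0",  # constructed
]

if __name__ == "__main__":
    for record in SAMPLE_LOG:
        pkt, state, verdict = explain(record)
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} flags={sorted(pkt.flags)} "
              f"conntrack={state} first_match={verdict}")
```

Both quoted records come out as INVALID / LOG: a RST, or a FIN/ACK, for which conntrack no longer holds an entry (for example after an earlier RST tore the entry down, or after it timed out) is neither NEW nor ESTABLISHED, so none of the ACCEPT rules can match and the packet falls through to the LOG rule and the DROP policy; the constructed SYN is NEW and is accepted by the port 3128 rule. The model only says what happens to an untracked packet; whether the entry really was missing on the box can be checked with `conntrack -L` at the time, or by placing `-A INPUT -m state --state INVALID -j LOG --log-prefix "IP[INVALID]: "` ahead of the catch-all LOG so these packets get their own prefix. The tcp_loose setting is readable at /proc/sys/net/netfilter/nf_conntrack_tcp_loose.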



_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
