Your INPUT and OUTPUT rules look a little odd, but as you did not include the full ruleset it is hard to tell. (iptables -L only gives a summary of the rules; it is better to use iptables-save.)
Regards,
Henrik

On Sun, 28 Dec 2003, Vincent GAUVIN wrote:

> Hello all,
> I am running squid2.5.stable4 on a server (kernel 2.4.7.20, masquerade with
> iptables).
> As soon as one of my workstations tries a web request I read this in my
> cache.log file:
>
> 2003/12/24 13:19:24| comm_udp_sendto: FD 4, 212.27.32.176, port 53: (1) Operation not permitted
> 2003/12/24 13:19:24| idnsSendQuery: FD 4: sendto: (1) Operation not permitted
>
> and obviously it does not work :-((
> Let me tell you that I have no local DNS running and that 212.27.32.175 is
> one of my ISP's DNS servers.
> If I stop running squid everything is OK.
> I think my firewall-masq rules are not right but I can't find what is wrong
> (I attach my squid.conf and iptables rules).
>
> Does someone have an idea to help me?
> Thanks,
> Regards,
> _____________________________________________________________________
> Vincent GAUVIN - Formateur TICE
> Circonscription de REIMS VI 13 rue Chanzy BP 2028 51070 REIMS Cédex (France)
> Tel : (33) 03.26.02.19.14
> mailto : [EMAIL PROTECTED]
> http://ienreims6.dyndns.org/
> The TICE site for the Marne: http://tic-et-tice.dyndns.org
> _____________________________________________________________________
>
> "iptables -L"
> Chain INPUT (policy DROP)
> target     prot opt source      destination
> ACCEPT     all  --  anywhere    anywhere
> ACCEPT     all  --  anywhere    anywhere
> ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ssh
>
> Chain FORWARD (policy DROP)
> target     prot opt source      destination
> ACCEPT     all  --  anywhere    anywhere    state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
>
> Chain OUTPUT (policy DROP)
> target     prot opt source      destination
> ACCEPT     all  --  anywhere    anywhere
> ACCEPT     all  --  anywhere    anywhere
> ACCEPT     tcp  --  anywhere    anywhere    tcp spt:ssh
>
>
> "squid.conf"
>
> #port on which the proxy listens for Web clients
> http_port 8080
> cache_effective_user squid
> cache_effective_group squid
>
> #do not use the cache for ? and .cgi
> hierarchy_stoplist cgi-bin ? .cgi
>
>
> #RAM allocated to the proxy
> cache_mem 8 MB
>
> #maximum size of the files that will be stored in the cache
> maximum_object_size 4096 KB
>
> #directory in which the stored files will be kept.
> #in this example, the maximum size of this directory will be 200MB
> # there will be 16 subdirectories in /var/spool/squid
> #- and there will be 256 subdirectories inside each of those 16
> cache_dir ufs /var/spool/squid 200 16 256
>
>
> #log files needed to monitor the cache's operation
> cache_access_log /usr/local/squid/var/logs/access.log
> cache_log /usr/local/squid/var/logs/cache.log
> cache_store_log /usr/local/squid/var/logs/store.log
> cache_swap_log /usr/local/squid/var/logs/swap.log
>
>
> #location of squid's MIME table
> mime_table /usr/local/squid/etc/mime.conf
>
> #process-related settings
> pid_filename /var/run/squid.pid
> debug_options ALL,1
>
> #access lists
> acl allowed_hosts src 192.168.0.0/255.255.0.0
> # acl localhost src 127.0.0.1/255.255.255.255
> acl manager proto cache_object
> # acl all src 0.0.0.0/0.0.0.0
> acl SSL_ports port 443 563
> acl safe_ports port 80 21 443 563 70 210 1025-65535
> acl CONNECT method CONNECT
> acl serveurlocal dst 127.0.0.1/255.255.255.255
>
>
> #allow/deny the lists defined above
> http_access allow manager
> http_access allow manager allowed_hosts
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow allowed_hosts
> http_access allow serveurlocal
>
>
> #cache manager's email
> cache_mgr [EMAIL PROTECTED]
>
>
> visible_hostname cache
>
> #log file rotation
> logfile_rotate 5
>
>
> httpd_accel_host virtual
> httpd_accel_port 8080
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> httpd_accel_single_host off
> log_fqdn on
>
> #to exclude the (local) intranet from the cache
> acl web-local dstdomain localhost
> always_direct allow web-local
>
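An added illustration of Henrik's point about `iptables -L` versus `iptables-save`; this is editor-supplied example code, not part of either message in the thread. The ruleset below is a constructed, hypothetical `iptables-save` dump (the poster's full rules were never shown, and the interface names `eth0` for the ISP side and `eth1` for the LAN are assumptions). It was built so that a plain `iptables -L` would render its INPUT and OUTPUT chains as the "ACCEPT all -- anywhere anywhere" lines seen above, because `-L` without `-v` does not print the `-i`/`-o` interface matches at all. The script then walks the OUTPUT chain for one packet the way the kernel would: locally generated traffic such as Squid's own DNS query is checked by OUTPUT, and when a netfilter OUTPUT rule or policy drops a locally generated packet, the sending process gets `EPERM` back from `sendto()`, which is precisely the "(1) Operation not permitted" Squid logs.

```shell
#!/bin/sh
# Added example (not from the original thread). RULESET is a constructed,
# hypothetical iptables-save dump; eth0 (ISP side) and eth1 (LAN) are assumed
# interface names. "iptables -L" would show the two -i/-o rules in each
# chain only as "ACCEPT all -- anywhere anywhere".
RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
COMMIT'

# Print one chain's rules in full iptables-save form, i.e. with the -i/-o
# interface matches that "iptables -L" (without -v) omits.
show_chain() {
  printf '%s\n' "$RULESET" | awk -v chain="$1" '$1 == "-A" && $2 == chain'
}

# Emulate a chain traversal for one packet and print the verdict.
# Arguments: chain, interface (as seen by -i/-o), protocol, source port,
# destination port. First matching rule wins; otherwise the chain policy.
# Only -i, -o, -p, --sport and --dport are understood; any other match
# (e.g. -m state) is ignored, which is enough for the ruleset above.
verdict() {
  printf '%s\n' "$RULESET" | awk -v chain="$1" -v ifc="$2" -v proto="$3" \
                                 -v sport="$4" -v dport="$5" '
    $1 == ":" chain { policy = $2 }
    $1 == "-A" && $2 == chain {
      r_if = ""; r_p = ""; r_sp = ""; r_dp = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i" || $i == "-o") r_if = $(++i)
        else if ($i == "-p")          r_p = $(++i)
        else if ($i == "--sport")     r_sp = $(++i)
        else if ($i == "--dport")     r_dp = $(++i)
        else if ($i == "-j")          target = $(++i)
      }
      if (r_if != "" && r_if != ifc)   next
      if (r_p  != "" && r_p  != proto) next
      if (r_sp != "" && r_sp != sport) next
      if (r_dp != "" && r_dp != dport) next
      print target; matched = 1; exit
    }
    END { if (!matched) print "policy " policy }
  '
}

# Squid running on the gateway sends a DNS query to the ISP resolver through
# the ISP-facing interface. It is locally generated, so it goes through
# OUTPUT, matches no ACCEPT rule and falls to the DROP policy: the kernel
# reports that to Squid as "sendto: (1) Operation not permitted".
echo "Squid DNS query out via eth0: $(verdict OUTPUT eth0 udp 32768 53)"
# The same query leaving via the LAN interface would be accepted:
echo "DNS query out via eth1:       $(verdict OUTPUT eth1 udp 32768 53)"
# ssh replies are explicitly allowed, so an admin logged in over ssh never
# notices the OUTPUT policy:
echo "ssh reply out via eth0:       $(verdict OUTPUT eth0 tcp 22 51000)"
echo "Full OUTPUT chain as iptables-save shows it:"
show_chain OUTPUT
```

On a real box the equivalent check is `iptables-save` (or `iptables -L -v -n`, which adds the interface columns and skips reverse DNS lookups); whichever interface carries the ISP-facing traffic must have an OUTPUT ACCEPT covering Squid's own UDP/53 and TCP connections, or the proxy's outbound traffic is silently subject to the chain policy even though the workstations' masqueraded traffic, which only traverses FORWARD, keeps working.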
