Your firewall rules seem to be preventing your gateway from doing DNS lookups...
Add a rule like:

## DNS Lookups
iptables -A INPUT -p udp -i eth1 --sport 53 -d 192.168.192.70 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --dport 53 -s 192.168.192.70 -j ACCEPT

And you should be set.

Chris

-----Original Message-----
From: Shafyx [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 15, 2004 10:37 PM
To: [EMAIL PROTECTED]
Subject: [squid-users] Squid and Firewall on Gateway

Hello

I have installed a Debian machine that acts as a gateway to my LAN. The job of the gateway is to provide a caching server for my LAN as well as a firewall. Here is my architecture:

            eth1           eth0
ADSL <---> [Gateway] <---> LAN

eth1 = 192.168.192.70, eth0 = 192.168.1.1, LAN = 192.168.1.0/24

On the gateway, I have squid 2.5.STABLE7 and it authenticates all the users connecting to the internet. Thus, it is not a transparent proxy. I am also using iptables to build the firewall. The proxy listens on port 3128.

The firewall works, but for port 3128 I don't know what to do. When I browse without activating the proxy in my browser, I can surf on the internet, but when I activate the proxy, it gives:

  The requested URL could not be retrieved

  While trying to retrieve the URL: http://www.yahoo.com/

  The following error was encountered:
    Unable to determine IP address from host name for www.yahoo.com

  The dnsserver returned:
    Timeout

  This means that:
    The cache was not able to resolve the hostname presented in the URL.
    Check if the address is correct.

  Your cache administrator is webmaster.

Here is what access.log says:

1103182301.857      1 192.168.1.23 TCP_DENIED/407 1761 GET http://www.yahoo.com/ - NONE/- text/html

Here is an extract of the firewall:

iptables -F
iptables -F -t nat
iptables -X

### Block everything by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

## Packets for localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## Unlimited traffic inside the LAN
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT

## Internal traffic leaves with the external IP
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to 192.168.192.70

## Allow packets to leave the LAN
iptables -A FORWARD -m state --state NEW,ESTABLISHED -i eth0 -s 192.168.1.0/24 -j ACCEPT

## Allow packets to return to the LAN
##iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -s ! 192.168.1.0/24 -j ACCEPT

## WWW-CACHE
iptables -A INPUT -p tcp -i eth1 --sport 3128 -d 192.168.192.70 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth1 -s 192.168.192.70 --dport 3128 -j ACCEPT

## HTTP Client
iptables -A INPUT -p tcp -i eth1 --sport 80 -d 192.168.192.70 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth1 --dport 80 -s 192.168.192.70 -j ACCEPT

Please, could someone help me sort out the problem.

Thanks
A+
S.

--
Shafeek Sumser
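A small first-match model of the INPUT/OUTPUT chains from the original post, written for this page rather than taken from the thread, shows why the gateway's own resolver traffic falls through to the DROP policy until Chris's two DNS rules are added. The resolver address is a constructed placeholder, and requiring conntrack state ESTABLISHED on the reply rule is a tightening added here, not something either poster wrote.

```python
import ipaddress
# Addresses from the thread; the resolver address is a constructed placeholder.
GW, LAN, RESOLVER = "192.168.192.70", "192.168.1.0/24", "192.0.2.53"
def rule(chain, target, **match):  # 'iface' stands for -i (INPUT) / -o (OUTPUT)
    return (chain, match, target)
# INPUT/OUTPUT rules from the original post, in posted order. FORWARD is left
# out: the gateway's own lookups never traverse it.
ORIGINAL = [
    rule("INPUT",  "ACCEPT", iface="lo"),
    rule("OUTPUT", "ACCEPT", iface="lo"),
    rule("INPUT",  "ACCEPT", iface="eth0", src=LAN),
    rule("OUTPUT", "ACCEPT", iface="eth0", dst=LAN),
    rule("INPUT",  "ACCEPT", proto="tcp", iface="eth1", sport=3128, dst=GW),
    rule("OUTPUT", "ACCEPT", proto="tcp", iface="eth1", src=GW, dport=3128),
    rule("INPUT",  "ACCEPT", proto="tcp", iface="eth1", sport=80, dst=GW),
    rule("OUTPUT", "ACCEPT", proto="tcp", iface="eth1", dport=80, src=GW),
]
# Chris's DNS rules. The reply rule also requires conntrack state ESTABLISHED
# (a tightening added here, not in the thread) so a stray packet that merely
# carries source port 53 is not accepted.
DNS_FIX = [
    rule("OUTPUT", "ACCEPT", proto="udp", iface="eth1", dport=53, src=GW),
    rule("INPUT",  "ACCEPT", proto="udp", iface="eth1", sport=53, dst=GW,
         state="ESTABLISHED"),
]
def _matches(match, pkt):
    for key, want in match.items():
        if key in ("src", "dst"):  # -s/-d accept a host or a CIDR network
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(rules, chain, pkt, policy="DROP"):
    """First matching rule wins; otherwise the chain policy (DROP, as posted)."""
    for r_chain, match, target in rules:
        if r_chain == chain and _matches(match, pkt):
            return target
    return policy

def dns_lookup_allowed(rules):
    """Can the gateway send a UDP/53 query out eth1 and get the reply back?"""
    query = dict(proto="udp", iface="eth1", src=GW, dst=RESOLVER,
                 sport=33000, dport=53, state="NEW")
    reply = dict(proto="udp", iface="eth1", src=RESOLVER, dst=GW,
                 sport=53, dport=33000, state="ESTABLISHED")
    return (verdict(rules, "OUTPUT", query) == "ACCEPT"
            and verdict(rules, "INPUT", reply) == "ACCEPT")
```

The model only evaluates the match options the posted rules actually use; a LAN client reaching port 3128 on eth0 is accepted by the LAN rule, which is why access.log still shows Squid answering 407 while Squid's own lookups time out.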
