Hi Chris,
Thanks, it worked.

--- Chris Robertson <[EMAIL PROTECTED]> wrote:

> Your firewall rules seem to be preventing your gateway from doing DNS
> lookups...
>
> Add a rule like:
>
> ## DNS Lookups
> iptables -A INPUT -p udp -i eth1 --sport 53 -d 192.168.192.70 -j ACCEPT
> iptables -A OUTPUT -p udp -o eth1 --dport 53 -s 192.168.192.70 -j ACCEPT
>
> And you should be set.
>
> Chris
>
> -----Original Message-----
> From: Shafyx [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 15, 2004 10:37 PM
> To: [EMAIL PROTECTED]
> Subject: [squid-users] Squid and Firewall on Gateway
>
> Hello
>
> I have installed a Debian machine that acts as a gateway to my LAN. The
> job of the gateway is to provide a caching server for my LAN as well as a
> firewall. Here is my architecture:
>
>           eth1           eth0
> ADSL <---> [Gateway] <---> LAN
>
> eth1 = 192.168.192.70, eth0 = 192.168.1.1, LAN = 192.168.1.0/24
>
> On the gateway I have squid 2.5.STABLE7, and it authenticates all the
> users connecting to the internet. Thus, it is not a transparent proxy. I
> am also using iptables to build the firewall. The proxy listens on port
> 3128.
>
> The firewall works, but for port 3128 I don't know what to do.
>
> When I browse without activating the proxy in my browser, I can surf the
> internet, but when I activate the proxy, it gives:
>
>     The requested URL could not be retrieved
>
>     While trying to retrieve the URL: http://www.yahoo.com/
>
>     The following error was encountered:
>
>         Unable to determine IP address from host name for www.yahoo.com
>
>     The dnsserver returned:
>
>         Timeout
>
>     This means that:
>
>         The cache was not able to resolve the hostname presented in the
>         URL. Check if the address is correct.
>
>     Your cache administrator is webmaster.
>
> Here is what access.log says:
>
> 1103182301.857 1 192.168.1.23 TCP_DENIED/407 1761 GET http://www.yahoo.com/ - NONE/- text/html
>
> Here is an extract of the firewall:
>
> iptables -F
> iptables -F -t nat
> iptables -X
> ### Block everything by default
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> ## Packets for localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> ## Unlimited traffic within the LAN
> iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
> iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT
>
> ## Internal traffic leaves with the external IP
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to 192.168.192.70
>
> ## Allow packets to leave the LAN
> iptables -A FORWARD -m state --state NEW,ESTABLISHED -i eth0 -s 192.168.1.0/24 -j ACCEPT
>
> ## Allow packets to return to the LAN
> ##iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -d 192.168.1.0/24 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -s ! 192.168.1.0/24 -j ACCEPT
>
> ## WWW-CACHE
> iptables -A INPUT -p tcp -i eth1 --sport 3128 -d 192.168.192.70 -j ACCEPT
> iptables -A OUTPUT -p tcp -o eth1 -s 192.168.192.70 --dport 3128 -j ACCEPT
>
> ## HTTP Client
> iptables -A INPUT -p tcp -i eth1 --sport 80 -d 192.168.192.70 -j ACCEPT
> iptables -A OUTPUT -p tcp -o eth1 --dport 80 -s 192.168.192.70 -j ACCEPT
>
> Please, could someone help me sort out the problem.
>
> Thanks
>
> A+
>
> S.
> --
> Shafeek Sumser
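A worked version of the fix discussed in this thread, added here as an example and not taken from either poster's script: it rebuilds the gateway firewall from the original message with the DNS rules Chris recommends, but in stateful form. Instead of accepting any inbound packet whose source port happens to be 53 (or 80, or 3128), it allows the gateway to open outbound connections to a fixed set of resolvers and web ports and lets connection tracking admit only the replies. The interface names and addresses are taken from the thread; the resolver addresses are constructed placeholders in the RFC 5737 test range, and the DRY_RUN switch and function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread: a stateful rewrite of
# the gateway firewall from the original post, including the DNS rules the
# reply recommends. Assumed from the thread: eth1/192.168.192.70 is the ADSL
# side, eth0/192.168.1.1 faces the LAN 192.168.1.0/24, squid listens on 3128.
# Resolver addresses below are constructed placeholders (RFC 5737 range).
# Set DRY_RUN=1 to print the iptables commands instead of applying them.

WAN_IF=eth1
LAN_IF=eth0
WAN_IP=192.168.192.70
LAN_NET=192.168.1.0/24
DNS_SERVERS="192.0.2.53 192.0.2.54"   # placeholder resolvers; edit for your ISP

# Wrapper: echo the command under DRY_RUN, otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

reset_and_default_drop() {
    ipt -F
    ipt -F -t nat
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

loopback_and_lan_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
}

# Traffic the gateway itself originates on the WAN side. Squid's resolver
# needs UDP 53, and DNS falls back to TCP 53 for truncated answers. Limiting
# the destination to known resolvers and letting conntrack admit only the
# replies is tighter than accepting anything with source port 53 on INPUT.
gateway_client_rules() {
    for ns in $DNS_SERVERS; do
        ipt -A OUTPUT -p udp -o "$WAN_IF" -s "$WAN_IP" -d "$ns" --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        ipt -A OUTPUT -p tcp -o "$WAN_IF" -s "$WAN_IP" -d "$ns" --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    # Squid fetching from origin servers (80) and from an upstream cache (3128).
    for port in 80 3128; do
        ipt -A OUTPUT -p tcp -o "$WAN_IF" -s "$WAN_IP" --dport "$port" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    # One stateful reply rule replaces the per-port --sport INPUT rules.
    ipt -A INPUT -i "$WAN_IF" -d "$WAN_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# LAN-to-internet forwarding with SNAT, as in the original post. Forwarding
# port 80 directly lets clients bypass the authenticating proxy; drop these
# FORWARD rules (or restrict their ports) if the proxy is meant to be mandatory.
forward_rules() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to "$WAN_IP"
    ipt -A FORWARD -m state --state NEW,ESTABLISHED -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -i "$WAN_IF" -d "$LAN_NET" -j ACCEPT
}

build_firewall() {
    reset_and_default_drop
    loopback_and_lan_rules
    gateway_client_rules
    forward_rules
}

# Apply only when explicitly asked, so the file can be sourced or dry-run:
#   DRY_RUN=1 APPLY=1 sh firewall.sh    # print the rule set
#   APPLY=1 sh firewall.sh              # load it (as root)
if [ "${APPLY:-0}" = "1" ]; then
    build_firewall
fi
```

The dry-run output is worth diffing against the live ruleset (`iptables -S`) after loading, and the squid error page in the thread ("Unable to determine IP address from host name ... The dnsserver returned: Timeout") is exactly the symptom to expect if the OUTPUT rules to port 53 are missing or point at the wrong resolver addresses.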
