To ALL:
Maybe you can provide some insight into what I am doing wrong. I have
a firewall script that does not redirect traffic to squid at all.
However, when I put my script in test mode, then traffic is sent to
Squid. After further investigation when I am in test mode if I change
the default policy of the INPUT rule to be DENY then the test mode also
fails. I can only assume I am missing some definition for either loop
back or eth1, see attached test mode script.
Any help would be greatly appreciated,
Carmelo
----- excerpt from IPCHAINS -L -v -n ---------- this works .... however,
if I change the input policy to DENY it doesn't. What am I missing?
Chain input (policy ACCEPT: 14144 packets, 3230697 bytes):
pkts bytes target prot opt tosa tosx ifname mark
outsize source destination ports
2 80 REDIRECT tcp ------ 0xFF 0x00
* 0.0.0.0/0
0.0.0.0/0 * -> 80 => 3128
0 0 REDIRECT tcp ------ 0xFF 0x00
eth1 172.16.1.0/24
0.0.0.0/0 * -> 80 => 3128
0 0 REDIRECT udp ------ 0xFF 0x00
eth1 172.16.1.0/24
0.0.0.0/0 * -> 80 => 3128
0 0 REDIRECT tcp ------ 0xFF 0x00
eth1 172.16.1.0/24
0.0.0.0/0 * -> 443 => 3128
0 0 REDIRECT udp ------ 0xFF 0x00
eth1 172.16.1.0/24
0.0.0.0/0 * -> 443 => 3128
Chain forward (policy ACCEPT: 15 packets, 812 bytes):
pkts bytes target prot opt tosa tosx ifname mark
outsize source destination ports
0 0 DENY all ------ 0xFF 0x00
* 172.16.1.0/24
172.16.1.0/24 n/a
0 0 DENY all ------ 0xFF 0x00
* 172.16.2.0/24
172.16.2.0/24 n/a
0 0 DENY all ----l- 0xFF 0x00
* 0.0.0.0/0
172.16.1.0/24 n/a
0 0 DENY all ----l- 0xFF 0x00
* 0.0.0.0/0
172.16.2.0/24 n/a
0 0 DENY tcp ------ 0xFF 0x00
* 172.16.1.0/24
0.0.0.0/0 * -> 80
0 0 DENY tcp ------ 0xFF 0x00
* 172.16.2.0/24
0.0.0.0/0 * -> 80
79 3220 MASQ all ------ 0xFF 0x00
* 172.16.1.0/24
0.0.0.0/0 n/a
0 0 MASQ all ------ 0xFF 0x00
* 172.16.2.0/24
0.0.0.0/0 n/a
Chain output (policy ACCEPT: 512683 packets, 294488590 bytes):
------ excerpt from firewallv1.1 --------
do_flush () {
  # Drop every rule from the built-in chains (-F) and then remove all
  # user-defined chains (-X). Chain policies are left untouched; see
  # do_reset_chains for those.
  # Outputs: progress text on stdout; ipchains diagnostics on stderr.
  local flush_op
  echo -e "\tFlushing All Rules, including user-defined ... \c"
  for flush_op in -F -X; do
    ipchains "$flush_op"
  done
  echo -e "Done"
}
do_reset_chains () {
  # Set the default policy of the three built-in chains to ACCEPT, so that
  # anything not matched by an explicit rule is let through.
  # Outputs: progress text on stdout; ipchains diagnostics on stderr.
  local chain
  echo -e "\tReseting rules to ACCEPT ... \c"
  for chain in input output forward; do
    ipchains -P "$chain" ACCEPT
  done
  echo -e "Done"
}
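do_allow_masq_no_http () {
# Install the forward-chain rules for the two internal LANs, in this order:
#   1. never masquerade traffic whose source and destination are the same LAN,
#   2. deny and log (-l) anything forwarded *to* an internal LAN from anywhere,
#   3. deny direct LAN -> tcp/80 forwarding, so web traffic can only leave
#      via the REDIRECT-to-Squid rules on the input chain,
#   4. masquerade everything else coming from the LANs.
# Globals (read): LOCAL_NET_1, LOCAL_NET_2, ALL_IPS. The function aborts if any
#   is unset or empty: an empty expansion would otherwise turn a rule into e.g.
#   "-s -d -j DENY", which ipchains rejects, and the script would carry on
#   without that rule in place.
# Outputs: progress text on stdout; ipchains diagnostics on stderr.
  : "${LOCAL_NET_1:?LOCAL_NET_1 must be set}"
  : "${LOCAL_NET_2:?LOCAL_NET_2 must be set}"
  : "${ALL_IPS:?ALL_IPS must be set}"
  local net
  echo -e "\tAllow masquerading from internal LANs ... \c"
  #Don't Masq LOCAL Traffic
  for net in "$LOCAL_NET_1" "$LOCAL_NET_2"; do
    ipchains -A forward -s "$net" -d "$net" -j DENY
  done
  #Don't Masq Traffic from anywhere to internal Directly (logged with -l)
  for net in "$LOCAL_NET_1" "$LOCAL_NET_2"; do
    ipchains -A forward -s "$ALL_IPS" -d "$net" -j DENY -l
  done
  # Block direct outbound web from the LANs; port 80 must go through Squid.
  for net in "$LOCAL_NET_1" "$LOCAL_NET_2"; do
    ipchains -A forward -p tcp -s "$net" --dport 80 -j DENY
  done
  # Masq Traffic to anywhere
  for net in "$LOCAL_NET_1" "$LOCAL_NET_2"; do
    ipchains -A forward -s "$net" -d "$ALL_IPS" -j MASQ
  done
  #Don't Masq BroadCast
  # ipchains -A forward -s $LOCAL_NET_1 -d $BROADCAST_DEST -j MASQ
  # ipchains -A forward -s $LOCAL_NET_2 -d $BROADCAST_DEST -j MASQ
  #
  # This breaks communication !!!
  # ipchains -A forward -i $INTERNAL_INTERFACE -s $LOCAL_NET_1 -j MASQ
  # ipchains -A forward -i $INTERNAL_INTERFACE -s $LOCAL_NET_2 -j MASQ
  # ipchains -A forward -s $INTERNAL_INTERFACE -d $BROADCAST_DEST -j MASQ
  echo -e "Done"
}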
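do_www_to_squid () {
#***************************
# When MASQ'ing or REDIRECT always use -s with -i
#***************************
# Transparent-proxy setup: REDIRECT web traffic arriving on the input chain to
# the local Squid listener on port 3128.
# Globals (read): INTERNAL_INTERFACE, LOCAL_NET_1. The function aborts if either
#   is unset or empty, since an empty expansion would produce a malformed rule
#   (e.g. "-i -p tcp") that ipchains rejects while the script carries on.
# Outputs: progress text on stdout; ipchains diagnostics on stderr.
#
# The pasted excerpt had the commented-out rule below wrapped by the mail
# client, leaving a bare "webcache" line that the shell would try to run as a
# command; it is folded back into the comment here. The same wrapping split the
# interface-specific rules over two lines each, which made every one of them
# fail ("--dport" is not a command); they are rebuilt as single commands below.
#
# The next line silently redirects to Squid (transparent proxy)
#ipchains -A input -s $LOCAL_LAN_1 -p tcp --dport http -j REDIRECT webcache
  : "${INTERNAL_INTERFACE:?INTERNAL_INTERFACE must be set}"
  : "${LOCAL_NET_1:?LOCAL_NET_1 must be set}"
  local proto port
  echo -e "\tAllow WEB redirect to Squid: \c"
  # NOTE(review): this catch-all carries no -i/-s restriction, so port-80 traffic
  # from ANY interface (the external one included) is handed to Squid, which can
  # expose the cache to hosts outside the LAN. It is also appended ahead of the
  # interface-specific rules, so those never match (their counters read 0 in the
  # -L output while this one shows hits). Restrict it to "$INTERNAL_INTERFACE" /
  # "$LOCAL_NET_1" or drop it once the rules below are confirmed to work.
  ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80 -j REDIRECT 3128
  # Same order as the original: tcp/http, udp/http, tcp/https, udp/https.
  # NOTE(review): Squid accepts TCP connections; the udp rules are unlikely to
  # achieve anything and could be dropped — confirm.
  for port in http https; do
    for proto in tcp udp; do
      ipchains -A input -i "$INTERNAL_INTERFACE" -p "$proto" -s "$LOCAL_NET_1" \
        --dport "$port" -j REDIRECT 3128
    done
  done
  echo -e "Done"
}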
do_test () {
  # "Test mode" entry point: rebuild the rule set from scratch with every chain
  # policy left at ACCEPT, then add the Squid REDIRECT rules and the
  # forward-chain deny/masquerade rules, in that order.
  # NOTE(review): these steps only *add* REDIRECT rules to the input chain. If
  # the input policy is switched to DENY, everything else that reaches the input
  # chain — loopback traffic, DNS replies, and the replies to Squid's own
  # outbound fetches — is most likely dropped; explicit accept rules for lo and
  # for reply traffic (ipchains `! -y`) would be needed before such a policy
  # can work.
  local step
  echo -e "Starting Firewall (Test Mode):"
  for step in do_flush do_reset_chains do_www_to_squid do_allow_masq_no_http; do
    "$step"
  done
  echo "Complete"
}
# Entry point of the excerpt: always runs the test-mode setup and exits 0.
# do_test ends with an echo, so its own status is 0 regardless of whether any
# ipchains call inside the steps failed; those failures are not propagated.
do_test
exit 0
Received on Tue Jul 30 2002 - 12:48:08 MDT