Re: [squid-users] Iptables rules for squid

From: Mathew Thomas <mathew.thomas@dont-contact.us>
Date: Thu, 29 Jan 2004 09:31:35 +1100

Hi All,

Thanks Henrik for the advice. Sorry for pestering again, but I have got one
more question. I am getting a lot of the following messages in my
iptables log, where the packets are coming from outside our network. I
was wondering whether I should open the random (1025 to 65535) ports (UDP
and TCP) to the LAN and OUTSIDE our network. I am not doing any "OUTPUT"
filtering.

1) INCOMING TCP PACKETS (some from ports 80 or 21 to a random port on
my proxy server, but lots from random ports of the source m/c to
random ports on my proxy server)
-----------------------------------------------------------------------
Jan 28 12:13:47 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1
OUT=MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=.200.216.110
DST=131.170.90.3 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=64266 PROTO=TCP
SPT=80 DPT=35483 WINDOW=0 RES=0x00 ACK RST URGP=0

Jan 28 14:11:20 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1
OUT=MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=210.115.150.4
DST=131.170.90.3 LEN=1351 TOS=0x00 PREC=0x00 TTL=47 ID=40388 DF
PROTO=TCP SPT=80 DPT=48822 WINDOW=57920 RES=0x00 ACK PSH FIN URGP=0

Jan 28 15:08:34 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1
OUT=MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=63.146.120.71
DST=131.170.90.3 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=26843 DF PROTO=TCP
SPT=32422 DPT=42348 WINDOW=0 RES=0x00 RST URGP=0

Jan 28 14:35:19 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1 OUT=
MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=206.16.4.27
DST=131.170.90.3 LEN=64 TOS=0x00 PREC=0x00 TTL=237 ID=17217 DF PROTO=TCP
SPT=21 DPT=60486 WINDOW=10220 RES=0x00 ACKURGP

Jan 28 14:29:49 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1
OUT=MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=80.160.91.19
DST=131.170.90.3 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=37113 DF PROTO=TCP
SPT=3531 DPT=41372 WINDOW=57920 RES=0x00 ACKRST URGP=0

2) INCOMING UDP PACKETS (some from port 80 of the source m/c to a
random port on my proxy server, but lots from random ports of the source
to random ports on my proxy server)
-----------------------------------------------------------------------
Jan 28 21:45:37 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1 OUT=
MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=63.211.17.228
DST=131.170.90.3 LEN=38 TOS=0x00 PREC=0x00 TTL=50 ID=5486 PROTO=UDP
SPT=80 DPT=37852 LEN=18

Jan 28 21:46:55 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1 OUT=
MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=64.152.70.68
DST=131.170.90.3 LEN=38 TOS=0x00 PREC=0x00 TTL=52 ID=26336 PROTO=UDP
SPT=80 DPT=37852 LEN=18

Jan 28 13:37:28 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1
OUT=MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=210.61.218.113
DST=131.170.90.3 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=52986 PROTO=UDP
SPT=39852 DPT=32770 LEN=20

Jan 28 14:37:59 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1 OUT=
MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=129.33.82.50
DST=131.170.90.3 LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=64903 PROTO=UDP
SPT=49814 DPT=33451 LEN=18

3) Incoming ICMP packets. (I believe I can ignore these, as they are not
needed for the squid proxy)
-----------------------------------------------------------------------
Jan 28 15:13:35 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1
OUT=MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=206.131.224.226
DST=131.170.90.3 LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=13118 PROTO=ICMP
TYPE=3 CODE=1 [SRC=131.170.90.3
DST=206.131.226.62 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15749 DF
PROTO=TCP INCOMPLETE [8 bytes] ]
 
Jan 28 23:41:37 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1 OUT=
MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=138.88.162.208
DST=131.170.90.3 LEN=37 TOS=0x00 PREC=0x00 TTL=107 ID=5677 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=64229

Jan 28 23:41:40 sproxy2 kernel: FIREWALL OUTSIDE RMIT IN=eth1 OUT=
MAC=00:08:02:ed:db:cd:00:60:cf:49:9f:20:08:00 SRC=138.88.162.208
DST=131.170.90.3 LEN=37 TOS=0x00 PREC=0x00 TTL=107 ID=6341 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=37352

Thanks
Mathew

>>> Henrik Nordstrom <hno@squid-cache.org> 24/01/04 2:49:26 >>>
On Fri, 23 Jan 2004, Mathew Thomas wrote:

> transparent caching. I would like to know how I should set the iptables
> rules, like which port should be opened for the LAN and which port
> should be opened for the internet, etc.

The LAN needs to be able to access the proxy port (http_port).

In addition, the Squid server needs to be allowed to talk to the Internet
and to your DNS server.

Note: if you are proxying FTP or otherwise making FTP requests from the
Squid proxy server, then you need to remember to have the conntrack_ftp
helper module loaded, or else FTP transfers may fail.

Regards
Henrik
Received on Wed Jan 28 2004 - 16:30:20 MST
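An added example, not from either poster: a minimal stateful iptables script for the setup Henrik describes, addressing Mathew's question about the 1025 to 65535 range. With connection tracking, replies to connections Squid opened itself are accepted as ESTABLISHED or RELATED, so that range is never opened inbound, while packets that match no tracked connection stay dropped. The interface names, LAN subnet, http_port value and the RUN dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables rules for a Squid
# transparent proxy, following Henrik's advice. Replies to connections the
# proxy opened itself are accepted by connection-tracking state, so the
# 1025-65535 range is never opened inbound. Placeholders are assumptions.
LAN_IF="${LAN_IF:-eth0}"                 # assumed LAN-facing interface
WAN_IF="${WAN_IF:-eth1}"                 # eth1 is the outside interface in the logs
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN subnet
HTTP_PORT="${HTTP_PORT:-3128}"           # Squid http_port (3128 is the default)
RUN="${RUN:-}"                           # RUN=echo prints rules instead of applying

squid_firewall() {
    # FTP helper (Henrik's note); called ip_conntrack_ftp on 2.4-era kernels.
    # Newer kernels only attach helpers to flows assigned with the CT target.
    $RUN modprobe nf_conntrack_ftp
    $RUN iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT       # no OUTPUT filtering: Squid may reach
                                         # web servers and the DNS server freely
    $RUN iptables -A INPUT -i lo -j ACCEPT

    # Replies to connections the proxy opened (HTTP, DNS, FTP data channels)
    # and ICMP errors for them (e.g. type 3 code 1) match here.
    $RUN iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Segments that belong to no tracked connection, such as a late RST/ACK or
    # FIN to an ephemeral port, are INVALID or NEW without SYN: drop them.
    $RUN iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    $RUN iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # LAN clients to Squid's http_port, plus transparent redirect of port 80.
    $RUN iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$HTTP_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$HTTP_PORT"

    # Everything else from outside (scans, echo requests, stray UDP) is logged
    # at a limited rate and then dropped by the INPUT policy.
    $RUN iptables -A INPUT -i "$WAN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "FIREWALL OUTSIDE "
}

# Usage: sh squid-fw.sh dry-run  (print the rules)  |  sh squid-fw.sh apply
case "${1:-}" in
    dry-run) RUN=echo squid_firewall ;;
    apply)   squid_firewall ;;
esac
```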
