RE: [squid-users] Squid and Firewall on Gateway

Your firewall rules seem to be preventing your gateway from doing DNS
lookups...

Add a rule like:

## DNS Lookups
iptables -A INPUT -p udp -i eth1 --sport 53 -d 192.168.192.70 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --dport 53 -s 192.168.192.70 -j ACCEPT

And you should be set.

Chris

-----Original Message-----
From: Shafyx [mailto:debianyx@yahoo.com]
Sent: Wednesday, December 15, 2004 10:37 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid and Firewall on Gateway

Hello

I have installed on my a debian machine that acts as a
gateway to my lan. The job of the gateway to to
provide a caching server for my lan as well as a
firewall. Here is my architecture:

            eth1 eth0
ADSL <---> [Gateway] <---> LAN

eth1 = 192.168.192.70, eth0 = 192.168.1.1,
LAN = 192.168.1.0/24

On the Gateway, i have squid 2.5.STABLE7 and it
authenticates all the users connecting to the
internet. Thus, it is not a transparent proxy. I am
also using iptables to build the firewall. Proxy
listen on port 3128.

The firewall works but for the port 3128 i don't know
how to do.

When i browse without activating proxy on my browser,
I can surf on the internet but when i activate the
proxy, it gives:

The requested URL could not be retrieved

While trying to retrieve the URL:
http://www.yahoo.com/

The following error was encountered:

    Unable to determine IP address from host name for
www.yahoo.com

The dnsserver returned:

    Timeout

This means that:

 The cache was not able to resolve the hostname
presented in the URL.
 Check if the address is correct.

Your cache administrator is webmaster.

here what access.log says:
1103182301.857 1 192.168.1.23 TCP_DENIED/407 1761
GET http://www.yahoo.com/ - NONE/- text/html

Here is an extract of the firewall:
iptables -F
iptables -F -t nat
iptables -X
###Bloque tous par defaut
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

## Les pacquets pour localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## Traffiques illimites dans le lan
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT

## Les traffiques internes sortent avec IP Externe
iptables -t nat -A POSTROUTING -o eth1 -s
192.168.1.0/24 -j SNAT --to 192.168.192.70

## Permet les pacquets de sortir du LAN
iptables -A FORWARD -m state --state NEW,ESTABLISHED
-i eth0 -s 192.168.1.0/24 -j ACCEPT

## Permet les pacquets de retourner vers le LAN
##iptables -A FORWARD -m state --state
ESTABLISHED,RELATED -i eth1 -d 192.168.1.0/24 -j
ACCEPT
iptables -A FORWARD -m state --state
ESTABLISHED,RELATED -i eth1 -s ! 192.168.1.0/24 -j
ACCEPT

## WWW-CACHE
iptables -A INPUT -p tcp -i eth1 --sport 3128 -d
192.168.192.70 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth1 -s 192.168.192.70
--dport 3128 -j ACCEPT

## HTTP Client
iptables -A INPUT -p tcp -i eth1 --sport 80 -d
192.168.192.70 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth1 --dport 80 -s
192.168.192.70 -j ACCEPT

Please, could someone help me to sort the problem.

Thanks

A+

S.

--
Shafeek Sumser
	
		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - You care about security. So do we. 
http://promotions.yahoo.com/new_mail