[squid-users] Squid and iptables - need help

From: Gregori Parker <gregori@dont-contact.us>
Date: Fri, 3 Feb 2006 11:25:02 -0800

I have just deployed a cluster of squid caching servers in reverse proxy
mode, and am having trouble with iptables. When iptables is turned on,
I can hit the caching servers, but squid times out trying to pull from
the origin servers (in our other datacenters).

I'm thinking that if I add outgoing rules for our other datacenters,
everything should be fine, but they are now in production and I can't
simply test at will. I'm planning on adding these lines; can anyone
tell me if this will fix my timeout problem when squid tries to pull
from the origin servers? I'm green on iptables configuration, so any
advice in general is welcome! Sorry for the long email, and thank you!

Lines I plan to add:

# Allow anything *to* our various datacenters
$IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX.XX.X/26 -p all -j ACCEPT

Or maybe I can just add this instead:

$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Here's the current iptables script:
-------------------------------------------------------------------------
#!/bin/sh

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all chains
$IPTABLES --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow anything from our various datacenters
$IPTABLES -A INPUT -s XX.XX.XXX.XXX/26 -p all -j ACCEPT
$IPTABLES -A INPUT -s XX.XX1.XXX.X/26 -p all -j ACCEPT
$IPTABLES -A INPUT -s XX.XX.XX.X/26 -p all -j ACCEPT

# Allow incoming port 22 (ssh) connections on external interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT

# Allow incoming port 4827 (squid-htcp) connections on external interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 4827 -m state \
--state NEW -j ACCEPT

# Allow incoming port 80 (http) connections on external interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state \
--state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS
$IPTABLES -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
--state NEW -j ACCEPT

# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state \
--state NEW -j ACCEPT

# allow anything on the trusted interface
$IPTABLES -A INPUT -i $LAN -p all -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -p all -j ACCEPT

# Have these rules take effect when iptables is started
/sbin/service iptables save

--------------------------------------------------------------
Received on Fri Feb 03 2006 - 12:25:04 MST
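
An added example, not code from the post or from Squid: a small Python model of the OUTPUT chain above, showing why squid's first SYN to an origin server (a NEW connection to conntrack) falls through every rule to the DROP policy, and how the proposed per-datacenter rule changes that. The interface names come from the script; the datacenter prefix, the origin address and the narrower tcp/80 rule are assumptions.

```python
# Added example (not code from the post): a first-match evaluator for the
# OUTPUT chain above. It models only iptables' rule/default-policy logic;
# addresses are constructed placeholders for the post's XX.XX.XXX.XXX nets.
from ipaddress import ip_address, ip_network

INTERNET, LAN = "eth0", "eth1"
DATACENTER_NET = "203.0.113.0/26"  # stand-in for one datacenter prefix
NEW = {"NEW"}

def matches(rule, pkt):
    """True if every criterion in the rule matches the packet."""
    for key, want in rule.items():
        if key == "dst_net":
            if ip_address(pkt["dst"]) not in ip_network(want):
                return False
        elif key == "state":
            if pkt["state"] not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(chain, pkt, policy="DROP"):
    """iptables semantics: the first matching rule wins, else default policy."""
    for rule, target in chain:
        if matches(rule, pkt):
            return target
    return policy

def output_chain(extra=()):
    """The post's OUTPUT rules (loopback omitted) plus any proposed additions."""
    return [
        ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
        ({"proto": "icmp"}, "ACCEPT"),
        ({"out_if": INTERNET, "proto": "udp", "dport": 53, "state": NEW}, "ACCEPT"),
        ({"out_if": INTERNET, "proto": "tcp", "dport": 53, "state": NEW}, "ACCEPT"),
        ({"out_if": INTERNET, "proto": "udp", "dport": 123, "state": NEW}, "ACCEPT"),
        ({"out_if": LAN}, "ACCEPT"),
    ] + list(extra)

# Squid's SYN toward an origin server: conntrack classifies it as NEW, and
# nothing in the chain accepts NEW tcp/80 out of eth0, so the DROP policy applies.
SQUID_FETCH = {"out_if": INTERNET, "proto": "tcp", "dst": "203.0.113.10",
               "dport": 80, "state": "NEW"}
TO_DATACENTER = ({"dst_net": DATACENTER_NET}, "ACCEPT")  # the post's proposal
TO_ORIGIN_HTTP = ({"out_if": INTERNET, "proto": "tcp", "dport": 80, "state": NEW}, "ACCEPT")  # narrower alternative (assumption)
```

The post's second alternative, accepting all NEW output, would also let the fetch through but amounts to no egress filtering at all (only INVALID packets would still be dropped), so a per-destination or per-port rule keeps the outbound policy meaningful.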

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST