Thanks Chris, I got rid of a lot of redundancy and replaced general
rules with much more specific ones (e.g. SSH et al have source/destination ip
space constraints)...everything seems to be working fine now!
-----Original Message-----
From: Chris Robertson [mailto:crobertson@gci.com] 
Sent: Monday, February 06, 2006 10:59 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid and iptables - need help
Hi...
> -----Original Message-----
> From: Gregori Parker [mailto:gregori@playstream.com]
> Sent: Friday, February 03, 2006 10:25 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Squid and iptables - need help
> 
> 
> I have just deployed a cluster of squid caching servers in 
> reverse proxy
> mode, and am having trouble with iptables.  When iptables is 
> turned on,
> I can hit the caching servers, but squid times out trying to pull from
> the origin servers (in our other datacenters).
> 
> I'm thinking that if I add outgoing rules for our other datacenters,
> everything should be fine, but they are now in production and I can't
> simply test at will...I'm planning on adding these lines, can anyone
> tell me if this will fix my timeout problem when squid tries to pull
> from the origin servers?  I'm green on iptables configuration, so any
> advice in general is welcome!  Sorry for the long email, and 
> thank you!
> 
> Lines I plan to add:
> 
> # Allow anything *to* our various datacenters
> $IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT
> $IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT
> $IPTABLES -A OUTPUT -d XX.XX.XX.X/26 -p all -j ACCEPT
> 
Replace. Don't add...
> 
> Or maybe I can just add this instead:
> 
> $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
This would be the same thing as "$IPTABLES --policy OUTPUT ACCEPT".
> 
> Here's the current iptables script:
> -------------------------------------------------------------------------
> #!/bin/sh
> 
> LAN="eth1"
> INTERNET="eth0"
> IPTABLES="/sbin/iptables"
> 
> # Drop ICMP echo-request messages sent to broadcast or multicast addresses
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> 
> # Drop source routed packets
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> 
> # Enable TCP SYN cookie protection from SYN floods
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> 
> # Don't accept ICMP redirect messages
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> 
> # Don't send ICMP redirect messages
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
> 
> # Enable source address spoofing protection
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
> 
> # Log packets with impossible source addresses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> 
> # Flush all chains
> $IPTABLES --flush
> 
> # Allow unlimited traffic on the loopback interface
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
> 
> # Set default policies
> $IPTABLES --policy INPUT DROP
> $IPTABLES --policy OUTPUT DROP
> $IPTABLES --policy FORWARD DROP
> 
> # Previously initiated and accepted exchanges bypass rule checking
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
Change these lines...
> # Allow anything from our various datacenters
> $IPTABLES -A INPUT -s XX.XX.XXX.XXX/26 -p all -j ACCEPT
> $IPTABLES -A INPUT -s XX.XX1.XXX.X/26 -p all -j ACCEPT
> $IPTABLES -A INPUT -s XX.XX.XX.X/26 -p all -j ACCEPT
> 
...to...
# Allow anything to our various datacenters
$IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX.XXX.X/26 -p all -j ACCEPT
... and Squid will be able to query your datacenters.  Responses will be
allowed by the "--state ESTABLISHED,RELATED" rule.  It would probably be
a good idea to make this rule a bit more stringent (only allow TCP on
port 80, or what-have-you).  But it's a good start.
> # Allow incoming port 22 (ssh) connections on external interface
> $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state \
> --state NEW -j ACCEPT
> 
I'd REALLY strongly recommend you limit which hosts can connect to port
22.  There is no shortage of SSH scanners in the wild.
> # Allow incoming port 4827 (squid-htcp) connections on external interface
> $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 4827 -m state \
> --state NEW -j ACCEPT
> 
> # Allow incoming port 80 (http) connections on external interface
> $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state \
> --state NEW -j ACCEPT
> 
> # Allow ICMP ECHO REQUESTS
> $IPTABLES -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j ACCEPT
> $IPTABLES -A INPUT -p icmp -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp -j ACCEPT
> 
> 
> # Allow DNS resolution
> $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
> --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
> --state NEW -j ACCEPT
> 
> # Allow ntp synchronization
> $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state \
> --state NEW -j ACCEPT
> 
> # allow anything on the trusted interface
> $IPTABLES -A INPUT -i $LAN -p all -j ACCEPT
> $IPTABLES -A OUTPUT -o $LAN -p all -j ACCEPT
> 
> # Have these rules take effect when iptables is started
> /sbin/service iptables save
> 
> --------------------------------------------------------------
> 
> 
Chris
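The ruleset Chris describes above (replace the INPUT -s rules with OUTPUT -d rules so Squid's own fetches get out, tighten them from "-p all" to TCP/80, and limit SSH to known hosts), written out as one complete script. This is an added example, not the script posted to the list and not Squid's own code. It assumes RFC 5737 documentation networks in place of the XX.XX placeholders, the same eth0/eth1 naming and RHEL-style "service iptables save" as the original, and a small wrapper function named ipt that prints each rule in dry-run mode instead of executing it, so the ruleset can be reviewed before it is applied on a production cache. It also carries HTCP on UDP/4827, which is what RFC 2756 specifies, rather than the TCP/4827 in the posted script.

```shell
#!/bin/sh
# Hardened iptables ruleset for a Squid reverse proxy (added example).
# Defaults to a dry run that prints the rules; set APPLY=1 to execute them.
#
#   ./squid-fw.sh           # print the rules that would be applied
#   APPLY=1 ./squid-fw.sh   # apply with /sbin/iptables and save

LAN="${LAN:-eth1}"
INTERNET="${INTERNET:-eth0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"
if [ "${APPLY:-0}" = 1 ]; then DRY_RUN=0; fi

# Assumed address space (RFC 5737 documentation ranges, not real hosts).
# Space-separated lists; the for-loops below depend on word splitting.
ORIGIN_NETS="${ORIGIN_NETS:-192.0.2.0/26 198.51.100.0/26}"  # origin servers in other datacenters
CACHE_PEERS="${CACHE_PEERS:-192.0.2.0/26}"                  # caches allowed to exchange HTCP
ADMIN_NETS="${ADMIN_NETS:-203.0.113.0/28}"                  # the only hosts allowed to SSH in

# Wrapper: print the rule in dry-run mode, otherwise run it.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    "$IPTABLES" "$@"
  fi
}

generate_rules() {
  ipt --flush

  # Loopback is unrestricted
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT

  # Default deny in every direction; everything below is an explicit exception
  ipt --policy INPUT DROP
  ipt --policy OUTPUT DROP
  ipt --policy FORWARD DROP

  # Replies to connections this host accepted or opened
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Squid fetching from the origins is OUTBOUND, so the exception belongs in
  # OUTPUT with -d, and only for new TCP/80 connections, not "-p all"
  for net in $ORIGIN_NETS; do
    ipt -A OUTPUT -o "$INTERNET" -d "$net" -p tcp --dport 80 -m state --state NEW -j ACCEPT
  done

  # Clients reach the reverse proxy on TCP/80 from anywhere
  ipt -A INPUT -i "$INTERNET" -p tcp --dport 80 -m state --state NEW -j ACCEPT

  # HTCP (RFC 2756) is UDP/4827; only configured cache peers may send or receive it
  for net in $CACHE_PEERS; do
    ipt -A INPUT -i "$INTERNET" -s "$net" -p udp --dport 4827 -j ACCEPT
    ipt -A OUTPUT -o "$INTERNET" -d "$net" -p udp --dport 4827 -m state --state NEW -j ACCEPT
  done

  # SSH only from the admin networks; no unrestricted port-22 rule
  for net in $ADMIN_NETS; do
    ipt -A INPUT -i "$INTERNET" -s "$net" -p tcp --dport 22 -m state --state NEW -j ACCEPT
  done

  # Answer pings; allow the ICMP this host generates (e.g. port unreachable)
  ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  ipt -A OUTPUT -p icmp -j ACCEPT

  # DNS and NTP, outbound only
  ipt -A OUTPUT -o "$INTERNET" -p udp --dport 53 -m state --state NEW -j ACCEPT
  ipt -A OUTPUT -o "$INTERNET" -p tcp --dport 53 -m state --state NEW -j ACCEPT
  ipt -A OUTPUT -o "$INTERNET" -p udp --dport 123 -m state --state NEW -j ACCEPT

  # Trusted LAN side
  ipt -A INPUT -i "$LAN" -j ACCEPT
  ipt -A OUTPUT -o "$LAN" -j ACCEPT

  # Log (rate limited) whatever falls through to the DROP policy, so the next
  # "squid times out" report can be traced to a specific dropped packet
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "squid-fw INPUT drop: "
  ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "squid-fw OUTPUT drop: "
}

generate_rules
if [ "$DRY_RUN" = 0 ]; then
  /sbin/service iptables save   # persist across restarts, RHEL-style as in the original
fi
```

Run it once without APPLY and read the printed rules: there should be no "-p all" anywhere, every port-22 rule should carry an -s from ADMIN_NETS, and the only OUTPUT -d rules should point at the origin and peer networks on TCP/80 and UDP/4827. Once the on-box Squid can fetch from the origins with the LOG lines staying quiet, the same script can be re-run with APPLY=1.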
Received on Mon Feb 06 2006 - 13:52:24 MST
This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST