netfilter-admin@xxxxxxxxxxxxxxxxxxx wrote on 07/19/2004 05:00:10 PM:

> On Monday 19 July 2004 9:33 pm, Jim Matthews wrote:
>
> > Antony
> >
> > Thanks for the reply.
> >
> > I added port 113 to the "allow" list and when I tried to reconnect to the
> > Squid box, those 113 port packets are still being dropped. Any idea why
> > the port 80 packets are being dropped as well? I think my rules are set up
> > correctly, so I'm not sure why they're not being allowed. I'm attaching
> > my rules if someone would like to take a look and see what's happening.
>
> Maybe my earlier explanation was not entirely clear.
>
> The squid *server* is the ident *client* - it initiates the connection to the
> ident server running on the http client.
>
> The rules for TCP port 113 in your ruleset seem to assume the opposite - that
> one machine is both http and ident client, and the other machine is both http
> and ident server.
>
> Antony

Ahh...I see. I've added the following to take care of the ident packets:

-A INPUT -p tcp -m tcp --sport 113 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT

Still getting dropped port 80 packets though:

Jul 20 12:23:40 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43972 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 20 12:25:14 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43972 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 20 12:25:41 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43973 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 20 12:26:27 squidbox last message repeated 4 times
Jul 20 12:27:15 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43973 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 20 12:27:24 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30836 DF PROTO=TCP SPT=43974 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Do I not have my rules in the correct order? Sorry to keep bugging about this issue. I thought I had solved it, but it's still not behaving correctly.
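As an added example, not part of the thread: a small Python parser for the kernel LOG lines quoted above. It recovers which filter chain logged each packet from the IN=/OUT= fields (empty IN means locally generated, i.e. OUTPUT; empty OUT means addressed to this host, i.e. INPUT) and tallies drops by destination, port and whether the packet was a bare SYN. The sample lines are constructed in the thread's format; the last one, an inbound ident reply, is invented for illustration.

```python
import re
from collections import Counter

# Constructed sample in the same kernel LOG format as the thread above
# (the last line is an invented inbound ident reply, not from the thread).
SAMPLE_LOG = """\
Jul 20 12:23:40 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43972 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 20 12:25:41 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43973 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 20 12:26:27 squidbox last message repeated 4 times
Jul 20 12:27:24 squidbox kernel: drop-n-log:IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30836 DF PROTO=TCP SPT=113 DPT=44000 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line (plus prefix and TCP flags), or None."""
    if "kernel:" not in line or "IN=" not in line:
        return None                      # e.g. "last message repeated N times"
    _, _, payload = line.partition("kernel: ")
    prefix, _, rest = payload.partition("IN=")
    fields = dict(KV_RE.findall("IN=" + rest))
    fields["prefix"] = prefix.strip()    # the --log-prefix, here "drop-n-log:"
    fields["flags"] = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return fields


def chain_of(fields):
    """Infer the filter chain from the interfaces: empty IN means the packet was
    generated locally (OUTPUT), empty OUT means it was addressed to this host
    (INPUT), both set means it was being routed through (FORWARD)."""
    if fields.get("IN") and fields.get("OUT"):
        return "FORWARD"
    return "OUTPUT" if fields.get("OUT") else "INPUT"


def summarize(log_text):
    """Count logged packets by (chain, proto, dst, dport, is_new_connection)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        new_conn = f["flags"] == {"SYN"}  # bare SYN: a fresh connection attempt
        counts[(chain_of(f), f.get("PROTO"), f.get("DST"), f.get("DPT"), new_conn)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, key)
```

Run against the thread's lines, every entry lands in the OUTPUT bucket as a new connection to port 80, which tells you which chain's rules to look at first.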