didn't mean to be terse... what the logs are saying to me is this: I am dropping a TCP packet with flags A,P,F in my OUTPUT chain from 192.168.1.1:80 to 192.168.1.15:3582

do you have something along the lines of:

  -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

at the top of your INPUT and OUTPUT chains? it appears to me that your rules are not properly allowing replies from the Squid box back to the client machine.

-j

-----Original Message-----
From: Jim Matthews [mailto:jim.matthews@xxxxxxxxxxxxxx]
Sent: Tuesday, July 20, 2004 1:55 PM
To: Jason Opperisano
Subject: RE: Squid Accelerator configuration

Jason

Thanks for the response. I'm not sure I understand what this line is doing. Should I be replacing any of my entries with this line or appending this line? I tried adding the line (I added it below my other 2 http rules) and it's still not connecting.

192.168.1.1 - Squidbox
192.168.1.15 - Client

Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3582 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3583 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3584 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:46 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=38915 DF PROTO=TCP SPT=80 DPT=3577 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:48 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1152 TOS=0x00 PREC=0x00 TTL=64 ID=38915 DF PROTO=TCP SPT=80 DPT=3578 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:49 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3579 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:50 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3580 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:50 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=19532 DF PROTO=TCP SPT=80 DPT=3581 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:51 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3582 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:51 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3583 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:51 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3584 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:54 squidbox52 kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1485 TOS=0x00 PREC=0x00 TTL=64 ID=38915 DF PROTO=TCP SPT=80 DPT=3576 WINDOW=10720 RES=0x00 ACK PSH FIN URGP=0

Thanks again for your help and any additional help you could provide.
---------------------
Jim Matthews
ISS Systems Administrator
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: jim.matthews@xxxxxxxx
Voice: 919-660-5963
Fax: 919-684-6990

"Jason Opperisano" <Jopperisano@xxxxxxxxxxxxxxxx>
07/20/2004 01:35 PM

To: "Jim Matthews" <jim.matthews@xxxxxxxxxxxxxx>, <netfilter@xxxxxxxxxxxxxxxxxxx>
cc:
Subject: RE: Squid Accelerator configuration

  -A OUTPUT -p tcp --syn -s 192.168.1.1 --sport 1024: -d 192.168.1.5 --dport 80 -j ACCEPT

-j

-----Original Message-----
From: Jim Matthews [mailto:jim.matthews@xxxxxxxxxxxxxx]
Sent: Thursday, July 15, 2004 10:46 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Squid Accelerator configuration

Hi

We have a backend web server. To off-load some of the load from the backend server, we have a Squid server in front. I am having an issue with my iptables configuration on my Squid box. Everything works correctly when I disable the firewall (no good), so I'm having problems with my rules on the Squid server.

I want to configure the systems so that:

-On Squid-
-allow all requests from Internet to port 80
-allow all requests from WWW box to/from port 80

-On WWW-
-allow all forwarded requests to/from Squid Box to port 80
-do not allow requests from Internet to port 80

Has anyone set up something similar? Any suggestions or pointers on how to configure this?

Here is the ruleset I'm using on my Squid box:

# Squid
# These rules are to allow testing from the internal network - the first two rules are for the Squid port
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport squid -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --sport squid -m state --state ESTABLISHED -j ACCEPT
# These two rules are for the http port
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --sport http -m state --state ESTABLISHED -j ACCEPT
# These two rules should cover the forwarding of connections for the backend WWW server
-A FORWARD -s 0/0 -d 192.168.1.5 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -d 0/0 -s 192.168.1.5 -p TCP -m state --state ESTABLISHED -j ACCEPT

Any help you could give would be greatly appreciated. Thanks.

---------------------
Jim Matthews
ISS Systems Administrator
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: jim.matthews@xxxxxxxx
Voice: 919-660-5963
Fax: 919-684-6990
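The two pieces of advice in the thread (a conntrack accept at the top of INPUT and OUTPUT, and an OUTPUT rule that lets the Squid box open new connections to 192.168.1.5:80) combine into the rulesets below. This is an added example, not the configuration of either poster: it keeps the addresses from the thread (192.168.1.1 for Squid, 192.168.1.5 for the backend), and the LAN range, the Squid port 3128 testing rule, the loopback rules and the log prefixes are assumptions. A Squid accelerator terminates the client's TCP connection and opens its own connection to the backend, so the accelerator traffic is handled entirely in INPUT and OUTPUT; the FORWARD rules in the posted ruleset are never consulted for it.

```shell
#!/bin/sh
# Added example (not from the thread): stateful rulesets for the Squid
# accelerator and the backend WWW host, in iptables-restore format.
# Assumptions: SQUID and WWW addresses as in the thread; LAN is only used
# for the internal-testing rule on Squid's native port (3128).
SQUID=192.168.1.1
WWW=192.168.1.5
LAN=192.168.1.0/24

# Squid terminates the client's TCP connection on :80 and opens its own
# connection to $WWW:80, so nothing here traverses FORWARD. The conntrack
# accept sits first in INPUT and OUTPUT so that every packet of a flow the
# kernel already tracks (the ACK,PSH,FIN segments in the log included) is
# passed before any port-specific rule is consulted.
squid_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# anyone may open a connection to the accelerator on port 80
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# internal testing against Squid's native port
-A INPUT -p tcp -s $LAN --dport 3128 -m state --state NEW -j ACCEPT
# Squid itself originates the connections to the backend; the posted OUTPUT
# chain had no rule admitting a new outbound connection at all
-A OUTPUT -p tcp -s $SQUID -d $WWW --dport 80 -m state --state NEW -j ACCEPT
# log whatever falls through, with the same prefix the thread's kernel log shows
-A INPUT -j LOG --log-prefix "drop-n-log:"
-A OUTPUT -j LOG --log-prefix "drop-n-log:"
COMMIT
EOF
}

# The backend accepts new HTTP connections from the Squid box only; a direct
# request from the Internet to port 80 is logged and then hits the DROP policy.
www_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $SQUID --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -j LOG --log-prefix "www-bypass:"
COMMIT
EOF
}

# Self-checks to run before loading a ruleset with "squid_ruleset | iptables-restore":
# how many rules admit NEW connections to port 80, and whether the conntrack
# accept really precedes the first NEW rule (the "at the top" advice).
count_new_port80() {
    "$1" | grep -c -- '--dport 80 -m state --state NEW -j ACCEPT'
}
conntrack_rule_is_first() {
    est=$("$1" | grep -n -- '--state ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    new=$("$1" | grep -n -- '--state NEW' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}
```

Load each ruleset on its own host (`squid_ruleset | iptables-restore` on the Squid box, `www_ruleset | iptables-restore` on the WWW box). `-m state` is the match the thread uses and still loads as an alias; on current kernels the maintained spelling is `-m conntrack --ctstate ESTABLISHED,RELATED`.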
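Jason's diagnosis comes from reading three fields of each `drop-n-log:` line: `IN=` empty with `OUT=eth0` means the OUTPUT chain, `SPT=80` means the packet leaves the listening port, and `ACK PSH FIN` without `SYN` means it belongs to a flow conntrack already knows. The script below is an added example, not part of the thread, that does that triage over a log: it groups dropped packets by chain, protocol, source socket, destination and TCP flags, and labels each group `reply` (ACK set) or `new` (bare SYN). The sample input is constructed for the example: two lines in the thread's format plus a made-up inbound SYN from 10.9.8.7 to port 22, so that more than one chain appears in the summary.

```shell
#!/bin/sh
# Added example (not from the thread): triage of iptables LOG lines in the
# format the thread shows. SAMPLE_LOG is constructed for this example.
SAMPLE_LOG='Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3582 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3583 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:40 squidbox kernel: drop-n-log:IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Read LOG lines on stdin and print one summary line per flow signature:
#   <count> <chain> <proto> <src:sport> -> <dst> [<tcp flags>] <new|reply> dports <lo>-<hi>
# The chain is inferred from the interface fields: only IN= set is INPUT,
# only OUT= set is OUTPUT, both set is FORWARD. A bare SYN is a connection
# attempt; anything carrying ACK belongs to a flow conntrack already tracks,
# so a "reply" drop out of a listening port is the signature of a missing
# ESTABLISHED,RELATED accept ahead of the port-specific rules.
summarize_drops() {
    awk '
    /drop-n-log:/ {
        in_if = ""; out_if = ""; src = ""; dst = ""; proto = ""; spt = ""; dpt = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            f = $i
            # the log prefix is glued to IN=, so accept both "IN=" and "...:IN="
            if (f ~ /^IN=/ || f ~ /:IN=/) { sub(/.*IN=/, "", f); in_if = f }
            else if (f ~ /^OUT=/)   out_if = substr(f, 5)
            else if (f ~ /^SRC=/)   src = substr(f, 5)
            else if (f ~ /^DST=/)   dst = substr(f, 5)
            else if (f ~ /^PROTO=/) proto = substr(f, 7)
            else if (f ~ /^SPT=/)   spt = substr(f, 5)
            else if (f ~ /^DPT=/)   dpt = substr(f, 5)
            else if (f ~ /^(SYN|ACK|PSH|FIN|RST|URG)$/) flags = flags (flags == "" ? "" : ",") f
        }
        if (in_if != "" && out_if != "") chain = "FORWARD"
        else if (in_if != "")            chain = "INPUT"
        else                             chain = "OUTPUT"
        kind = (flags ~ /ACK/) ? "reply" : "new"
        key = chain " " proto " " src ":" spt " -> " dst " [" flags "] " kind
        count[key]++
        if (!(key in lo) || dpt + 0 < lo[key]) lo[key] = dpt + 0
        if (!(key in hi) || dpt + 0 > hi[key]) hi[key] = dpt + 0
    }
    END {
        for (k in count) printf "%d %s dports %d-%d\n", count[k], k, lo[k], hi[k]
    }' | sort -rn
}

# Run the triage over the constructed sample; on a real box feed it
# "grep drop-n-log: /var/log/messages" instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample this yields one `OUTPUT TCP 192.168.1.1:80 -> 192.168.1.15 [ACK,PSH,FIN] reply` group spanning the client's ephemeral ports and one `INPUT ... [SYN] new` group; the first is the pattern Jason read off the thread's log, the second is ordinary unsolicited traffic that a DROP policy is supposed to catch.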