RE: Squid Accelerator configuration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



didn't mean to be terse...

what the logs are saying to me is this:  i am dropping a TCP packet with flags A,P,F in my OUTPUT chain from 192.168.1.1:80 to 192.168.1.15:3582

do you have something along the lines of:

	"-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
	"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

at the top of your INPUT and OUTPUT chains?

it appears to me that your rules are not properly allowing replies from the Squid box back to the client machine.

-j

-----Original Message-----
From: Jim Matthews [mailto:jim.matthews@xxxxxxxxxxxxxx]
Sent: Tuesday, July 20, 2004 1:55 PM
To: Jason Opperisano
Subject: RE: Squid Accelerator configuration


Jason

Thanks for the response.  I'm not sure I understand what this line is 
doing.  Should I be replacing any of my entries with this line or 
appending this line?  I tried adding the line (I added it below my other 2 
http rules) and it's still not connecting. 

192.168.1.1 - Squidbox
192.168.1.15 - Client


Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
SPT=80 DPT=3582 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
SPT=80 DPT=3583 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
SPT=80 DPT=3584 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:46 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=38915 DF PROTO=TCP 
SPT=80 DPT=3577 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:48 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1152 TOS=0x00 PREC=0x00 TTL=64 ID=38915 DF PROTO=TCP 
SPT=80 DPT=3578 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:49 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
SPT=80 DPT=3579 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:50 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
SPT=80 DPT=3580 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:50 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=19532 DF PROTO=TCP 
SPT=80 DPT=3581 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:51 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
SPT=80 DPT=3582 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:51 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
SPT=80 DPT=3583 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:51 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
SPT=80 DPT=3584 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0 
Jul 20 13:51:54 squidbox52 kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 
DST=192.168.1.15 LEN=1485 TOS=0x00 PREC=0x00 TTL=64 ID=38915 DF PROTO=TCP 
SPT=80 DPT=3576 WINDOW=10720 RES=0x00 ACK PSH FIN URGP=0 

Thanks again for your help and any additional help you could provide.
---------------------
Jim Matthews 
ISS Systems Administrator 
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: jim.matthews@xxxxxxxx
Voice: 919-660-5963
Fax: 919-684-6990



"Jason Opperisano" <Jopperisano@xxxxxxxxxxxxxxxx> 
07/20/2004 01:35 PM

To
"Jim Matthews" <jim.matthews@xxxxxxxxxxxxxx>, 
<netfilter@xxxxxxxxxxxxxxxxxxx>
cc

Subject
RE: Squid Accelerator configuration






-A OUTPUT -p tcp --syn -s 192.168.1.1 --sport 1024: -d 192.168.1.5 --dport 
80 -j ACCEPT

-j

-----Original Message-----
From: Jim Matthews [mailto:jim.matthews@xxxxxxxxxxxxxx]
Sent: Thursday, July 15, 2004 10:46 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Squid Accelerator configuration


Hi

We have a backend web server.  To off-load some of the load from the 
backend server, we have a Squid server in front. 

I am having an issue with my iptables configuration on my Squid box. 
Everything works correctly when I disable the firewall (no good), so I'm 
having problems with my rules on the Squid server.  I want to configure 
the systems so that:

-On Squid-
-allow all requests from Internet to port 80
-allow all requests from WWW box to/from port 80

-On WWW-
-allow all forwarded requests to/from Squid Box to port 80
-do not allow requests from Internet to port 80

Has anyone setup something similar?  Any suggestions or pointers on how to 

configure this?

Here is the ruleset I'm using on my Squid box:

# Squid
# These rules are to allow testing from the internal network - the first 
two rules are for the Squid port
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport squid -m 
state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --sport squid -m state --state 
ESTABLISHED -j ACCEPT

# These two rules are for the http port
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport http -m 
state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --sport http -m state --state 
ESTABLISHED -j ACCEPT

# These two rules should cover the forwarding of connections for the 
backend WWW server
-A FORWARD -s 0/0 -d 192.168.1.5 -p TCP --sport 1024:65535 --dport 80 -j 
ACCEPT
-A FORWARD -d 0/0 -s 192.168.1.5 -p TCP -m state --state ESTABLISHED -j 
ACCEPT

Any help you could give would be greatly appreciated.  Thanks.

Thanks.
---------------------
Jim Matthews 
ISS Systems Administrator 
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: jim.matthews@xxxxxxxx
Voice: 919-660-5963
Fax: 919-684-6990





[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux