RE: Squid Accelerator configuration

heh--nudging myself...you'll most likely also need a rule to allow the squid machine to do DNS lookups:

	-A OUTPUT -p udp --dport 53 -j ACCEPT

-j

-----Original Message-----
From: Jason Opperisano 
Sent: Tuesday, July 20, 2004 4:41 PM
To: 'Jim Matthews'
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Squid Accelerator configuration


i think i have it straight in my head now.  let's start over, 'cause i think this has gotten unnecessarily complicated.  my understanding is that you want to:

(a) allow internal clients (192.168.1.0/24) to access a squid proxy on 192.168.1.1 (port 3128?)
(b) allow the squid proxy on 192.168.1.1 to fetch content from a web server on 192.168.1.5 and serve cached content to those clients on 192.168.1.0/24
(c) allow clients from elsewhere (the internet) to access the web server directly

*IF* that's the case--here are the _relevant_ rules to accomplish the above (i've now switched them to the "j" style of writing rules):

# first things first--allow all established replies
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow 192.168.1.0/24 to squid proxy
-A INPUT -p tcp --syn -s 192.168.1.0/24 --sport 1024:65535 \
  -d 192.168.1.1 --dport 3128 -m state --state NEW -j ACCEPT

#allow squid proxy to go fetch content from backend web server
-A OUTPUT -p tcp --syn -s 192.168.1.1 --sport 1024:65535 \
  -d 192.168.1.5 --dport 80 -m state --state NEW -j ACCEPT

# allow forwarding of requests (from anywhere) to fetch content from the web server
-A FORWARD -p tcp --syn --sport 1024:65535 \
  -d 192.168.1.5 --dport 80 -m state --state NEW -j ACCEPT

if i've lost my mind somewhere along the way--please nudge me back to reality.

-j

-----Original Message-----
From: Jim Matthews [mailto:jim.matthews@xxxxxxxxxxxxxx]
Sent: Tuesday, July 20, 2004 3:50 PM
To: Jason Opperisano
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Squid Accelerator configuration


Jason

No problem, thanks for helping. 

My rules are all whacked out now, I'm sure.  Here's what I have:

# Squid
# These rules are to allow testing from the internal network - the first two rules are for the Squid ports
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport squid -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --sport squid -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept 113 connections
-A INPUT -p tcp -m tcp --sport 113 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 113 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# These two rules are for the http port
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --sport http -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --syn -s 192.168.1.1 --sport 1024: -d 192.168.1.5 --dport 80 -j ACCEPT

# These two rules should cover the forwarding of connections for the backend WWW server
-A FORWARD -s 0/0 -d 192.168.1.5 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -d 0/0 -s 192.168.1.5 -p TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

It sortof works now.  I can access pages that have been cached on the 
Squid box, but if I need a page that isn't cached, I never get it. 

Thanks.
---------------------
Jim Matthews 
ISS Systems Administrator 
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: jim.matthews@xxxxxxxx
Voice: 919-660-5963
Fax: 919-684-6990



"Jason Opperisano" <Jopperisano@xxxxxxxxxxxxxxxx> 
07/20/2004 02:03 PM

To
"Jim Matthews" <jim.matthews@xxxxxxxxxxxxxx>
cc
<netfilter@xxxxxxxxxxxxxxxxxxx>
Subject
RE: Squid Accelerator configuration
didn't mean to be terse...

what the logs are saying to me is this:  i am dropping a TCP packet with 
flags A,P,F in my OUTPUT chain from 192.168.1.1:80 to 192.168.1.15:3582

do you have something along the lines of:

    "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

at the top of your INPUT and OUTPUT chains?

it appears to me that your rules are not properly allowing replies from 
the Squid box back to the client machine.

-j
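As an added example (not part of this thread), here is a small script that reads netfilter LOG lines of the kind quoted in this thread the way Jason reads them above: it derives the chain from which interface fields are set (IN= only is INPUT, OUT= only is OUTPUT, both is FORWARD), prints the flow and TCP flags, and labels a dropped non-SYN packet as a reply that an early ESTABLISHED,RELATED rule should have matched. The first sample line is one of the drop-n-log entries from the thread; the second is constructed to show the other case.

```python
import re

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
FLAG_ORDER = ["SYN", "ACK", "PSH", "FIN", "RST", "URG"]

# Constructed sample input: line 1 is quoted from the thread, line 2 is invented
# (a client SYN to the squid port dropped in INPUT) to exercise the other branch.
SAMPLE_LOG = """\
Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3582 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:52:10 squidbox kernel: drop-n-log:IN=eth0 OUT= SRC=192.168.1.15 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=3590 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_log_line(line):
    """Split a netfilter LOG line into (log prefix, key=value fields, TCP flag set)."""
    m = re.search(r"kernel: (.*?)(IN=.*)$", line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group(2).split():
        if "=" in tok:                  # IN=, OUT=, SRC=, SPT=, ... (value may be empty)
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:          # bare flag words; "DF" is deliberately ignored
            flags.add(tok)
    return m.group(1).rstrip(": "), fields, flags

def chain_of(fields):
    """Only IN= set -> INPUT, only OUT= set -> OUTPUT, both set -> FORWARD."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    return {(True, False): "INPUT", (False, True): "OUTPUT"}.get((has_in, has_out), "FORWARD")

def verdict(flags):
    """A bare SYN is a new connection; anything else is mid-stream or a reply."""
    if "SYN" in flags and "ACK" not in flags:
        return "new connection: needs an ACCEPT for --state NEW on this port"
    return "reply/mid-stream packet: an early '-m state --state ESTABLISHED,RELATED -j ACCEPT' should have matched"

def diagnose(log_text):
    """Return one summary dict per dropped TCP packet, as a human would read it."""
    out = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if not parsed or parsed[1].get("PROTO") != "TCP":
            continue
        prefix, f, flags = parsed
        out.append({
            "prefix": prefix, "chain": chain_of(f),
            "flow": f"{f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']}",
            "flags": ",".join(sorted(flags, key=FLAG_ORDER.index)),
            "verdict": verdict(flags),
        })
    return out

if __name__ == "__main__":
    for d in diagnose(SAMPLE_LOG):
        print(f"{d['chain']:<7} {d['flow']:<34} [{d['flags']}] {d['verdict']}")
```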

-----Original Message-----
From: Jim Matthews [mailto:jim.matthews@xxxxxxxxxxxxxx]
Sent: Tuesday, July 20, 2004 1:55 PM
To: Jason Opperisano
Subject: RE: Squid Accelerator configuration


Jason

Thanks for the response.  I'm not sure I understand what this line is 
doing.  Should I be replacing any of my entries with this line or 
appending this line?  I tried adding the line (I added it below my other 2 
http rules) and it's still not connecting. 

192.168.1.1 - Squidbox
192.168.1.15 - Client


Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3582 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3583 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:39 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3584 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:46 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=38915 DF PROTO=TCP SPT=80 DPT=3577 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:48 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1152 TOS=0x00 PREC=0x00 TTL=64 ID=38915 DF PROTO=TCP SPT=80 DPT=3578 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:49 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3579 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:50 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3580 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:50 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=19532 DF PROTO=TCP SPT=80 DPT=3581 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:51 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3582 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:51 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3583 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:51 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1499 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3584 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 20 13:51:54 squidbox52 kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.15 LEN=1485 TOS=0x00 PREC=0x00 TTL=64 ID=38915 DF PROTO=TCP SPT=80 DPT=3576 WINDOW=10720 RES=0x00 ACK PSH FIN URGP=0

Thanks again for your help and any additional help you could provide.
---------------------
Jim Matthews 
ISS Systems Administrator 
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: jim.matthews@xxxxxxxx
Voice: 919-660-5963
Fax: 919-684-6990



"Jason Opperisano" <Jopperisano@xxxxxxxxxxxxxxxx> 
07/20/2004 01:35 PM

To
"Jim Matthews" <jim.matthews@xxxxxxxxxxxxxx>, 
<netfilter@xxxxxxxxxxxxxxxxxxx>
cc

Subject
RE: Squid Accelerator configuration

-A OUTPUT -p tcp --syn -s 192.168.1.1 --sport 1024: -d 192.168.1.5 --dport 80 -j ACCEPT

-j

-----Original Message-----
From: Jim Matthews [mailto:jim.matthews@xxxxxxxxxxxxxx]
Sent: Thursday, July 15, 2004 10:46 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Squid Accelerator configuration


Hi

We have a backend web server.  To off-load some of the load from the 
backend server, we have a Squid server in front. 

I am having an issue with my iptables configuration on my Squid box. 
Everything works correctly when I disable the firewall (no good), so I'm 
having problems with my rules on the Squid server.  I want to configure 
the systems so that:

-On Squid-
-allow all requests from Internet to port 80
-allow all requests from WWW box to/from port 80

-On WWW-
-allow all forwarded requests to/from Squid Box to port 80
-do not allow requests from Internet to port 80

Has anyone setup something similar?  Any suggestions or pointers on how to 
configure this?

Here is the ruleset I'm using on my Squid box:

# Squid
# These rules are to allow testing from the internal network - the first two rules are for the Squid port
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport squid -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --sport squid -m state --state ESTABLISHED -j ACCEPT

# These two rules are for the http port
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --sport http -m state --state ESTABLISHED -j ACCEPT

# These two rules should cover the forwarding of connections for the backend WWW server
-A FORWARD -s 0/0 -d 192.168.1.5 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -d 0/0 -s 192.168.1.5 -p TCP -m state --state ESTABLISHED -j ACCEPT

Any help you could give would be greatly appreciated.  Thanks.

Thanks.
---------------------
Jim Matthews 
ISS Systems Administrator 
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: jim.matthews@xxxxxxxx
Voice: 919-660-5963
Fax: 919-684-6990
