On Tuesday 2006-February-07 17:57, Bill L wrote:
> First email list post! Wow!
> Xtreme Linux newbie

I hope it works out well for you.

> I have been trying to get iptables/squid/Dansguardian
> to work together but I am quite good at screwing
> things up. Machine is an FC4 box
>
> My iptables won't start, I tried to install 1.3.5
> (currently running 1.3.0) but screwed that up. I

Wrong solution.

> managed to go back to 1.3.0. Here is some output:
> [root@Leavenworth ~]# service iptables start
> Flushing firewall rules:
> [ OK ]
> Setting chains to policy ACCEPT: filter
> [ OK ]
> Unloading iptables modules:
> [ OK ]
> Applying iptables firewall rules: iptables-restore:
> line 24 failed

This tells you to look at line 24 in your rules file.

> This is the output of: cat /etc/sysconfig/iptables:

snip

> *filter

snip

> :RH-Firewall-1-INPUT - [0:0]

This, BTW, is not a very good ruleset. If you want to learn iptables, it's probably not that difficult if 1. you understand some basics of TCP/IP, and 2. you start with a good HOWTO. I like Rusty's Packet Filtering Guide at netfilter.org. You can write a very strong yet simple ruleset by following those instructions. He even has a "really quick" example.

If you're not ready (or are never ready) to do that, fret not, many adequate ready-made scripts and rulesets are available. But in any case, I would toss that Fedora default firewall.

> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp
> --dport 5353 -j ACCEPT

I don't know what this is.

> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

You definitely do not want CUPS open to the outside world. And I thought CUPS was TCP anyway ...

> -A RH-Firewall-1-INPUT -m state --state
> RELATED,ESTABLISHED -j ACCEPT

I put this rule much higher, first or second.

> # Generated by webmin

Apparently you have found a bug in Webmin.

> # Forward HTTP connections to Squid proxy
> -A PREROUTING -p tcp -m tcp -s 8080 --dport 80 -j
> REDIRECT --to-ports 3128
> COMMIT

This cannot work because there is no "nat" table section here. Just run this command at a root shell[1]:

iptables -vt nat -A PREROUTING -p tcp -s 8080 --dport 80 \
    -j REDIRECT --to-ports 3128

But, I have done these transparent HTTP proxy servers before, and that does not look right. Please see the example in the squid documentation. Change that to use the Dansguardian port, likely 8080. You want to redirect outgoing HTTP traffic to Dansguardian, right?

iptables -vt nat -I PREROUTING -p tcp -i $LAN_IF --dport 80 \
    -j REDIRECT --to-ports 8080

> If I do an iptables-save > firewall-config this is
> what the file ends up with:

Yes, basically the same thing.

> because I think it is messing me up! Is there a way of
> "deleting" the script and iptables making me a nice
> new one without any errors?

Run the REDIRECT command; "iptables-save > /etc/sysconfig/iptables" saves it for posterity (or at least the next successful reboot.)

[1] If you really want to be successful with Linux, you will want to become acquainted and proficient with /bin/bash.

--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
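An added example, not from this thread: a POSIX shell script that writes a complete iptables-restore file with the transparent-proxy REDIRECT in its own *nat section, and a static check that flags the two defects in the posted file (a nat rule under *filter, and a port given to -s). The LAN interface eth1 and the Dansguardian port 8080 are assumptions.

```shell
# Constructed input: the rules file from the post, with the REDIRECT rule
# sitting in the *filter section (this is what iptables-restore rejects).
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -s 8080 --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

# Emit a complete iptables-restore file: a filter section, then a *nat
# section holding the transparent-proxy REDIRECT, matched on the LAN
# interface only so traffic arriving from the outside is never redirected.
gen_rules() {  # $1 = LAN interface (assumed eth1), $2 = proxy port (assumed 8080)
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $1 -p tcp --dport $2 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-ports $2
COMMIT
EOF
}

# Static check of a rules file on stdin. Flags a PREROUTING/POSTROUTING or
# REDIRECT rule outside *nat, and a -s/-d given a bare port instead of an
# address. Prints one line per finding; exit status is the finding count.
check_rules() {
  awk 'BEGIN { n = 0 }
    /^\*/ { table = substr($0, 2); next }
    /^(#|:|COMMIT)/ || /^$/ { next }
    /^-A (PREROUTING|POSTROUTING) / && table != "nat" {
      printf "line %d: chain %s belongs in *nat, not *%s\n", NR, $2, table; n++ }
    / -j REDIRECT/ && table != "nat" {
      printf "line %d: REDIRECT target only exists in the nat table\n", NR; n++ }
    / -[sd] [0-9]+( |$)/ {
      printf "line %d: -s/-d take an address, not a port\n", NR; n++ }
    END { exit n }'
}
```

Run `gen_rules eth1 8080 > /etc/sysconfig/iptables` only after `gen_rules eth1 8080 | check_rules` reports nothing; the filter INPUT rule for the proxy port is needed because redirected LAN packets are delivered locally.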