Hi all!

I need to set up my gateway (netfilter + squid) to allow LAN hosts direct access to the domain .caixa.gov.br (200.201.160/20). All requests will go on port 80, tcp on the remote end, but the protocol isn't http.

To achieve this I tried adding the following rules to iptables:

  -A FORWARD -s 192.168.1.0/255.255.255.0 -d 200.201.160.0/255.255.240.0 \
    -p tcp --sport 1024:65535 --dport 80 -j ACCEPT

The problem is that packets destined for that rule are still being grabbed by squid, preventing the java app from loading:

  192.168.1.221 TCP_CLIENT_REFRESH_MISS/404 4244 GET http://cmt.caixa.gov.br/COM/arx/pw/SlimCli.class - DIRECT/200.201.173.68 text/html

When I saw that I also tried the following squid.conf acls to allow direct connections to the domain, but the problem persists:

  acl Caixa dstdomain .caixa.gov.br
  always_direct allow Caixa

Can anyone point me in the right direction?

My setup is:

           Internet
              |
  +---------+-----------+
  | eth0 (dynamic IP)   |
  | Squid + netfilter   |
  |eth1 (192.168.1.1/24)|
  +---------+-----------+
              |
            Hosts

kernel version: 2.6.9-10
iptables v1.2.9
Squid Cache: Version 2.5.STABLE6

attached complete squid.conf & iptables rules
iptables rules:

  -A PREROUTING -i ! eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
  -A POSTROUTING -o eth0 -j MASQUERADE
  -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
  -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
  -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
  -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
  -A INPUT -p icmp -j DROP
  -A INPUT -m state --state INVALID -j DROP
  -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
  -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
  -A INPUT -i lo -j ACCEPT
  -A INPUT -i ! eth0 -j ACCEPT
  -A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j drop-reserved
  -A INPUT -s 169.254.0.0/255.255.0.0 -i eth0 -j drop-reserved
  -A INPUT -s 224.0.0.0/240.0.0.0 -i eth0 -j drop-reserved
  -A INPUT -s 240.0.0.0/240.0.0.0 -i eth0 -j drop-reserved
  -A INPUT -d <external ip> -i eth0 -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -d <external ip> -i eth0 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -i eth0 -j DROP
  -A FORWARD -s 192.168.1.0/255.255.255.0 -d 200.201.160.0/255.255.240.0 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
  -A FORWARD -i ! eth0 -j ACCEPT
  -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -j DROP
  -A OUTPUT -p icmp -j ACCEPT
  -A OUTPUT -o lo -j ACCEPT
  -A OUTPUT -j ACCEPT
  -A OUTPUT -s <external ip> -j ACCEPT
  -A OUTPUT -o eth0 -j DROP
  -A drop-lan -j DROP
  -A drop-reserved -j DROP
squid.conf:

  http_port 3128
  hierarchy_stoplist cgi-bin ?
  acl QUERY urlpath_regex cgi-bin \?
  maximum_object_size 4096 KB
  cache_dir diskd /mnt/cache/squid 5120 16 256
  auth_param basic children 5
  auth_param basic realm Squid proxy-caching web server
  auth_param basic credentialsttl 2 hours
  refresh_pattern ^ftp: 1440 20% 10080
  refresh_pattern ^gopher: 1440 0% 1440
  refresh_pattern . 0 20% 4320
  acl all src 0.0.0.0/0.0.0.0
  acl manager proto cache_object
  acl localhost src 127.0.0.1/255.255.255.255
  acl to_localhost dst 127.0.0.0/8
  acl private1 src 192.168.0.0/16
  acl private2 src 10.0.0.0/8
  acl private3 src 172.16.0.0/12
  acl privoxy dstdomain config.privoxy.org
  acl SSL_ports port 443 563
  acl SSL_ports port 81 10000
  acl CONNECT method CONNECT
  acl Caixa dstdomain .caixa.gov.br
  no_cache deny QUERY
  http_access allow manager localhost
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access deny privoxy
  http_access allow localhost
  http_access allow private1
  http_access allow private2
  http_access allow private3
  http_access deny all
  http_reply_access allow all
  icp_access allow all
  reply_body_max_size 0 allow all
  cache_effective_user squid
  cache_effective_group squid
  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on
  always_direct allow Caixa
  coredump_dir /var/spool/squid
  extension_methods REPORT MERGE MKACTIVITY CHECKOUT
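The behaviour described in the post, as an added example that is not part of the original message or its attachments: a small Python model of the order in which netfilter consults nat PREROUTING and filter FORWARD, showing why the posted FORWARD ACCEPT never sees the Caixa traffic and what an exemption placed ahead of the REDIRECT changes. The rule/packet helpers and the 198.51.100.10 test address are assumptions, and `-i ! eth0` is modelled as eth1, the only other interface in the diagram.

```python
import ipaddress

# Added example, not the poster's configuration: only the two netfilter hooks
# that decide this case are modelled, nat PREROUTING and filter FORWARD, in the
# order the kernel consults them for a packet arriving on the LAN interface.

def rule(target, in_iface=None, dst=None, dport=None, to_port=None):
    """One simplified iptables rule; None means 'no match on this field'."""
    return {"target": target, "in_iface": in_iface,
            "dst": ipaddress.ip_network(dst) if dst else None,
            "dport": dport, "to_port": to_port}

def matches(r, pkt):
    return ((r["in_iface"] is None or r["in_iface"] == pkt["in_iface"])
            and (r["dst"] is None or pkt["dst"] in r["dst"])
            and (r["dport"] is None or r["dport"] == pkt["dport"]))

def traverse(nat_prerouting, filter_forward, pkt):
    """Return (verdict, port the packet ends up addressed to)."""
    pkt = dict(pkt, dst=ipaddress.ip_address(pkt["dst"]))
    # nat PREROUTING is consulted first, before routing and before FORWARD.
    for r in nat_prerouting:
        if not matches(r, pkt):
            continue
        if r["target"] == "REDIRECT":
            # Now addressed to the gateway itself: routing delivers it to
            # INPUT and Squid, so nothing in FORWARD is evaluated for it.
            return ("REDIRECT", r["to_port"])
        break  # ACCEPT/RETURN: stop walking nat PREROUTING, packet unchanged
    for r in filter_forward:
        if matches(r, pkt):
            return (r["target"], pkt["dport"])
    return ("DROP", pkt["dport"])  # the final '-A FORWARD -j DROP' in the post

# The posted ordering: REDIRECT first, so the FORWARD ACCEPT is never reached.
POSTED_NAT = [rule("REDIRECT", in_iface="eth1", dport=80, to_port=3128)]
# Corrected ordering: exempt the destination network *before* the REDIRECT.
FIXED_NAT = [rule("ACCEPT", in_iface="eth1", dst="200.201.160.0/20", dport=80),
             rule("REDIRECT", in_iface="eth1", dport=80, to_port=3128)]
FORWARD = [rule("ACCEPT", dst="200.201.160.0/20", dport=80),  # the poster's rule
           rule("ACCEPT", in_iface="eth1"),                    # '-i ! eth0'
           rule("DROP")]

def caixa_packet(dst="200.201.173.68"):
    # Constructed sample: the LAN host and server from the posted log line.
    return {"in_iface": "eth1", "src": "192.168.1.221", "dst": dst, "dport": 80}

if __name__ == "__main__":
    print(traverse(POSTED_NAT, FORWARD, caixa_packet()))  # ('REDIRECT', 3128)
    print(traverse(FIXED_NAT, FORWARD, caixa_packet()))   # ('ACCEPT', 80)
    print(traverse(FIXED_NAT, FORWARD, caixa_packet("198.51.100.10")))  # ('REDIRECT', 3128)
```

always_direct only decides how Squid fetches a request it has already received; it cannot stop the kernel handing the connection to port 3128 in the first place.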