Hi,

Even if you have not explained how this is set up, it seems very unlikely the issue with server1 could be the iptables FW ...
... I can only GUESS here since there is not enough data to be 100% sure.

However, there are not really any relevant differences in the rules for server1 and server2, and the ruleset is not set up in what I would call best practice.
In essence both rules allow for everything, except SMTP, HTTP, IMAP2 and IMAPS.
Unless your SQUID PROXY setup is using one of the 4 ports associated with the 4 services (and normally it would not) it should not be blocked.

REJECT     tcp  --  anywhere             anywhere             tcp dpt:smtp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:imap2 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:imaps reject-with icmp-port-unreachable

From what I can understand all other rules are not needed / since they are covered by a DEFAULT ACCEPT in this "SETUP"

You can normally verify this if you use the syntax "sudo iptables -nvL"
This will show you hit counter statistics

If you then try from outside "telnet server1 3128"
(you may need to change the port 3128 with whatever port your squid setup uses, but 3128 is normally the default)
Then when you run another "sudo iptables -nvL" right after and none of the counters have increased for any DROP / REJECT rule

Best regards
André Paulsberg-Csibi
Senior Network Engineer
IBM Services AS

-----Original message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On behalf of Peng Yu
Sent: Saturday, 10 February 2018 06:28
To: netfilter@xxxxxxxxxxxxxxx
Subject: How to check why HTTP proxy is not accessible from outside?

Hi,

I have squid HTTP proxy running on both of the following servers (server 1 and 2). But the proxy service on server1 can not be accessed from outside. I am not familiar with the output of iptables.
Could the difference explain why proxy on server1 is not accessible? Thanks.

server1:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             tcp dpt:smtp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:http reject-with icmp-port-unreachable
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5900
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5901
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5902
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5903
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5904
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5905
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5906
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5907
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5900 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5901 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5902 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5903 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5904 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5905 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5906 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5907 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:imap2 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:imaps reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

server2:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5900
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5901
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5902
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5903
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5904
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5905
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5906
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:5907
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5900 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5901 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5902 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5903 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5904 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5905 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5906 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:5907 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:smtp reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:http reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:imap2 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:imaps reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

--
Regards,
Peng
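
The counter check suggested in the reply, as an added example that is not part of the original thread: a shell function that compares two saved `iptables -nvL` listings and prints each DROP/REJECT rule whose packet counter grew between them. The function names `blocked_hits` and `sample`, the file names and the sample counters are assumptions made for illustration; no output means no DROP/REJECT counter moved during the probe.

```shell
#!/bin/sh
# Compare two saved outputs of "iptables -nvL" and list every DROP/REJECT rule
# whose packet counter grew in between. Adding -x (exact counters) when saving
# the snapshots avoids rounded values such as "12K" hiding a small increase.
#   sudo iptables -nvxL > before.txt
#   telnet server1 3128          # probe from outside, as in the reply
#   sudo iptables -nvxL > after.txt
#   blocked_hits before.txt after.txt
# Assumes the ruleset itself was not edited between the two snapshots.

blocked_hits() {
    awk '
        /^Chain /               { chain = $2; n = 0; next }  # new chain, restart rule index
        NF == 0 || $1 == "pkts" { next }                     # blank line or column header
        {
            n++
            key = chain ":" n                                # rule identity = chain + position
            if (FILENAME == ARGV[1]) { before[key] = $1; next }
            if (($3 == "DROP" || $3 == "REJECT") && $1 + 0 > before[key] + 0) {
                rule = $3
                for (i = 4; i <= NF; i++) rule = rule " " $i
                printf "%s +%d %s\n", chain, $1 - before[key], rule
            }
        }
    ' "$1" "$2"
}

# Constructed sample in the layout of "iptables -nvxL INPUT" (not real output);
# $1 is the packet count to show on the port-80 REJECT rule.
sample() {
    cat <<EOF
Chain INPUT (policy ACCEPT 120 packets, 9000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 reject-with icmp-port-unreachable
      $1      420 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable
       0        0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpt:5900
       5      300 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5900 reject-with icmp-port-unreachable
EOF
}

# Demo: the port-80 REJECT counter goes from 7 to 9 between the snapshots.
tmp=$(mktemp -d)
sample 7 > "$tmp/before"
sample 9 > "$tmp/after"
blocked_hits "$tmp/before" "$tmp/after"
rm -rf "$tmp"
```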