Thanks Chris, I got rid of a lot of redundancy and replaced general rules with much more specific ones (e.g. SSH et al have source/destination IP space constraints)... everything seems to be working fine now!

-----Original Message-----
From: Chris Robertson [mailto:crobertson@xxxxxxx]
Sent: Monday, February 06, 2006 10:59 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: RE: Squid and iptables - need help

Hi...

> -----Original Message-----
> From: Gregori Parker [mailto:gregori@xxxxxxxxxxxxxx]
> Sent: Friday, February 03, 2006 10:25 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Squid and iptables - need help
>
>
> I have just deployed a cluster of squid caching servers in reverse proxy
> mode, and am having trouble with iptables. When iptables is turned on,
> I can hit the caching servers, but squid times out trying to pull from
> the origin servers (in our other datacenters).
>
> I'm thinking that if I add outgoing rules for our other datacenters,
> everything should be fine, but they are now in production and I can't
> simply test at will... I'm planning on adding these lines, can anyone
> tell me if this will fix my timeout problem when squid tries to pull
> from the origin servers? I'm green on iptables configuration, so any
> advice in general is welcome! Sorry for the long email, and thank you!
>
> Lines I plan to add:
>
> # Allow anything *to* our various datacenters
> $IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT
> $IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT
> $IPTABLES -A OUTPUT -d XX.XX.XX.X/26 -p all -j ACCEPT

Replace. Don't add...

>
> Or maybe I can just add this instead:
>
> $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This would be the same thing as "$IPTABLES --policy OUTPUT ALLOW".
>
> Here's the current iptables script:
> ------------------------------------------------------------------------
> #!/bin/sh
>
> LAN="eth1"
> INTERNET="eth0"
> IPTABLES="/sbin/iptables"
>
> # Drop ICMP echo-request messages sent to broadcast or multicast addresses
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Drop source routed packets
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>
> # Enable TCP SYN cookie protection from SYN floods
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> # Don't accept ICMP redirect messages
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>
> # Don't send ICMP redirect messages
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
>
> # Enable source address spoofing protection
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> # Log packets with impossible source addresses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>
> # Flush all chains
> $IPTABLES --flush
>
> # Allow unlimited traffic on the loopback interface
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> # Set default policies
> $IPTABLES --policy INPUT DROP
> $IPTABLES --policy OUTPUT DROP
> $IPTABLES --policy FORWARD DROP
>
> # Previously initiated and accepted exchanges bypass rule checking
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Change these lines...

> # Allow anything from our various datacenters
> $IPTABLES -A INPUT -s XX.XX.XXX.XXX/26 -p all -j ACCEPT
> $IPTABLES -A INPUT -s XX.XX1.XXX.X/26 -p all -j ACCEPT
> $IPTABLES -A INPUT -s XX.XX.XX.X/26 -p all -j ACCEPT

...to...

# Allow anything to our various datacenters
$IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX.XXX.X/26 -p all -j ACCEPT

... and Squid will be able to query your datacenters.
Responses will be allowed by the "--state ESTABLISHED,RELATED" rule. It would probably be a good idea to make this rule a bit more stringent (only allow TCP on port 80, or what-have-you). But it's a good start.

> # Allow incoming port 22 (ssh) connections on external interface
> $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state \
>     --state NEW -j ACCEPT
>

I'd REALLY strongly recommend you limit which hosts can connect to port 22. There is no shortage of SSH scanners in the wild.

> # Allow incoming port 4827 (squid-htcp) connections on external interface
> $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 4827 -m state \
>     --state NEW -j ACCEPT
>
> # Allow incoming port 80 (http) connections on external interface
> $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state \
>     --state NEW -j ACCEPT
>
> # Allow ICMP ECHO REQUESTS
> $IPTABLES -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j ACCEPT
> $IPTABLES -A INPUT -p icmp -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp -j ACCEPT
>
>
> # Allow DNS resolution
> $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
>     --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
>     --state NEW -j ACCEPT
>
> # Allow ntp synchronization
> $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state \
>     --state NEW -j ACCEPT
>
> # allow anything on the trusted interface
> $IPTABLES -A INPUT -i $LAN -p all -j ACCEPT
> $IPTABLES -A OUTPUT -o $LAN -p all -j ACCEPT
>
> # Have these rules take effect when iptables is started
> /sbin/service iptables save
>
> --------------------------------------------------------------
>

Chris
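The two tightenings Chris suggests (outbound rules to the origins restricted to TCP port 80 instead of "-p all", and SSH limited to known hosts), written out as a small rule generator. This is an added example, not code from either poster: the RFC 5737 documentation networks stand in for the masked XX.XX.XXX.XXX/26 datacenter ranges, ADMIN_NET is an assumed management subnet, and IPTABLES is set to "echo /sbin/iptables" so the script only prints the commands it would run, which lets the rule set be reviewed on a workstation before it is applied as root on a production cache.

```shell
#!/bin/sh
# Added example (not from the squid-users thread). Dry-run by default: set
# IPTABLES="/sbin/iptables" to apply the rules for real.
IPTABLES="echo /sbin/iptables"
INTERNET="eth0"

# Constructed placeholders (RFC 5737 ranges) for the masked datacenter networks.
DATACENTERS="203.0.113.0/26 198.51.100.0/26 192.0.2.0/26"
# Assumed management subnet that is allowed to reach sshd on the caches.
ADMIN_NET="192.0.2.128/26"

# Outbound rules for Squid's fetches from the origin servers. The original
# script only had INPUT -s rules for the datacenters, so Squid's own NEW
# connections to the origins hit the OUTPUT DROP policy and timed out.
# These are OUTPUT -d rules, limited to TCP/80 rather than "-p all"; the
# replies are still covered by the existing ESTABLISHED,RELATED rule.
datacenter_rules() {
    for net in $DATACENTERS; do
        $IPTABLES -A OUTPUT -o "$INTERNET" -d "$net" -p tcp --dport 80 \
            -m state --state NEW -j ACCEPT
    done
}

# SSH accepted only from the admin subnet instead of from the whole Internet.
ssh_rule() {
    $IPTABLES -A INPUT -i "$INTERNET" -s "$ADMIN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
}

# Emit the rules (printed, not applied, while IPTABLES is the echo wrapper).
datacenter_rules
ssh_rule
```

Because the page's script uses "iptables -A" after a "--flush", the same approach works there: drop the three INPUT -s datacenter lines, source this generator in their place, and keep the ESTABLISHED,RELATED rules above it so return traffic is matched before the default policy.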