Thank you very much Amos, it is working. I need one more suggestion from you: what could be the reason for "Unloading iptables modules: [FAILED]"?

Regards,
Yogesh

On 1/26/08, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Seems I got bored and looked at your problem anyway ...
>
> Yogesh Patil wrote:
> > * Sorry for duplicate messages, I didn't know that it doesn't support
> > big attachments
> >
> > Hello,
> > I am using SQUID 2.6.STABLE17 with Fedora Core 8, & BIND
> > DNS SERVER configured on the same box. I have configured squid as a
> > transparent proxy, and applied an iptables rule by using the following
> > command:
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> >
> > service iptables save
> >
> > So when I restart iptables after applying & saving the above I
> > get the following:
> >
> > Flushing firewall rules: [ OK ]
> > Setting chains to policy ACCEPT: filter nat [ OK ]
> > Unloading iptables modules: [FAILED]
> > Applying iptables firewall rules: [ OK ]
> > Loading additional iptables modules: nf_conntrack_netbios_n[ OK ]
> >
> > So if I try to ping (any public IP) from a client PC after
> > enabling iptables I get request timed out, but I can browse websites
> > without any problem, and if I disable iptables I get a reply from
> > the (public IP) to which I am pinging and browsing also works. I also
> > checked DNS resolution; it works perfectly as browsing works.
> >
> > So I would like to know what the reason is for ping stopping
> > after enabling iptables and why I am getting "Unloading iptables
> > modules FAILED".
> >
> > HERE IS MY /etc/iptables FILE
> > # Generated by iptables-save v1.3.8 on Sat Jan 26 17:51:31 2008
> > *nat
> > :PREROUTING ACCEPT [5:862]
> > :POSTROUTING ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> > COMMIT
> > # Completed on Sat Jan 26 17:51:31 2008
> > # Generated by iptables-save v1.3.8 on Sat Jan 26 17:51:31 2008
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [5:454]
> > :RH-Firewall-1-INPUT - [0:0]
> > -A INPUT -j RH-Firewall-1-INPUT
> > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>
> This ICMP ACCEPT is in the INPUT chain.
> The FORWARD chain contains only a global REJECT which will naturally block
> ICMP, UDP, TCP and everything else being forwarded.
>
> Transparent-Squid only works because www packets are now secretly going to
> localhost via INPUT and OUTPUT without entering the FORWARD chain.
>
> Try adding:
> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
>
> ahead of the first "-A FORWARD" line.
> Or reconsider your FORWARD content entirely.
>
> > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> > -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> > # Completed on Sat Jan 26 17:51:31 2008
> >
> > THANKS IN ADVANCE
> >
> > --
> > Regards,
> > Yogesh Patil
>
> --
> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
> There are serious security advisories out on all earlier releases.

--
Regards,
Yogesh Patil
Technotux Solutions
33/114, Gandhi Nagar, Jilha Peth,
Jalgaon - 425001
Maharashtra, INDIA
Phone :- +91-257-2235596
Mobile:- +91-9890931432, 9422778329
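The chain-traversal argument in Amos's reply (REDIRECTed port-80 traffic is delivered locally and goes through INPUT, everything else from the clients goes through FORWARD and hits the lone REJECT) can be checked offline by replaying the posted ruleset against a few sample packets. The following is an added example, not code from the thread or from the iptables project: a small first-match evaluator for the iptables-save format, fed a trimmed copy of the ruleset above (constructed here; only the rules that matter for the question are kept) and three constructed packets. The `dst_local` flag and the `trace_path` routing decision (REDIRECT or a local destination means INPUT, otherwise FORWARD) are the example's own simplification of netfilter's routing step.

```python
"""Replay the thread's iptables ruleset against sample packets to show which
chain each one traverses and which rule decides it (added example)."""
import shlex

# Constructed sample: the posted ruleset, trimmed to the rules that matter.
ORIGINAL_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The rule Amos suggests, inserted ahead of the first "-A FORWARD" line.
FORWARD_ICMP_FIX = "-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT"

TERMINAL = {"ACCEPT", "DROP", "REJECT", "REDIRECT"}
OPTS = {"-A": "chain", "-i": "in_iface", "-p": "proto", "-d": "dst",
        "--dport": "dport", "--state": "state", "-j": "target",
        "--reject-with": "reject_with", "--to-ports": "to_ports"}


def parse_rule(tokens):
    """Turn one '-A ...' line into a flat dict of match fields plus target."""
    rule = {"text": " ".join(tokens)}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-m", "--icmp-type"):
            # "-m tcp/udp/state/icmp" only loads a match module and
            # "--icmp-type any" matches every type: neither constrains anything.
            i += 2
            continue
        key, value = OPTS[tok], tokens[i + 1]
        if key == "dport":
            value = int(value)
        elif key == "state":
            value = set(value.split(","))
        rule[key] = value
        i += 2
    return rule


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "chains": {chain: [rules]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "chains": {}})
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            table["chains"].setdefault(name, [])
            if policy != "-":            # user-defined chains have no policy
                table["policy"][name] = policy
        elif line.startswith("-A "):
            rule = parse_rule(shlex.split(line))
            table["chains"].setdefault(rule["chain"], []).append(rule)
    return tables


def matches(rule, pkt):
    """Every match field present on the rule must agree with the packet."""
    for key in ("in_iface", "proto", "dst", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "state" in rule and pkt.get("state") not in rule["state"]:
        return False
    return True


def evaluate(table, chain, pkt):
    """First-match walk of a chain; returns (verdict, deciding rule text).
    User chains fall through with verdict None so the caller continues."""
    for rule in table["chains"][chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, rule["text"]
        if target == "RETURN":
            return None, None
        verdict, why = evaluate(table, target, pkt)   # jump into user chain
        if verdict is not None:
            return verdict, why
    return table["policy"].get(chain), None


def trace_path(tables, pkt):
    """Simplified routing step: REDIRECT (or a local destination) means the
    packet is delivered locally and crosses INPUT; otherwise FORWARD."""
    nat_verdict, _ = evaluate(tables["nat"], "PREROUTING", pkt)
    chain = "INPUT" if nat_verdict == "REDIRECT" or pkt.get("dst_local") else "FORWARD"
    verdict, why = evaluate(tables["filter"], chain, pkt)
    return chain, verdict, why


def apply_forward_icmp_fix(text):
    """Insert FORWARD_ICMP_FIX ahead of the first -A FORWARD line, as suggested."""
    out, done = [], False
    for line in text.splitlines():
        if not done and line.startswith("-A FORWARD"):
            out.append(FORWARD_ICMP_FIX)
            done = True
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed packets as seen on eth0, all from a LAN client to a public IP.
PING = {"in_iface": "eth0", "proto": "icmp", "state": "NEW"}
WEB = {"in_iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"}
EXT_DNS = {"in_iface": "eth0", "proto": "udp", "dport": 53, "state": "NEW"}

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_RULES),
                        ("with FORWARD icmp fix", apply_forward_icmp_fix(ORIGINAL_RULES))):
        tables = parse_iptables_save(text)
        for name, pkt in (("ping", PING), ("http", WEB), ("external dns", EXT_DNS)):
            print(label, name, trace_path(tables, pkt))
```

Running it shows the asymmetry Amos describes: the HTTP packet is REDIRECTed in nat PREROUTING and decided in INPUT, where it is accepted by `-i eth0 -j ACCEPT` (so the later port-3128 rule never fires for eth0 traffic), while the ping reaches FORWARD and is rejected. With the suggested rule inserted, ping is accepted, but a client's UDP/53 query to an external resolver still goes through FORWARD and is still rejected, which is why the reply also suggests reconsidering the FORWARD content as a whole.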