Re: squid or iptables big problem !

[Marcello Romani <mromani@xxxxxxxxxxxxxxx>]

Il 11/03/2010 9.21, Hubert Choma ha scritto:
> Hello
> Please check my configs. I don't know it's a problem with squid config
> (transparent 8080) or iptables. Pages are loading very very slow
> sometimes I receive error  DNS timeout and clients can't connect to WWW
> sites. I open ports 53 UDP and TCP on my firewall CENTOS 5.4. My
> Linuxbox is configured as a router. I have redirected 80,21,9999(ssh)
> ports on my hardware router to linux 192.168.1.2
>
> How can I debug squid to check it is a firewall problem ?
>
> In resolv.conf I have write down IP of hardware router and IP's of my
> internet provider DNS so it shouldn't be a problem with DNS ?!
>
> resolv.conf
> nameserver 192.168.1.1
> nameserver 194.204.152.34
> nameserver 194.204.159.1
>
> My net topology
> 192.168.1.1(UTM hardware router)---192.168.1.2 CENOTS router with
> transparent squid--192.168.0.0/24 LAN clients
>
> eth0 WAN -192.168.1.2 (static IP)
> eth1 LAN -192.168.0.1 (static IP)
> Squid 2.6 stable 21
>
> Maybe its iptables config problem ? Please HELP
> Your help will be appreciated !!!
>
> iptables
>
> #!/bin/sh
> modprobe ip_nat
> modprobe ip_conntrack_ftp
> modprobe ip_conntrack
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP

IME you should start with an all-ACCEPT iptables config, with no 
restriction on traffic, and concentrate on the redirect rules.
If you manage to make the whole thing work with that way, then you can 
turn to DROP default policies and slectivily enable traffic.
On the other hand, if it doesn't work even with a permissive fw setup 
then you know it's likely to be a squid problem.

> iptables -P OUTPUT ACCEPT
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> iptables -A INPUT -i lo -j ACCEPT
> #iptables -A OUTPUT -o lo -j ACCEPT it is necessary ??
>
> iptables -A INPUT -i eth1 -j ACCEPT
> iptables -A FORWARD -i eth1 -j ACCEPT

You are allowing all the traffic originating from the LAN to go to the 
internet (I assume the UTM hw fw is the last hop before the 'net).
Nothing wrong with this, but beware that this means you are not blocking 
any p2p, non-proxy http requests, IM protocols, etc.
Maybe the blocking is done at the UTM hardware router ?

> iptables -A OUTPUT -o eth1 -j ACCEPT
>
> # RDP
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT
> --to-destination 192.168.0.6:3389

RDP directly from the public IP to the internal machine ? Not very 
secure IMHO.
I use ssh port forwarding.

> iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT

Is this really needed ?

> #DraytekSyslog
> iptables -t nat -I PREROUTING -p udp -i eth0 -d 0/0 --dport 514 -j DNAT
> --to 192.168.0.6
> iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 514 -j ACCEPT

See above

> # DNS
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT
> --to-destination 192.168.0.1:53
> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT
> --to-destination 192.168.0.1:53
> iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 53 -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT

Are you running a DNS for public use ?

> iptables -A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT

These two rules make sense. But they're superfluous since all traffic -i 
eth1 is ACCEPTed in FORWARD chain.

> # SERVICES
> iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 80  -j ACCEPT
> iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 5432 -j ACCEPT
> iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 9999 -j ACCEPT
> iptables -A INPUT -i eth0 -d 192.168.1.2 -p tcp --dport 21 -j ACCEPT
>
> #NAT
> iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp
> --dport 80 -j DNAT --to-destination 192.168.0.1:8080
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT
> --to-source 192.168.1.2
>
>
> squid.conf
>
> http_port 192.168.0.1:8080 transparent
> dns_nameservers 192.168.1.1 194.204.152.34 194.204.159.1
> acl localnet src 192.168.0.0/24
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> acl windowsupdate dstdomain www.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl windowsupdate dstdomain sls.microsoft.com
> acl windowsupdate dstdomain productactivation.one.microsoft.com
> acl windowsupdate dstdomain ntservicepack.microsoft.com
>
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
>
> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet
> range_offset_limit -1
> quick_abort_min -1
>
> acl ftp proto FTP
> http_access allow ftp
> cache_vary on
>
> #MY ACL's (only allowed sites in file dozwolone.txt are allowed for
> ograniczone_komputery other sites are prohibited)
> acl all src 0.0.0.0/0.0.0.0
> cache allow all
> acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"
> acl ograniczone_komputery src 192.168.0.2 192.168.0.3 192.168.0.4
> 192.168.0.9 192.168.0.10
> acl nieograniczone src 192.168.0.5 192.168.0.6 192.168.0.7 192.168.0.8
> acl poczta dstdom_regex .*poczta. .*mail.
>
> http_access allow dozwolone ograniczone_komputery !poczta
> http_access allow nieograniczone
> http_access deny all
>
>
> # DEFAULT ACL
> #acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> cache_mgr hubert@xxxxx
> cachemgr_passwd mypassword
> acl localhost src 127.0.0.1/255.255.255.255
> acl dostep_stats src 192.168.0.0/24
>
> http_access allow manager localhost
> http_access allow manager dostep_stats
> #http_access deny manager
> http_access allow all
>
> acl SSL_ports port 443
> acl Safe_ports port 80		# http
> acl Safe_ports port 21		# ftp
> acl Safe_ports port 443		# https
> acl Safe_ports port 70		# gopher
> acl Safe_ports port 210		# wais
> acl Safe_ports port 1025-65535	# unregistered ports
> acl Safe_ports port 280		# http-mgmt
> acl Safe_ports port 488		# gss-http
> acl Safe_ports port 591		# filemaker
> acl Safe_ports port 777		# multiling http
> acl CONNECT method CONNECT
>
>
> #http_access allow all
> ##http_access allow manager localhost
> ##http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> icp_access allow all
>
>
> #hierarchy_stoplist cgi-bin ?
> #acl QUERY urlpath_regex cgi-bin \?
> #cache deny QUERY
> cache_mem 20 MB
> maximum_object_size_in_memory 8 MB
> maximum_object_size 750 MB
>
> #cache on XFS partition
> cache_dir aufs /mnt/sdb/squid 2000 16 256
> access_log /var/log/squid/access.log squid
> error_directory /usr/share/squid/errors/Polish
> refresh_pattern ^ftp:		1440	20%	10080
> #refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern .		0	20%	4320
>
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> coredump_dir /var/spool/squid

HTH

Marcello