Packets logged as blocked even Firewall (IPtables) accepts them ...


Packets logged as blocked even Firewall (IPtables) accepts them ...

Walter H.
Hello,

my Router Box runs a CentOS 6, with the EPEL squid34 RPM package

this is the iptables ruleset (/etc/sysconfig/iptables):
<BEGIN /etc/sysconfig/iptables>
*filter
# Default-deny on all three chains: a packet that reaches the end of a chain
# without hitting an ACCEPT is logged by the rules at the bottom and then
# dropped by the chain policy.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow multicast
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT

# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow anything out on LAN
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in
# NOTE(review): a segment that conntrack cannot tie to a tracked connection
# (most likely the RST and FIN/ACK entries seen in dmesg, arriving after the
# connection was torn down) is state INVALID -- it matches neither this rule
# nor the NEW rules below and falls through to the LOG rule and DROP policy.
-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable DHCP for LAN
-A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Enable DNS-Cache for LAN
-A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT

# Enable SSH from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Enable HTTP/HTTPS from LAN (some gui interface)
-A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Enable Squid-Proxy from LAN
# NOTE(review): this only filters by ingress interface; Squid itself still
# binds every local address unless http_port is given the LAN IP, so the
# firewall is the single layer keeping the proxy off the WAN side.
-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Block STUN
# REJECT (default ICMP port-unreachable) rather than DROP, so LAN clients
# fail fast instead of waiting for a timeout.
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
# Block TEREDO
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT

# Allow Forwarding to WAN interface
# Any protocol/port from the LAN is forwarded; only the two REJECTs above
# carve exceptions out of this.
-A FORWARD -i br0 -o eth1 -j ACCEPT
# Allow established, related packets back through
-A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only the lan is allowed to ping me without restriction
-A INPUT -i br0 -p icmp -j ACCEPT
# Else only pings with restricted icmp are allowed
# NOTE(review): no --icmp-type, so the limit covers every ICMP type from the
# WAN side; anything over the limit falls through to the log/drop.
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT

# Enable TRACEroute to me from LAN
-A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Enable TRACEroute to me from internet
-A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Log all other
# NOTE(review): this file has no ESTABLISHED,RELATED rule for eth1 in INPUT
# and no '-o eth1' rule in OUTPUT, so with the DROP policies the box itself
# could not reach the WAN; the iptables-save output later in the thread does
# contain both, i.e. the loaded ruleset is not this file.
# NOTE(review): the LOG rules carry no -m limit, so any host that can reach
# the box can fill the kernel log; consider rate-limiting them and dropping
# '-m state --state INVALID' explicitly above them.
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG  --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG  --log-prefix "IP[OUT]: " --log-level 7

COMMIT
<END /etc/sysconfig/iptables>

and these are logged entries:
(only partial, as they are many)

<BEGIN dmesg>
[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
[18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0
<END dmesg>

192.168.0.1  is the router itself
192.168.0.10  is a VM running another squid, using the router box as
parent proxy
192.168.0.2   is my windows box

why are these packets blocked?

By the way, the router box of course has more interfaces: br0 (LAN) and
eth1 (WAN). Where can I ensure that Squid only listens on the LAN IP?

<BEGIN squid.conf>
# The only network allowed to use the proxy (see http_access below).
acl localnet src 192.168.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70                # gopher
acl Safe_ports port 1025-65535        # unregistered ports
acl CONNECT method CONNECT

# Refuse requests to any port outside Safe_ports, so the proxy cannot be
# used to reach arbitrary services.
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# NOTE(review): to_localhost is not defined in this file; this relies on the
# ACL that Squid 3.x predefines -- confirm with 'squid -k parse'.
http_access deny to_localhost

# NOTE(review): the stock squid.conf places 'http_access allow localhost
# manager' / 'http_access deny manager' ahead of this allow; they are absent
# here, so check whether cache-manager access from LAN clients is intended.
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# and finally allow by default
http_reply_access allow all

# Squid normally listens to port 3128
# NOTE(review): a bare port number listens on every local address, including
# the WAN side; 'http_port 192.168.0.1:3128' restricts the listener to the
# LAN address so the iptables rule is a second layer rather than the only one.
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 16400 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Never cache CRL responses (presumably so revocation data is always fetched
# fresh).
acl crl-mime rep_mime_type application/x-pkcs7-crl
no_cache deny crl-mime

icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors

# Apache-style combined log, extended with Squid's own status/hierarchy codes.
logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

refresh_pattern ^ftp:                1440        20%        10080
refresh_pattern ^gopher:        1440        0%        1440
refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
refresh_pattern .                0        20%        4320
<END squid.conf>

Thanks,
Walter

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Antony Stone
On Tuesday 18 July 2017 at 13:29:04, Walter H. wrote:

> Hello,
>
> my Router Box runs a CentOS 6, with the EPEL squid34 RPM package
>
> this the iptables
> <BEGIN /etc/sysconfig/iptables>

Does the output of "iptables -L -nvx" match the ruleset you've quoted here?

I'm just wondering whether the rules have got loaded properly.


Antony.

--
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Matus UHLAR - fantomas
In reply to this post by Walter H.
On 18.07.17 14:29, Walter H. wrote:
>-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

>-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

>-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7

>[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
>MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
>DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
>SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0

it's a RST packet, apparently for a connection that conntrack has already
closed, and thus it is in none of the states ESTABLISHED, RELATED or NEW --
it is INVALID, so it matches none of your ACCEPT rules and falls through to
the LOG rule (and then the chain's DROP policy). The FIN/ACK and PSH/FIN
entries from 192.168.0.2 are most likely the same thing: late segments for a
connection conntrack no longer tracks.

Logging with --state INVALID would confirm this.

>by the way the router box has of course more interfaces
>a br0 (LAN) and eth1 (WAN), where can I ensure that squid only listens to
>the LAN IP?

here:
># Squid normally listens to port 3128
>http_port 3128

see http://www.squid-cache.org/Doc/config/http_port/ -- with just a port
number Squid listens on every address of the box, including the WAN side;
`http_port 192.168.0.1:3128` binds it to the LAN address only, so the
iptables rule is no longer the only thing keeping the proxy off the internet.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Walter H.
On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote:

> On 18.07.17 14:29, Walter H. wrote:
>>-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>>-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT
>
>>-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>
>>[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
>>MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
>>DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
>>SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
>
> it's a RST packet, apparently for connection that was already closed and
> thus is not ESTABLISHED,RELATED nor NEW
>
> logging state INVALID could explain

how would I do this?

Thanks,
Walter


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Amos Jeffries
Administrator
On 19/07/17 01:37, Walter H. wrote:

> On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote:
>> On 18.07.17 14:29, Walter H. wrote:
>>> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>> -A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT
>>
>>> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>>
>>> [17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
>>> MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
>>> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
>>> SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
>>
>> it's a RST packet, apparently for connection that was already closed and
>> thus is not ESTABLISHED,RELATED nor NEW
>>
>> logging state INVALID could explain
>
> how would I do this?


Add this line in your iptables config above the generic log ones:

  -A INPUT -i br0 -m state --state INVALID -j LOG --log-prefix "IP[IN INVALID]: " --log-level 7

(This only labels the packets so you can confirm the diagnosis. Once
confirmed, the usual hardening is `-A INPUT -m state --state INVALID -j DROP`
ahead of the generic LOG rules, plus `-m limit` on the LOG rules themselves
so that a noisy host cannot flood the kernel log.)

(If you are a newbie with iptables, or are not having a major 'Doh!' moment
reading the above config line, then I suggest you find some tutorials
and read up on using netfilter / iptables; some starters can be found
at <http://netfilter.org/documentation/index.html>. You are likely to
find a lot of little tips and tricks that are useful way beyond this
specific question and its answers.)


PS. This thread seems to have nothing to do with Squid.
<http://netfilter.org/mailinglists.html#ml-user> would be a more
appropriate place to seek this type of help in future.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Walter H.
On Wed, July 19, 2017 03:21, Amos Jeffries wrote:

> On 19/07/17 01:37, Walter H. wrote:
>> On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote:
>>> On 18.07.17 14:29, Walter H. wrote:
>>>> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>>> -A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j
>>>> ACCEPT
>>>
>>>> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>>>
>>>> [17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
>>>> MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
>>>> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
>>>> SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
>>>
>>> it's a RST packet, apparently for connection that was already closed
>>> and
>>> thus is not ESTABLISHED,RELATED nor NEW
>>>
>>> logging state INVALID could explain
>>
>> how would I do this?
>
>
> Add this line in your iptables config above the generic log ones:
>
>   -A INPUT -i br0 -m state --state INVALID -j LOG --log-prefix "IP[IN]
> INVALID]: " --log-level 7

I added these rules, and will see which packets are caught

-A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: "
--log-level 7
-A FORWARD -m state --state INVALID -j LOG --log-prefix "IP[FWD(invalid)]:
" --log-level 7
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "IP[OUT(invalid)]:
" --log-level 7

and not by these generic ones, which come after them:

-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Antony Stone
On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote:

> I added these rules, and will see which packets are caught
>
> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: "
> --log-level 7
> -A FORWARD -m state --state INVALID -j LOG --log-prefix "IP[FWD(invalid)]:
> " --log-level 7
> -A OUTPUT -m state --state INVALID -j LOG --log-prefix "IP[OUT(invalid)]:
> " --log-level 7
>
> and not by these after:
>
> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7

Note that any packets caught by the first rules will *also* be caught by the
second rules (since there is no DROP in between, and the second rule does not
exclude INVALID), so don't be surprised when you see log entries from both
rules for the same packet.


Antony.

--
Python is executable pseudocode.
Perl is executable line noise.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Walter H.
On Wed, July 19, 2017 11:31, Antony Stone wrote:

> On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote:
>
>> I added these rules, and will see which packets are caught
>>
>> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]:
>> "
>> --log-level 7
>> -A FORWARD -m state --state INVALID -j LOG --log-prefix
>> "IP[FWD(invalid)]:
>> " --log-level 7
>> -A OUTPUT -m state --state INVALID -j LOG --log-prefix
>> "IP[OUT(invalid)]:
>> " --log-level 7
>>
>> and not by these after:
>>
>> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
>> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
>
> Note that any packets caught by the first rules will *also* be caught by
> the
> second rules (since there is no DROP in between, and the second rule does
> not
> exclude INVALID),

how would I exclude INVALID in the second rules?


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Antony Stone
On Wednesday 19 July 2017 at 10:40:36, Walter H. wrote:

> On Wed, July 19, 2017 11:31, Antony Stone wrote:
> > On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote:
> >> I added these rules, and will see which packets are caught
> >>
> >> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]:
> >> " --log-level 7
> >> -A FORWARD -m state --state INVALID -j LOG --log-prefix
> >> "IP[FWD(invalid)]: " --log-level 7
> >> -A OUTPUT -m state --state INVALID -j LOG --log-prefix
> >> "IP[OUT(invalid)]: " --log-level 7
> >>
> >> and not by these after:
> >>
> >> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
> >> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
> >> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
> >
> > Note that any packets caught by the first rules will *also* be caught by
> > the second rules (since there is no DROP in between, and the second rule
> > does not exclude INVALID),
>
> how would I exclude INVALID in the second rules?

If you really want to:

-A INPUT -m state ! --state INVALID -j LOG  --log-prefix....

Depending on how you enter this rule, you may need to shell-escape the ! so
that it doesn't get interpreted by bash etc. (In /etc/sysconfig/iptables,
which iptables-restore reads without a shell, no escaping is needed.)

The alternative (IMHO uglier) way of doing it would be:

-A INPUT -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix....


Quoting from the iptables man page:

"   state
       This module, when combined with connection tracking, allows access to
the connection tracking state for this packet.

       [!] --state state
              Where state is a comma separated list of the connection states
to match.  Possible states are INVALID meaning that the packet could not be
identified for some reason which includes running out of memory and ICMP errors
which don't correspond to any known connection, ESTABLISHED meaning that the
packet is associated  with  a  connection which  has  seen packets in both
directions, NEW meaning that the packet has started a new connection, or
otherwise associated with a connection which has not seen packets in both
directions, and RELATED meaning that the packet is starting a new connection,
but is associated with an existing connection, such as an FTP data transfer,
or an ICMP error.  UNTRACKED meaning that the packet is not tracked at all,
which happens if you use the NOTRACK target in raw table."


Antony.

--
This email was created using 100% recycled electrons.

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Eliezer Croitoru
In reply to this post by Walter H.
Hey Walter,

Can you please paste the output of "iptables-save" for me?
It's easier for me to read plain iptables-save output than iptables -Lnv or any other format.
Then I would be able to send you a file that you can just pull into iptables-restore which should work.

And just to clear out my doubts on the scenario:
Are the RST packets coming from the gateway (192.168.0.1), but for requests from the local proxy (192.168.0.10)? (The log entries show SRC=192.168.0.10 DST=192.168.0.1, i.e. the RSTs travel from the proxy VM to the gateway.)
To eliminate a couple of things, can you test the next rule on the GW? Note that it inserts an unconditional allow for that host at the top of INPUT, so keep it only for the duration of the test and remove it afterwards:
iptables -I INPUT -s 192.168.0.10 -j ACCEPT

And see if it changes anything at all?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Walter H.
Sent: Tuesday, July 18, 2017 15:29
To: [hidden email]
Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

Hello,

my Router Box runs a CentOS 6, with the EPEL squid34 RPM package

this the iptables
<BEGIN /etc/sysconfig/iptables>
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow multicast
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT

# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow anything out on LAN
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable DHCP for LAN
-A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Enable DNS-Cache for LAN
-A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT

# Enable SSH from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Enable HTTP/HTTPS from LAN (some gui interface)
-A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Enable Squid-Proxy from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Block STUN
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
# Block TEREDO
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT

# Allow Forwarding to WAN interface
-A FORWARD -i br0 -o eth1 -j ACCEPT
# Allow established, related packets back through
-A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only the lan is allowed to ping me without restriction
-A INPUT -i br0 -p icmp -j ACCEPT
# Else only pings with restricted icmp are allowed
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT

# Enable TRACEroute to me from LAN
-A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Enable TRACEroute to me from internet
-A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Log all other
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG  --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG  --log-prefix "IP[OUT]: " --log-level 7

COMMIT
<END /etc/sysconfig/iptables>

and these are logged entries:
(only partial, as they are many)

<BEGIN dmesg>
[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
[18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0
<END dmesg>

192.168.0.1  is the router itself
192.168.0.10  is a VM running another squid, using the router box as parent proxy
192.168.0.2   is my windows box

why are these packets blocked?

By the way, the router box of course has more interfaces: br0 (LAN) and eth1 (WAN). Where can I ensure that Squid only listens on the LAN IP?

<BEGIN squid.conf>
acl localnet src 192.168.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70                # gopher
acl Safe_ports port 1025-65535        # unregistered ports
acl CONNECT method CONNECT

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# and finally allow by default
http_reply_access allow all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 16400 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

acl crl-mime rep_mime_type application/x-pkcs7-crl
no_cache deny crl-mime

icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors

logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

refresh_pattern ^ftp:                1440        20%        10080
refresh_pattern ^gopher:        1440        0%        1440
refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
refresh_pattern .                0        20%        4320
<END squid.conf>

Thanks,
Walter

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Walter H.
Hello Eliezer,

it is just this:

# Generated by iptables-save v1.4.7 on Wed Jul 19 20:25:22 2017
# NOTE(review): this is the ruleset actually loaded in the kernel; it differs
# from the /etc/sysconfig/iptables file posted at the start of the thread in
# the places marked below.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
# NOTE(review): not in the posted file -- lets WAN replies to the box in.
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p icmp -j ACCEPT
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j
ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523
-j ACCEPT
# Unrate-limited catch-all log; everything below it in INPUT is dropped by
# the policy.
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
# NOTE(review): the posted file's 'FORWARD -i br0 -o eth1 -j ACCEPT' and its
# ESTABLISHED,RELATED counterpart are missing here, so FORWARD holds only the
# two REJECTs and the LOG -- nothing is forwarded at all and LAN hosts can
# only reach the WAN through the proxy (possibly intended; verify).
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3478 -j REJECT
--reject-with icmp-port-unreachable
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3544 -j REJECT
--reject-with icmp-port-unreachable
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
# NOTE(review): not in the posted file -- allows all outbound traffic on WAN.
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
COMMIT
# Completed on Wed Jul 19 20:25:22 2017

Walter

On 19.07.2017 20:03, Eliezer Croitoru wrote:

> Hey Walter,
>
> Can you please paste the output of "iptables-save" for me?
> It's easier for me to read plain iptables-save then iptables -Lnv or any other format.
> Then I would be able to send you a file that you can just pull into iptables-restore which should work.
>
> And just to clear out my doubts on the scenario:
> Is the RST packets coming from the gateway(192.168.0.1) but for request from the local proxy(192.168.0.10).
> To eliminate couple things, can you test the next rule on the GW:
> Iptables -I INPUT -s 192.168.0.10 -j ACCEPT
>
> And see if it changes anything at all?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: [hidden email]
>
>
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On Behalf Of Walter H.
> Sent: Tuesday, July 18, 2017 15:29
> To: [hidden email]
> Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...
>
> Hello,
>
> my Router Box runs a CentOS 6, with the EPEL squid34 RPM package
>
> this the iptables
> <BEGIN /etc/sysconfig/iptables>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
>
> # Allow multicast
> -A INPUT -d 224.0.0.0/4 -j ACCEPT
> -A OUTPUT -d 224.0.0.0/4 -j ACCEPT
>
> # Allow anything on the local link
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
>
> # Allow anything out on LAN
> -A OUTPUT -o br0 -j ACCEPT
> # Allow established, related packets back in
> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Enable DHCP for LAN
> -A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT
>
> # Enable DNS-Cache for LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT
>
> # Enable SSH from LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> # Enable HTTP/HTTPS from LAN (some gui interface)
> -A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
> -A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT
>
> # Enable Squid-Proxy from LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT
>
> # Block STUN
> -A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
> # Block TEREDO
> -A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT
>
> # Allow Forwarding to WAN interface
> -A FORWARD -i br0 -o eth1 -j ACCEPT
> # Allow established, related packets back through
> -A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Only the lan is allowed to ping me without restriction
> -A INPUT -i br0 -p icmp -j ACCEPT
> # Else only pings with restricted icmp are allowed
> -A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
>
> # Enable TRACEroute to me from LAN
> -A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
> # Enable TRACEroute to me from internet
> -A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
>
> # Log all other
> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
> -A FORWARD -j LOG  --log-prefix "IP[FWD]: " --log-level 7
> -A OUTPUT -j LOG  --log-prefix "IP[OUT]: " --log-level 7
>
> COMMIT
> <END /etc/sysconfig/iptables>
>
> and these are logged entries:
> (only partial, as they are many)
>
> <BEGIN dmesg>
> [17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
> MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
> [17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT=
> MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
> [18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT=
> MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP
> SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
> [18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT=
> MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
> DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP
> SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0
> <END dmesg>
>
> 192.168.0.1  is the router itself
> 192.168.0.10  is a VM running another squid, using the router box as parent proxy
> 192.168.0.2   is my windows box
>
> why are these packets blocked?
>
> By the way, the router box of course has more interfaces: br0 (LAN) and eth1 (WAN). Where can I ensure that Squid only listens on the LAN IP?
>
> <BEGIN squid.conf>
> acl localnet src 192.168.0.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80                # http
> acl Safe_ports port 21                # ftp
> acl Safe_ports port 443                # https
> acl Safe_ports port 70                # gopher
> acl Safe_ports port 1025-65535        # unregistered ports
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> http_access deny to_localhost
>
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # and finally allow by default
> http_reply_access allow all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/spool/squid 16400 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> acl crl-mime rep_mime_type application/x-pkcs7-crl
> no_cache deny crl-mime
>
> icon_directory /usr/share/squid/icons
> error_directory /etc/squid/errors
>
> logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access.log combined
>
> refresh_pattern ^ftp:                1440        20%        10080
> refresh_pattern ^gopher:        1440        0%        1440
> refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
> refresh_pattern .                0        20%        4320
> <END squid.conf>
>
> Thanks,
> Walter
>


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: Packets logged as blocked even Firewall (IPtables) accepts them ...

Eliezer Croitoru
Hey Walter,

Something about the network and the network interfaces is still not clear to me.
I need the output of:
ip a
brctl show br0

And try to apply the next iptables rules to see if it works OK for you:
http://ngtech.co.il/paste/1782/raw/

From what I understand the proxy is just another machine in the network, so I do not understand what br0 is for and what eth1 is...
If eth1 is a member of br0, you should not apply any rules to eth1, and you should remove any IP address from eth1.
Also, the FORWARD rules should not be required unless you are using the squid machine as a gateway; from your description that is not the goal, so a simple DROP-all policy should be fine.
Also, if you have followed some tutorial to set up your iptables and/or squid, it will help me to see it, since as far as I know squid does not need:
-A INPUT -d 224.0.0.0/4 -j ACCEPT

Or similar rules.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: Walter H. [mailto:[hidden email]]
Sent: Wednesday, July 19, 2017 21:38
To: Eliezer Croitoru <[hidden email]>
Cc: [hidden email]
Subject: Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

Hello Eliezer,

it is just this:

# Generated by iptables-save v1.4.7 on Wed Jul 19 20:25:22 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p icmp -j ACCEPT
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3478 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3544 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
COMMIT
# Completed on Wed Jul 19 20:25:22 2017

Walter

On 19.07.2017 20:03, Eliezer Croitoru wrote:

> Hey Walter,
>
> Can you please paste the output of "iptables-save" for me?
> It's easier for me to read plain iptables-save than iptables -Lnv or any other format.
> Then I would be able to send you a file that you can just pull into iptables-restore which should work.
>
> And just to clear out my doubts on the scenario:
> Are the RST packets coming from the gateway (192.168.0.1) in response to requests from the local proxy (192.168.0.10)?
> To eliminate couple things, can you test the next rule on the GW:
> iptables -I INPUT -s 192.168.0.10 -j ACCEPT
>
> And see if it changes anything at all?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: [hidden email]
>
>
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On Behalf Of Walter H.
> Sent: Tuesday, July 18, 2017 15:29
> To: [hidden email]
> Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...
>
> Hello,
>
> my Router Box runs a CentOS 6, with the EPEL squid34 RPM package
>
> this the iptables
> <BEGIN /etc/sysconfig/iptables>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
>
> # Allow multicast
> -A INPUT -d 224.0.0.0/4 -j ACCEPT
> -A OUTPUT -d 224.0.0.0/4 -j ACCEPT
>
> # Allow anything on the local link
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
>
> # Allow anything out on LAN
> -A OUTPUT -o br0 -j ACCEPT
> # Allow established, related packets back in
> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Enable DHCP for LAN
> -A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT
>
> # Enable DNS-Cache for LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT
>
> # Enable SSH from LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> # Enable HTTP/HTTPS from LAN (some gui interface)
> -A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
> -A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT
>
> # Enable Squid-Proxy from LAN
> -A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT
>
> # Block STUN
> -A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
> # Block TEREDO
> -A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT
>
> # Allow Forwarding to WAN interface
> -A FORWARD -i br0 -o eth1 -j ACCEPT
> # Allow established, related packets back through
> -A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Only the lan is allowed to ping me without restriction
> -A INPUT -i br0 -p icmp -j ACCEPT
> # Else only pings with restricted icmp are allowed
> -A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
>
> # Enable TRACEroute to me from LAN
> -A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
> # Enable TRACEroute to me from internet
> -A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
>
> # Log all other
> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
> -A FORWARD -j LOG  --log-prefix "IP[FWD]: " --log-level 7
> -A OUTPUT -j LOG  --log-prefix "IP[OUT]: " --log-level 7
>
> COMMIT
> <END /etc/sysconfig/iptables>
>
> and these are logged entries:
> (only partial, as they are many)
>
> <BEGIN dmesg>
> [17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
> MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
> [17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT=
> MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
> [18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT=
> MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP
> SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
> [18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT=
> MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
> DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP
> SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0
> <END dmesg>
>
> 192.168.0.1  is the router itself
> 192.168.0.10  is a VM running another squid, using the router box as parent proxy
> 192.168.0.2   is my windows box
>
> why are these packets blocked?
>
> by the way, the router box of course has more interfaces: br0 (LAN) and eth1 (WAN). Where can I ensure that squid only listens on the LAN IP?
>
> <BEGIN squid.conf>
> acl localnet src 192.168.0.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80                # http
> acl Safe_ports port 21                # ftp
> acl Safe_ports port 443                # https
> acl Safe_ports port 70                # gopher
> acl Safe_ports port 1025-65535        # unregistered ports
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> http_access deny to_localhost
>
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # and finally allow by default
> http_reply_access allow all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/spool/squid 16400 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> acl crl-mime rep_mime_type application/x-pkcs7-crl
> no_cache deny crl-mime
>
> icon_directory /usr/share/squid/icons
> error_directory /etc/squid/errors
>
> logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access.log combined
>
> refresh_pattern ^ftp:                1440        20%        10080
> refresh_pattern ^gopher:        1440        0%        1440
> refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
> refresh_pattern .                0        20%        4320
> <END squid.conf>
>
> Thanks,
> Walter
>



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users