Re: Squid Accelerator configuration


Reposting with some more information.  I've set iptables to drop-n-log bad 
packets and here's what I'm getting when I try and connect to my squid 
server. 
I'm not sure why these packets are being dropped, as my rules are set up to 
allow and forward connections to port 80.  I'm not sure why port 113 is in 
the mix.
The relevant machines are:

192.168.1.1 - squidbox
192.168.1.5 - backend WWW server
192.168.1.205 - testing box/client

Jul 19 15:18:19 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43600 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 15:18:19 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43601 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 15:18:19 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54028 DF PROTO=TCP SPT=43595 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 15:18:22 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43600 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 15:18:22 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43601 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 15:18:24 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.205 LEN=1423 TOS=0x00 PREC=0x00 TTL=64 ID=33313 DF PROTO=TCP SPT=80 DPT=42536 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 19 15:18:28 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43600 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 15:18:28 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43601 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 15:18:41 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43601 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 15:18:45 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.205 LEN=1423 TOS=0x00 PREC=0x00 TTL=64 ID=33332 DF PROTO=TCP SPT=80 DPT=42539 WINDOW=6432 RES=0x00 ACK PSH URGP=0
Jul 19 15:18:45 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.205 LEN=1423 TOS=0x00 PREC=0x00 TTL=64 ID=33332 DF PROTO=TCP SPT=80 DPT=42539 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jul 19 15:18:59 squidbox last message repeated 6 times

Again, any assistance would be greatly appreciated.  If you would like my 
complete iptables script, please let me know and I'll be happy to post.


Thanks.
---------------------
Jim Matthews 
ISS Systems Administrator 
Duke University - Perkins Library
Box 90196
Durham, NC 27708
Email: jim.matthews@xxxxxxxx
Voice: 919-660-5963
Fax: 919-684-6990



Jim Matthews/Libraries/Provost/Academic/Univ/Duke
07/15/2004 10:46 AM

To: netfilter@xxxxxxxxxxxxxxxxxxx
cc:
Subject: Squid Accelerator configuration

Hi

We have a backend web server.  To off-load some of the load from the 
backend server, we have a Squid server in front. 

I am having an issue with my iptables configuration on my Squid box. 
Everything works correctly when I disable the firewall (no good), so I'm 
having problems with my rules on the Squid server.  I want to configure 
the systems so that:

-On Squid-
-allow all requests from Internet to port 80
-allow all requests from WWW box to/from port 80

-On WWW-
-allow all forwarded requests to/from Squid Box to port 80
-do not allow requests from Internet to port 80

Has anyone set up something similar?  Any suggestions or pointers on how to 
configure this?

Here is the ruleset I'm using on my Squid box:

# Squid
# These rules are to allow testing from the internal network - the first two rules are for the Squid port
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport squid -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --sport squid -m state --state ESTABLISHED -j ACCEPT

# These two rules are for the http port
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -p tcp -m tcp --sport http -m state --state ESTABLISHED -j ACCEPT

# These two rules should cover the forwarding of connections for the backend WWW server
-A FORWARD -s 0/0 -d 192.168.1.5 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -d 0/0 -s 192.168.1.5 -p TCP -m state --state ESTABLISHED -j ACCEPT

Any help you could give would be greatly appreciated.  Thanks.

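Every drop-n-log record in the reply above has an empty IN= and OUT=eth0, which in netfilter's LOG format marks a packet the squid box generated itself, so these drops happened in the OUTPUT chain (whose posted rules accept only ESTABLISHED traffic), not in FORWARD. The triage script below is an added example, not code from the post or from the netfilter project: it parses such LOG lines, infers the chain from IN=/OUT=, and lists the connections the box itself tried to open; the sample records are three of the post's own lines re-joined onto single lines.

```python
import re
from collections import Counter

# Constructed sample: three drop-n-log records from the post, re-joined onto
# single lines (the mail client wrapped them).
SAMPLE_LOG = """\
Jul 19 15:18:19 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43600 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 15:18:19 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54027 DF PROTO=TCP SPT=43601 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 15:18:24 squidbox kernel: drop-n-log:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.205 LEN=1423 TOS=0x00 PREC=0x00 TTL=64 ID=33313 DF PROTO=TCP SPT=80 DPT=42536 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
"""
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

def parse_log_line(line):
    """KEY=VALUE fields of a netfilter LOG record; bare TCP flag tokens are
    joined under 'flags'. None for non-LOG lines ('last message repeated')."""
    m = re.search(r"\bIN=", line)
    if m is None:
        return None
    rec, flags = {}, []
    for tok in line[m.start():].split():
        if "=" in tok:
            rec.update([tok.split("=", 1)])
        elif tok in TCP_FLAGS:
            flags.append(tok)
    rec["flags"] = " ".join(flags) or "-"
    return rec

def chain_of(rec):
    """Empty IN= with OUT= set means a locally generated packet dropped in
    OUTPUT (not FORWARD); IN= only is INPUT; both set is FORWARD."""
    if rec.get("IN") and rec.get("OUT"):
        return "FORWARD"
    return "OUTPUT" if rec.get("OUT") else "INPUT"

def summarize_drops(text):
    """Count dropped packets per (chain, src, dst, proto, dport, flags)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[(chain_of(rec), rec.get("SRC"), rec.get("DST"),
                    rec.get("PROTO"), rec.get("DPT"), rec["flags"])] += 1
    return counts

def local_new_connections(counts):
    """(dst, dport) pairs the box itself tried to open (bare SYN in OUTPUT);
    each needs an OUTPUT rule that accepts state NEW, which the post lacks."""
    return sorted({(dst, dpt) for (chain, _, dst, _, dpt, flags) in counts
                   if chain == "OUTPUT" and flags == "SYN"})
```

Run against the full log, the SYNs to 192.168.1.5:80 (Squid to the backend) and to 192.168.1.205:113 (ident on the client) show up as locally opened connections, which is why the FORWARD rules never come into play.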


