  1. #1
    Linux Newbie
    Join Date
    Jul 2005
    Location
    Australia (Down Under)
    Posts
    141

    [SOLVED] Help with my IPTABLES (simple I hope)


    G'day All,

    I want to setup SSH to my squid box, but i believe that my iptables are blocking access.

    Background Info

    I have set up a squid proxy server with 2 NICs at home. The reason for 2 NICs is to force all PCs to go through my proxy transparently. This is all working fine!

    My setup is as follows (hope you can follow):
    Internet - Router - eth2 Squid Box eth0 - LAN Computers

    FYI the Squid box does DHCP; all of my clients get an IP from it, and it is their default gateway.

    I know how to set up port forwarding on my router and have done so many times before, so I imagine that I am being blocked by my iptables.

    My IPTABLES are set from a script when my squid box starts up. The script is as follows. Sorry I can't cut it down, as I'm not sure what is relevant and what is not!

    Iptables:

    #!/bin/sh
    # squid server IP
    SQUID_SERVER="192.168.2.254"
    # Interface connected to Internet
    INTERNET="eth2"
    # Interface connected to LAN
    LAN_IN="eth0"
    # Squid port
    SQUID_PORT="8080"
    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    ####modprobe ip_conntrack
    ####modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    ####echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow return traffic for connections this box started (covers UDP, DNS replies and Passive FTP)
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    ####iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP


    Another FYI:
    From behind the proxy (in the LAN) I can SSH to both interfaces with no problem; I just can't port forward to the one on the "WAN" side.

    Also, I only have two NICs in the box, but I'm not sure why I have eth0 and eth2 and not an eth1 - to be honest I don't really care.

    Running Debian Lenny
    Both NICS have static IP
    Box Issues DHCP

    Thanks for your help!!
    Linux is the OS of tomorrow, Here today!!

  2. #2
    Linux Newbie
    Join Date
    Jul 2005
    Location
    Australia (Down Under)
    Posts
    141

    Solved - PEBCAK Issue

    Hi All,

    I have resolved my issue, the issue was with IPTABLES as I had expected. (Point to self)

    The problem was I was adding the allow-SSH rule in my IPTABLES at the end of the script, i.e. before the "Block", and the rule wasn't being read by IPTABLES.

    So my script now looks like this:

    #!/bin/sh
    # squid server IP
    SQUID_SERVER="192.168.2.254"
    # Interface connected to Internet
    INTERNET="eth2"
    # Interface connected to LAN
    LAN_IN="eth0"
    # Squid port
    SQUID_PORT="8080"
    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    ####modprobe ip_conntrack
    ####modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    ####echo 1 > /proc/sys/net/ipv4/ip_forward
    # Allow new SSH connections (must sit before the LOG/DROP rules at the end of the chain)
    iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow return traffic for connections this box started (covers UDP, DNS replies and Passive FTP)
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    ####iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP


    (Remove Point from self)
    So my score is Nil!

    If this helps anyone, anyone at all, I would love to hear a response!!
    Linux is the OS of tomorrow, Here today!!
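The ordering mistake described in post #2 can be caught before the script is ever loaded. The following is an added example, not code from the original posts: a POSIX sh check (the function name check_input_order is mine) that scans a firewall script for INPUT rules appended after the unconditional "iptables -A INPUT -j DROP", run here against two constructed excerpts of the scripts above.

```shell
#!/bin/sh
# Added example (not from the original post). iptables evaluates a chain
# top to bottom and stops at the first matching rule, so any "-A INPUT"
# rule appended after the unconditional "iptables -A INPUT -j DROP" can
# never match. This check reads a firewall script and reports such dead
# rules; it needs no root because it never runs iptables itself.

# Usage: check_input_order SCRIPT; prints dead rules, returns 1 if any exist.
check_input_order() {
    awk '
        # First unconditional drop: "-A INPUT -j DROP" with no match options.
        /^[ \t]*iptables -A INPUT -j DROP[ \t]*$/ && !drop { drop = NR; next }
        # Anything appended to INPUT after it is unreachable.
        drop && /^[ \t]*iptables -A INPUT / {
            printf "line %d unreachable (catch-all DROP is on line %d): %s\n", NR, drop, $0
            dead = 1
        }
        END { exit dead ? 1 : 0 }
    ' "$1"
}

# Constructed excerpt of the first script with the SSH rule appended last.
BROKEN=$(mktemp)
cat > "$BROKEN" <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
EOF

# Constructed excerpt of the fixed script: SSH rule before the catch-all.
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
EOF

check_input_order "$BROKEN" || echo "broken ordering: dead rule(s) found"
check_input_order "$FIXED" && echo "fixed ordering: every INPUT rule reachable"
```

On the live box, iptables -L INPUT -n -v --line-numbers shows the same ordering together with per-rule packet counters, so a rule that never matches stays at zero.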
