On Jan 8, 2008 10:33 PM, Darragh <lists at digitaldarragh.com> wrote:
> Hello there,
> I may be stretching the functionality that one machine can provide and if
> so, that's fine, but better to be sure about these things.
>
> On that machine with the squid proxy and the iptables set up that I spoke
> about during the weekend, I have a mail server running that delivers mail
> via IMAP and webmail.
> IMAP is working perfectly and webmail is accessible from the LAN, but I
> can't access port 80 from the internet like I could before configuring
> iptables.
>
> My thinking was that because there are connections coming in on port 80
> and I've instructed iptables to forward all connections on port 80 to squid
> at 3028, it is seeing this connection on port 80 as something that needs
> to be forwarded as well.
>
> I had an idea that that could be the cause of my problem but, after
> thinking about it, that couldn't be, as I can access the server over port
> 80 internally, so it must be something I've done wrong somewhere.
>
> My problem is, I cannot adequately read these blasted iptables entries.
> I've tried iptables -L -n and that is definitely more descriptive than -L
> on its own, but I'm still not seeing a reason why connections made from
> the internet are rejected.
>
> Here is the output of iptables.
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> ACCEPT icmp -- 192.168.2.25 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1214
> DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1214
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 state NEW LOG flags 0 level 4 prefix `LOW PORT TCP CONNECTION: '
> LOG udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:0:1023 LOG flags 0 level 4 prefix `LOW PORT UDP CONNECTION: '
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:1024:65535 LOG flags 0 level 4 prefix `HIGH PORT UDP CONNECTION: '
> LOG udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:1024:65535 LOG flags 0 level 4 prefix `HIGH PORT UDP CONNECTION:'
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `NEW NOT SYN: '
> LOG icmp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `ECHO: '
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:123
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Can anyone tell me if I'm completely overlooking something?
> Or, better again, is there a better way of understanding these iptables
> rules?
>
> Thanks
>
> Darragh
Forward only internal addresses to squid, excluding requests with the server address:

# "! -d" negates the destination match, so requests addressed to the server itself are not redirected
iptables -A PREROUTING -t nat -p tcp -i $INTERNAL_INTERFACE ! -d $SERVER_ADDRESS --dport 80 -j DNAT --to-destination $SERVER_ADDRESS:3028

something like that
--
Pawel Bogucki
Skype: pbogu_
JabberID: pawel.bogucki at gmail.com
GSM: +353 85 8184879
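As an added example, not code from Pawel's reply: the same rule written in iptables-restore form, restricted to the LAN interface and exempting the server's own address, plus a small helper that shows which flows the rule catches and which it leaves alone. The interface name and addresses are assumed placeholders; note that iptables -L -n lists only the filter table, so this redirect rule only appears under iptables -t nat -L -n.

```shell
#!/bin/sh
# Added example (not from the thread). The values below are assumptions:
INTERNAL_INTERFACE="eth1"      # LAN-facing interface (assumed)
SERVER_ADDRESS="192.168.2.1"   # the server's own LAN address (assumed)
SQUID_PORT="3028"              # Squid port as quoted in the thread

# Print the nat table in iptables-restore format so the rule can be
# reviewed, then loaded as root with: iptables-restore -n < rules.nat
emit_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only packets entering on the LAN interface are candidates, and only when
# they are NOT addressed to this server, so webmail on port 80 keeps working
# from the LAN and from the Internet (which arrives on a different interface).
-A PREROUTING -i $INTERNAL_INTERFACE -p tcp ! -d $SERVER_ADDRESS --dport 80 -j DNAT --to-destination $SERVER_ADDRESS:$SQUID_PORT
COMMIT
EOF
}

# Mirror of the rule's match logic, to reason about which flows are
# redirected without touching the kernel. Args: in_interface dst_ip dst_port
would_redirect() {
    [ "$1" = "$INTERNAL_INTERFACE" ] || return 1   # must enter on the LAN side
    [ "$2" != "$SERVER_ADDRESS" ]    || return 1   # the server itself is exempt
    [ "$3" = "80" ]                  || return 1   # plain HTTP only
    return 0
}

# After loading, confirm with the nat-table listing; the filter-table view
# from "iptables -L -n" never shows this rule:
#   iptables -t nat -L PREROUTING -n -v --line-numbers

emit_nat_rules   # print the rule set for review
```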