Old 04-14-2012, 08:46 AM
Joe
 
Squid as default gateway in proxy mode.

On Sat, 14 Apr 2012 13:04:08 +0500
Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:

> I have lately installed SQUID proxy and to avail all the facilities
> I am using it in Proxy mode, not in Transparent mode, nor did I want
> to.
>
> now the problem part is I want to ping outside host to verify the
> connectivity of internet for that all the time I have to open the SSH
> the console and ping. but what I want is, I should also ping it from
> host computers as well. however I don't want to NAT all the traffic
> coming from inside and going outside. rather what I want is just to
> NAT only ICMP Echo Rep and Req so that I can at least ping outside
> host without SSH the Squid console. which is very bothering.
> My network diagram is very simple
>
>
> <Squid
> Box>--------eth0(192.18.30.2)----------------------<192.168.30.1-ISP
> Router>
> I
> I
> eth1(192.168.1.1)
> I
> I
> (local network 192.168.1.0/24)
>
>
> And why I am using Squid as a Gateway: because I just want to minimize
> unwanted nodes that need to be monitored all the time and better
> control over traffic with IPtables firewall. I am using this line to
> NAT very specific ports to allow certain facilities like Email,
> Remote desktop and stuff. and this is working for me.
>
> iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
>
> now I am stuck on allowing the ping traffic. please help
>
>

Instead of specifying the TCP protocol, you need to specify the ICMP
protocol, and just the specific types of ICMP that you want (only TCP
and UDP have 'ports'). But the right way to do it is to NAT everything
going out with one rule, and then use iptables rules with other targets
to allow only what you want to go in or out. You can build more complex
and versatile rulesets that way. More importantly, they are easier to
read and modify later.

By the way, squid is a proxy only for the http protocol, i.e. web
pages. It does not process anything else, and is just one application
on your machine.

This isn't a Debian-specific enquiry, and you might get more replies in
a more general Linux and/or firewall newsgroup, or a forum for any
specific management software you may be using.

--
Joe


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120414094605.0bb59b9b@jretrading.com
 
Old 04-14-2012, 10:40 AM
Pascal Hambourg
 
Squid as default gateway in proxy mode.

Hello,

> Muhammad Yousuf Khan <sirtcp@gmail.com> wrote:
>
>> now the problem part is I want to ping outside host to verify the
>> connectivity of internet for that all the time I have to open the SSH
>> the console and ping. but what I want is, I should also ping it from
>> host computers as well. however I don't want to NAT all the traffic
>> coming from inside and going outside. rather what I want is just to
>> NAT only ICMP Echo Rep and Req so that I can at least ping outside
>> host

As Joe wrote, this is not the right way to do things. See below.

>> without SSH the Squid console. which is very bothering.
>> My network diagram is very simple
>>
>> <Squid
>> Box>--------eth0(192.18.30.2)----------------------<192.168.30.1-ISP
>> Router>
>> I
>> I
>> eth1(192.168.1.1)
>> I
>> I
>> (local network 192.168.1.0/24)
>>
>>
>> And why I am using Squid as a Gateway: because I just want to minimize
>> unwanted nodes that need to be monitored all the time and better
>> control over traffic with IPtables firewall. I am using this line to
>> NAT very specific ports to allow certain facilities like Email,
>> Remote desktop and stuff. and this is working for me.
>>
>> iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE

This is not the right way to do things. NAT is not intended for
filtering. By not masquerading outgoing traffic, you just let packets go
out with their original source address instead of dropping them. You
just rely on the ISP router not knowing how to handle the original
source address. This is wrong.

The right way is to only accept specific traffic through your router, and
then NAT all traffic that was allowed to go out. Ok, it is a bit more
complicated.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -o eth0 -m state --state NEW -p tcp --dport 110 -j ACCEPT

>> now i am stuck on allowing the ping traffic. please help

iptables -t filter -A FORWARD -o eth0 -p icmp --icmp-type echo-request -j ACCEPT

Joe wrote:
> only TCP and UDP have 'ports'

No. ICMP does not have ports, but other protocols such as SCTP and DCCP
have ports too.


Archive: http://lists.debian.org/4F89541A.8080501@plouf.fr.eu.org
 
Old 04-14-2012, 12:29 PM
Joe
 
Squid as default gateway in proxy mode.

On Sat, 14 Apr 2012 12:40:26 +0200
Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:

>
> Joe wrote:
> > only TCP and UDP have 'ports'
>
> No. ICMP does not have ports, but other protocols such as SCTP and
> DCCP have ports too.
>
>

Yes, I do realise there are others, but they are not among the
half-dozen or so which are likely to be encountered by someone new to
iptables, only two of which use the concept of ports. It is easy for
someone accustomed to getting Windows games working through routers to
assume that all IP protocols use ports.

--
Joe


Archive: http://lists.debian.org/20120414132904.24131ccc@jretrading.com