Iptables possible forwarding loop


b0xeruss
08-09-2004, 12:47 PM
I have the following setup:

BOX(192.168.0.1) = Firewall/router
BOX(192.168.0.2) = mail server/Proxy

My firewall that I'm testing this with looks like:

echo 1 > /proc/sys/net/ipv4/ip_forward

EXT=eth0
INT=eth1

iptables -F
iptables -t nat -F
iptables -X

echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward



iptables -P INPUT DROP

iptables -A FORWARD -s 192.168.0.2/24 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -s 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -d ! 192.168.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:3128
iptables -t nat -A POSTROUTING -o $INT -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1



iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT -j ACCEPT
iptables -A INPUT -i $INT -p tcp --dport 22 -j ACCEPT

iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT -j ACCEPT

iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#iptables -t nat -A PREROUTING -i $EXT -p tcp --dport 80 -j DNAT --to 192.168.0.3:3128



iptables -A INPUT -i $EXT -p icmp --icmp-type "echo-reply" -j ACCEPT
iptables -A INPUT -i $EXT -p icmp --icmp-type "destination-unreachable" -j ACCEPT
iptables -A INPUT -i $EXT -p icmp --icmp-type "time-exceeded" -j ACCEPT
iptables -A INPUT -i $EXT -p icmp -j DROP
iptables -A OUTPUT -o $EXT -p icmp --icmp-type ! "echo-request" -j DROP
iptables -A FORWARD -i $EXT -p icmp -j DROP

/etc/init.d/iptables start
/etc/init.d/iptables save
/etc/init.d/iptables stop
/etc/init.d/iptables start

echo ""
echo ""
echo "Firewall Loaded with no errors"



I keep getting an error when trying to access any webpage:
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: http://www.gentoo.org/

The following error was encountered:

Unable to determine IP address from host name for www.gentoo.org
The dnsserver returned:

Name Error: The domain name does not exist.
This means that:

The cache was not able to resolve the hostname presented in the URL.
Check if the address is correct.
Your cache administrator is webmaster.

The access.log file has this:
1091969800.939 4 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091969801.986 51 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091970048.740 4 192.168.0.1 TCP_MISS/503 1371 GET http://www.clamav.net/ - NONE/- text/html
1091970596.945 2 192.168.0.1 TCP_MISS/503 1371 GET http://www.clamav.net/ - NONE/- text/html
1091970598.007 2 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091970986.384 4 192.168.0.1 TCP_MISS/503 1351 GET http://google.ca/ - NONE/- text/html
1091971008.600 3 192.168.0.1 TCP_MISS/503 1351 GET http://google.ca/ - NONE/- text/html
1091971535.220 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091971604.374 5 192.168.0.1 TCP_MISS/503 1363 GET http://www.google.ca/ - NONE/- text/html
1091971618.229 3 192.168.0.1 TCP_MISS/503 1366 GET http://www.google.com/ - NONE/- text/html
1091972311.623 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091973412.442 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091973450.587 1 192.168.0.1 TCP_MISS/503 1377 GET http://www.pastebin.com/ - NONE/- text/html
1091973660.046 5 192.168.0.1 TCP_MISS/503 1402 POST http://forums.gentoo.org/search.php? - NONE/- text/html
1091975549.107 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091975815.745 2 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091975863.113 2 192.168.0.1 TCP_MISS/503 1371 GET http://www.gentoo.org/ - NONE/- text/html
1091976818.551 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976821.416 873 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976840.227 323 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976841.312 77 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976849.586 2 192.168.0.1 TCP_MISS/503 1371 GET http://www.gentoo.org/ - NONE/- text/html
1091976851.523 979 192.168.0.1 TCP_MISS/503 1371 GET http://www.gentoo.org/ - NONE/- text/html
1091976985.458 4 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976987.837 382 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091976991.964 2 192.168.0.1 TCP_MISS/503 1377 GET http://www.slashdot.org/ - NONE/- text/html
1091977233.993 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091977254.608 3 192.168.0.1 TCP_MISS/503 1363 GET http://www.google.ca/ - NONE/- text/html
1091977341.940 3 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html
1091977605.646 4 192.168.0.1 TCP_MISS/503 1368 GET http://www.google.ca/ - NONE/- text/html

Cache.log

2004/08/08 05:59:45| Starting Squid Cache version 2.5.STABLE6 for i586-pc-linux-gnu...
2004/08/08 05:59:45| Process ID 1821
2004/08/08 05:59:45| With 1024 file descriptors available
2004/08/08 05:59:45| Performing DNS Tests...
2004/08/08 05:59:45| Successful DNS name lookup tests...
2004/08/08 05:59:45| DNS Socket created at 0.0.0.0, port 1032, FD 4
2004/08/08 05:59:45| Adding nameserver 192.168.0.1 from /etc/resolv.conf
2004/08/08 05:59:45| Unlinkd pipe opened on FD 9
2004/08/08 05:59:45| Swap maxSize 102400 KB, estimated 7876 objects
2004/08/08 05:59:45| Target number of buckets: 393
2004/08/08 05:59:45| Using 8192 Store buckets
2004/08/08 05:59:45| Max Mem size: 8192 KB
2004/08/08 05:59:45| Max Swap size: 102400 KB
2004/08/08 05:59:45| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
2004/08/08 05:59:45| Using Least Load store dir selection
2004/08/08 05:59:45| Current Directory is /usr/local/squid
2004/08/08 05:59:45| Loaded Icons.
2004/08/08 05:59:45| Accepting HTTP connections at 0.0.0.0, port 3128, FD 10.
2004/08/08 05:59:45| Accepting ICP messages at 0.0.0.0, port 3130, FD 11.
2004/08/08 05:59:45| WCCP Disabled.
2004/08/08 05:59:45| Ready to serve requests.
2004/08/08 05:59:46| Done scanning /usr/local/squid/var/cache swaplog (0 entries)
2004/08/08 05:59:46| Finished rebuilding storage from disk.
2004/08/08 05:59:46| 0 Entries scanned
2004/08/08 05:59:46| 0 Invalid entries.
2004/08/08 05:59:46| 0 With invalid flags.
2004/08/08 05:59:46| 0 Objects loaded.
2004/08/08 05:59:46| 0 Objects expired.
2004/08/08 05:59:46| 0 Objects cancelled.
2004/08/08 05:59:46| 0 Duplicate URLs purged.
2004/08/08 05:59:46| 0 Swapfile clashes avoided.
2004/08/08 05:59:46| Took 0.6 seconds ( 0.0 objects/sec).
2004/08/08 05:59:46| Beginning Validation Procedure
2004/08/08 05:59:46| Completed Validation Procedure
2004/08/08 05:59:46| Validated 0 Entries
2004/08/08 05:59:46| store_swap_size = 0k
2004/08/08 05:59:46| storeLateRelease: released 0 objects

Any ideas as to what I'm doing wrong? If you think my proxy code could be wrong, please post what you think it should be and I will test it.

Proxy IPtables code:
iptables -A FORWARD -s 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -d ! 192.168.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:3128
iptables -t nat -A POSTROUTING -o $INT -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1

Note:
- I can access the internet from BOX2 (Proxy) through Lynx. The computers that I can't access the internet from are the clients on the DHCP network, IPs 192.168.10-50.


Thank you.

b0xeruss
08-09-2004, 01:18 PM
I'm a fool. Probably should have checked here first.
http://tldp.org/HOWTO/TransparentProxy.html#toc5

b0xeruss
08-09-2004, 08:31 PM
I used the code in the example at TLDP, but my proxy still isn't getting requests from any clients to access the net through the proxy... they just go straight through without stopping by the proxy.


iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT



What's wrong with this?

On my iptables machine, eth0 is the external internet card and eth1 is the internal LAN card.

Also, squid works if I manually tell the web browser to use the squid-box as proxy.
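A ruleset for the topology described in the last post (eth0 external, eth1 internal, Squid on 192.168.0.2:3128, gateway 192.168.0.1), written as an added example and not taken from the thread or from the TLDP page: it keeps the TLDP pattern but matches the LAN interface in PREROUTING, and keeps the squid-box exclusion that prevents the forwarding loop the title refers to. The IPT/EXT/INT/LAN/GW_LAN_IP/SQUID variables, the `echo` dry-run default and the current `! -s` negation syntax are assumptions of mine.

```shell
#!/bin/sh
# Transparent-proxy rules for: iptables-box 192.168.0.1 (eth0 = Internet, eth1 = LAN),
# squid-box 192.168.0.2:3128 on the same LAN segment as the clients.
# IPT defaults to "echo" so the rules are printed for review instead of loaded;
# run with IPT=iptables as root to apply them. (Added example, not from the thread.)
IPT="${IPT:-echo}"
EXT="${EXT:-eth0}"              # external NIC on the iptables box
INT="${INT:-eth1}"              # LAN NIC: clients AND the squid-box sit behind this one
LAN="${LAN:-192.168.0.0/24}"
GW_LAN_IP="${GW_LAN_IP:-192.168.0.1}"
SQUID="${SQUID:-192.168.0.2}"
SQUID_PORT="${SQUID_PORT:-3128}"

transparent_proxy_rules() {
    # 1. Redirect LAN web traffic to Squid. The TLDP example uses "-i eth0" because
    #    there eth0 is the LAN side; with eth0 as the Internet side, client packets
    #    never match that rule and are routed straight out. "! -s $SQUID" keeps
    #    Squid's own origin-server fetches from being DNATed back to itself (the loop).
    $IPT -t nat -A PREROUTING -i "$INT" ! -s "$SQUID" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID:$SQUID_PORT"
    # 2. Client and Squid share a segment, so the redirected packet leaves via $INT
    #    again. SNAT to the gateway's LAN address forces Squid's reply back through
    #    this box so the DNAT can be reversed; otherwise Squid would answer the client
    #    directly from 192.168.0.2:3128 and the client would discard the reply.
    $IPT -t nat -A POSTROUTING -o "$INT" -s "$LAN" -d "$SQUID" \
        -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$GW_LAN_IP"
    # 3. Permit the hairpinned LAN -> Squid flow (in and out on the LAN interface).
    $IPT -A FORWARD -i "$INT" -o "$INT" -s "$LAN" -d "$SQUID" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # 4. Squid itself still needs the normal path to the Internet, and replies back in.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$SQUID" -j ACCEPT
    $IPT -A FORWARD -i "$EXT" -o "$INT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
}

transparent_proxy_rules
```

The FORWARD rules assume a restrictive default policy like the one in the first post; with IPT left at `echo` the script can be reviewed on any machine before it touches a firewall.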