127.0.0.1 is allowed

2007-03-08 Thread Carolyn Debian


I do have "Allow 127.0.0.1" if you look at my first post. And I can access the 
website hosted by my gateway machine. I feel like maybe my iptable doesn't forward my 
http request outside the LAN. I'm a novice on iptables.

In tinyproxy.log, I could see:

CONNECT ... Connect (file descriptor 7): [192.168.1.1]
CONNECT ... Request (file descriptor 7): GET http://google.com/HTTP/1.1
INFO ... No proxy for google.come
ERROR ... opensock: connect() error "Connection refused".
INFO ... Not sending client headers to remote machine

This is what's in tinyproxy.log when I tried to browse the website hosted on 
192.168.1.1:

CONNECT ... Connect (file descriptor 7): [192.168.1.1]
CONNECT ... Request (file descriptor 7): GET http://my.dyndns.org/HTTP/1.1
INFO ... No proxy for my.dyndns.org
CONNECT ... Established connection to host "my.dyndns.org" using file 
descriptor 8.
INFO ... Closed connection between local client and remote client

I feel it must have something to do with the iptable set in my firewall.sh.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: 127.0.0.1 is allowed

2007-03-08 Thread Luis
Exactly what do you plan to do?
Mount a proxy to allow more computers to connect, right?

I think you should install squid

and with iptables redirect all the internal ports to the port of your proxy
and all should be ok,
I think.

>
> I do have "Allow 127.0.0.1" if you look at my first post. And I can access
> the website hosted by my gateway machine. I feel like maybe my iptable
> doesn't forward my http request outside the LAN. I'm a novice on iptables.
>
> In tinyproxy.log, I could see:
>
> CONNECT ... Connect (file descriptor 7): [192.168.1.1]
> CONNECT ... Request (file descriptor 7): GET http://google.com/HTTP/1.1
> INFO ... No proxy for google.come
> ERROR ... opensock: connect() error "Connection refused".
> INFO ... Not sending client headers to remote machine
>
> This is what's in tinyproxy.log when I tried to browse the website hosted
> on 192.168.1.1:
>
> CONNECT ... Connect (file descriptor 7): [192.168.1.1]
> CONNECT ... Request (file descriptor 7): GET http://my.dyndns.org/HTTP/1.1
> INFO ... No proxy for my.dyndns.org
> CONNECT ... Established connection to host "my.dyndns.org" using file
> descriptor 8.
> INFO ... Closed connection between local client and remote client
>
> I feel it must have something to do with the iptable set in my
> firewall.sh.
>


-- 
Luis A. Rondon Paz
Admin intranet CNT
icq #132736035
[EMAIL PROTECTED]
Santiago de Cuba
UONET Cuba
phone (53)022-633011--702
DEBIAN LINUX - The Choice of my Generation

-

If you plan for a year, sow wheat; if you plan for ten years,
plant a tree; if you plan for a lifetime, educate yourself.

- Lao Tsé





Re: 127.0.0.1 is allowed

2007-03-08 Thread Ansgar -59cobalt- Wiechers
On 2007-03-08 Carolyn Debian wrote:
> I feel it must have something to do with the iptable set in my firewall.sh.

Perhaps if you'd provide your iptables ruleset, someone would be able to
tell you whether your feeling betrays you or not.

Regards
Ansgar Wiechers
-- 
"If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology."
--Bruce Schneier





Re: 127.0.0.1 is allowed

2007-03-08 Thread Carolyn Debian


My iptable ruleset is included in my very first post.

I don't need squid because I use tinyproxy.

Here is the error page I end up when trying to go to google.com in IE:

The request you made failed. Here are the error variables:

request:    GET http://google.com/ HTTP/1.1
cause:      Unable to connect
clientip:   127.0.0.1
clienthost: localhost.localdomain
version:    1.6.3
package:    tinyproxy
date:       Thu, 08 Mar 2007 17:31:31 GMT
detail:     tinyproxy was unable to connect to the remote web server.
url:        (unknown)


I think either tinyproxy is not working right or the iptable rule has a 
problem. I don't know how to debug tinyproxy and I have very, very limited 
knowledge of iptable.





Re: 127.0.0.1 is allowed

2007-03-08 Thread Ansgar -59cobalt- Wiechers
On 2007-03-08 Carolyn Debian wrote:
> My iptable ruleset is included in my very first post.

Nope. You wrote that you had attached it, but there wasn't anything
attached.

Regards
Ansgar Wiechers
-- 
"If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology."
--Bruce Schneier





Re: 127.0.0.1 is allowed

2007-03-08 Thread Carolyn Debian


My iptable rules are not attached but included in the first post. Am I seeing a 
different version than you? Anyway, here they are:

#!/bin/sh

INTIF="eth1"
INTNET="192.168.1.0/24"
INTIP="192.168.1.1/24"
EXTIF="ppp0"
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

UNIVERSE="0.0.0.0/0"
REMOTEIP="72.58.128.0/24"

iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat

if [ "`iptables -L | grep drop-and-log-it`" ]; then
    iptables -F drop-and-log-it
fi

iptables -X

iptables -Z

iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
iptables -A INPUT -i $EXTIF -s $REMOTEIP -d $UNIVERSE -j ACCEPT
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

# Fix the problem of not being able to access some websites.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -j drop-and-log-it
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP





Re: 127.0.0.1 is allowed

2007-03-08 Thread Paolo
On Thu, Mar 08, 2007 at 07:54:22PM +0100, Carolyn Debian wrote:
> 
> INTIF="eth1"
> INTNET="192.168.1.0/24"
> INTIP="192.168.1.1/24"
   
that looks wrong, should be 192.168.1.1/32 or just 192.168.1.1

> UNIVERSE="0.0.0.0/0"
> REMOTEIP="72.58.128.0/24"

Same here (maybe): is that the IP (range) of your provider's gw? Isn't it 
a fixed IP? 

Anyway, your proxy config is missing from all msgs you posted (afaikt).

--
paolo





Re: 127.0.0.1 is allowed

2007-03-08 Thread Ansgar -59cobalt- Wiechers
On 2007-03-08 Carolyn Debian wrote:
> My iptable rules are not attached but included in the first post. Am I 
> seeing a different version than you?

Looks like it.

> Anyway, here they are:

The script looks okay to me. I suggested some simplifications (see
below), but AFAICS the ruleset should work. Check the logs, though. If
your ruleset drops packets it shouldn't, they will show up there. And
maybe try accepting all outbound traffic on the external interface:

  iptables -A OUTPUT -o $EXTIF -j ACCEPT

instead of accepting only traffic with source address $EXTIP.

What connections is tinyproxy actually trying to establish when you try
to load a page in your browser? Can you run a sniffer (e.g. tcpdump or
tshark) on the remote host? And could you post the config again, please?
Just like your firewall ruleset I didn't see it included in your first
mail.

> #!/bin/sh
> 
> INTIF="eth1"
> INTNET="192.168.1.0/24"
> INTIP="192.168.1.1/24"

If you want this to be a host address you need /32 here.

> EXTIF="ppp0"
> EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

Just some cosmetics, but awk is all you need here:

EXTIP="`/sbin/ifconfig $EXTIF | awk '/inet/ {sub(".*:","",$2); print $2}'`"

> /sbin/depmod -a
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_conntrack_irc
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_nat_irc
> 
> UNIVERSE="0.0.0.0/0"
> REMOTEIP="72.58.128.0/24"

Is that supposed to be a host or a network address? Since the last
octet is zero I'll assume that it's a network address. In that case
REMOTENET would be a more appropriate name for the variable. However,
AFAICS you need neither $UNIVERSE nor $REMOTEIP for your ruleset (see
below).

> iptables -P INPUT DROP
> iptables -F INPUT
> iptables -P OUTPUT DROP
> iptables -F OUTPUT
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -F -t nat

You can flush all chains at once:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -F
iptables -t nat -F

> if [ "`iptables -L | grep drop-and-log-it`" ]; then
> iptables -F drop-and-log-it
> fi
> 
> iptables -X

No point in flushing a user-defined chain if you're going to delete it
anyway.

> iptables -Z
> 
> iptables -N drop-and-log-it
> iptables -A drop-and-log-it -j LOG --log-level info
> iptables -A drop-and-log-it -j REJECT
> 
> iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
> iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

As a general note: 0.0.0.0/0 is implicitly assumed when you leave out -s
or -d. Makes your rules more readable. Also I'd accept only NEW inbound
connections.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET -m state --state NEW -j ACCEPT
iptables -A INPUT -i $EXTIF -s $INTNET -j drop-and-log-it
iptables -A INPUT -i $EXTIF -d $EXTIP -m state --state NEW -j ACCEPT

> iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

You should accept ESTABLISHED and RELATED traffic on all interfaces, not
only on the external.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

> iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

This rule is pointless, because you already accept all traffic to $EXTIP
on the external interface.

> iptables -A INPUT -i $EXTIF -s $REMOTEIP -d $UNIVERSE -j ACCEPT

What's this rule supposed to achieve? You're already accepting traffic
from the world on the external interface.

> iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

iptables -A INPUT -j drop-and-log-it

> iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
> iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

The OUTPUT chain handles traffic that originates from the host itself,
thus traffic with $EXTIP should not be going out on $INTIF.

> iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
> iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
> iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

This will suffice:

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $EXTIF -s $EXTIP -j ACCEPT
iptables -A OUTPUT -j drop-and-log-it

> # Fix the problem of not being able to access some websites.
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

Just accept all ESTABLISHED and RELATED traffic. Saves you trouble.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

> iptables -A 
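
Paolo's and Ansgar's remarks about INTIP both come down to how iptables treats a prefix length on a host address: the host bits are masked off, so "192.168.1.1/24" matches the whole LAN. The Python below is added here and is not from the thread; it uses the standard ipaddress module to show what the posted variable values really match. Only the variable names and values are taken from the posted firewall.sh; the function names and the sample packet address are mine.

```python
import ipaddress

# Variable values copied from the firewall.sh posted in the thread.
# The dictionary and the comments are mine, not part of the script.
FIREWALL_VARS = {
    "INTIP": "192.168.1.1/24",      # meant to be the gateway's own LAN address
    "INTNET": "192.168.1.0/24",
    "REMOTEIP": "72.58.128.0/24",   # named like a host, shaped like a network
}


def effective_match(spec):
    """Return the network an iptables -s/-d argument really matches.

    iptables clears the host bits under the mask, so "192.168.1.1/24"
    matches all of 192.168.1.0/24, not just the .1 host."""
    return ipaddress.ip_network(spec, strict=False)


def is_host_match(spec):
    """True when the spec selects exactly one address (a /32 or a bare IP)."""
    return effective_match(spec).num_addresses == 1


def source_rule_matches(spec, packet_src):
    """Would a rule written with -s <spec> match a packet from packet_src?"""
    return ipaddress.ip_address(packet_src) in effective_match(spec)


def audit_vars(variables):
    """Flag variables whose name says 'IP' but whose value matches a range.

    Returns {name: effective network as a string} for each finding."""
    findings = {}
    for name, spec in variables.items():
        if name.endswith("IP") and not is_host_match(spec):
            findings[name] = str(effective_match(spec))
    return findings


if __name__ == "__main__":
    for name, net in audit_vars(FIREWALL_VARS).items():
        print(f"{name}={FIREWALL_VARS[name]} actually matches {net}")
    # The posted OUTPUT rule "-o $INTIF -s $INTIP -d $INTNET -j ACCEPT" is
    # meant to pass the gateway's own traffic; with the /24 its -s match
    # also covers any other 192.168.1.x source (sample address is constructed).
    print(source_rule_matches(FIREWALL_VARS["INTIP"], "192.168.1.77"))  # True
    print(source_rule_matches("192.168.1.1/32", "192.168.1.77"))        # False
```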

Re: 127.0.0.1 is allowed

2007-03-09 Thread mouss

Carolyn Debian wrote:
> I do have "Allow 127.0.0.1" if you look at my first post. And I can 
> access the website hosted by my gateway machine. I feel like maybe my 
> iptable doesn't forward my http request outside the LAN. I'm a novice 
> on iptables.
> 
> In tinyproxy.log, I could see:
> 
> CONNECT ... Connect (file descriptor 7): [192.168.1.1]
> CONNECT ... Request (file descriptor 7): GET http://google.com/HTTP/1.1
> INFO ... No proxy for google.come
> ERROR ... opensock: connect() error "Connection refused".
> INFO ... Not sending client headers to remote machine
> 
> This is what's in tinyproxy.log when I tried to browse the website 
> hosted on 192.168.1.1:
> 
> CONNECT ... Connect (file descriptor 7): [192.168.1.1]
> CONNECT ... Request (file descriptor 7): GET http://my.dyndns.org/HTTP/1.1
> INFO ... No proxy for my.dyndns.org
> CONNECT ... Established connection to host "my.dyndns.org" using file 
> descriptor 8.
> INFO ... Closed connection between local client and remote client
> 
> I feel it must have something to do with the iptable set in my 
> firewall.sh.


From the machine, try
   wget http://www.google.com/
and see if this works. If it does not, then the issue is with iptables 
or another firewall, or is a DNS setup issue.


