Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.

Hello Eliezer,

it is just this:

# Generated by iptables-save v1.4.7 on Wed Jul 19 20:25:22 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p icmp -j ACCEPT
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3478 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3544 -j REJECT --reject-with icmp-port-unreachable

-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
COMMIT
# Completed on Wed Jul 19 20:25:22 2017

Walter

On 19.07.2017 20:03, Eliezer Croitoru wrote:

Hey Walter,

Can you please paste the output of "iptables-save" for me?
It's easier for me to read plain iptables-save than iptables -Lnv or any other 
format.
Then I would be able to send you a file that you can just pull into 
iptables-restore which should work.

And just to clear out my doubts on the scenario:
Are the RST packets coming from the gateway (192.168.0.1) but for requests from 
the local proxy (192.168.0.10)?
To eliminate a couple of things, can you test the next rule on the GW:
iptables -I INPUT -s 192.168.0.10 -j ACCEPT

And see if it changes anything at all?

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Walter H.
Sent: Tuesday, July 18, 2017 15:29
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) 
accepts them ...

Hello,

my Router Box runs a CentOS 6, with the EPEL squid34 RPM package

this is the iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow multicast
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT

# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow anything out on LAN
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable DHCP for LAN
-A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Enable DNS-Cache for LAN
-A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT

# Enable SSH from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Enable HTTP/HTTPS from LAN (some gui interface)
-A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Enable Squid-Proxy from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Block STUN
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
# Block TEREDO
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT

# Allow Forwarding to WAN interface
-A FORWARD -i br0 -o eth1 -j ACCEPT
# Allow established, related packets back through
-A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only the lan is allowed to ping me without restriction
-A INPUT -i br0 -p icmp -j ACCEPT
# Else only pings with restricted icmp are allowed
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT

# Enable TRACEroute to me from LAN
-A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Enable TRACEroute to me from internet
-A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Log all other
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7

COMMIT


and these are logged entries:
(only partial, as they are many)


[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Eliezer Croitoru
Hey Walter,

Can you please paste the output of "iptables-save" for me?
It's easier for me to read plain iptables-save than iptables -Lnv or any other 
format.
Then I would be able to send you a file that you can just pull into 
iptables-restore which should work.

And just to clear out my doubts on the scenario:
Are the RST packets coming from the gateway (192.168.0.1) but for requests from 
the local proxy (192.168.0.10)?
To eliminate a couple of things, can you test the next rule on the GW:
iptables -I INPUT -s 192.168.0.10 -j ACCEPT

And see if it changes anything at all?

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Walter H.
Sent: Tuesday, July 18, 2017 15:29
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) 
accepts them ...

Hello,

my Router Box runs a CentOS 6, with the EPEL squid34 RPM package

this is the iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow multicast
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT

# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow anything out on LAN
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable DHCP for LAN
-A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Enable DNS-Cache for LAN
-A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT

# Enable SSH from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Enable HTTP/HTTPS from LAN (some gui interface)
-A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Enable Squid-Proxy from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Block STUN
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
# Block TEREDO
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT

# Allow Forwarding to WAN interface
-A FORWARD -i br0 -o eth1 -j ACCEPT
# Allow established, related packets back through
-A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only the lan is allowed to ping me without restriction
-A INPUT -i br0 -p icmp -j ACCEPT
# Else only pings with restricted icmp are allowed
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT

# Enable TRACEroute to me from LAN
-A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Enable TRACEroute to me from internet
-A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Log all other
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7

COMMIT


and these are logged entries:
(only partial, as they are many)


[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
[18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0

192.168.0.1  is the router itself
192.168.0.10  is a VM running another squid, using the router box as parent 
proxy
192.168.0.2   is my windows box

why are these packets blocked?

by the way the router box has of course more interfaces a br0 (LAN) and eth1 
(WAN), where can I ensure that squid only listens to the LAN IP?


acl localnet src 192.168.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow localnet
http_access

Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Antony Stone
On Wednesday 19 July 2017 at 10:40:36, Walter H. wrote:

> On Wed, July 19, 2017 11:31, Antony Stone wrote:
> > On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote:
> >> I added these rules, and will see which packets are caught
> >> 
> >> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]:
> >> " --log-level 7
> >> -A FORWARD -m state --state INVALID -j LOG --log-prefix
> >> "IP[FWD(invalid)]: " --log-level 7
> >> -A OUTPUT -m state --state INVALID -j LOG --log-prefix
> >> "IP[OUT(invalid)]: " --log-level 7
> >> 
> >> and not by these after:
> >> 
> >> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
> >> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
> >> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
> > 
> > Note that any packets caught by the first rules will *also* be caught by
> > the second rules (since there is no DROP in between, and the second rule
> > does not exclude INVALID),
> 
> how would I exclude INVALID in the second rules?

If you really want to:

-A INPUT -m state ! --state INVALID -j LOG  --log-prefix

Depending on how you enter this rule, you may need to shell-escape the ! so 
that it doesn't get interpreted by bash etc.

The alternative (IMHO uglier) way of doing it would be:

-A INPUT -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix


Quoting from the iptables man page:

"   state
   This module, when combined with connection tracking, allows access to 
the connection tracking state for this packet.

   [!] --state state
  Where state is a comma separated list of the connection states 
to match.  Possible states are INVALID meaning that the packet could not be 
identified for some reason which includes running out of memory and ICMP errors 
which don't correspond to any known connection, ESTABLISHED meaning that the 
packet is associated  with  a  connection which  has  seen packets in both 
directions, NEW meaning that the packet has started a new connection, or 
otherwise associated with a connection which has not seen packets in both 
directions, and RELATED meaning that the packet is starting a new connection, 
but is associated with an existing connection, such as an FTP data transfer, 
or an ICMP error.  UNTRACKED meaning that the packet is not tracked at all, 
which happens if you use the NOTRACK target in raw table."


Antony.

-- 
This email was created using 100% recycled electrons.

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
On Wed, July 19, 2017 11:31, Antony Stone wrote:
> On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote:
>
>> I added these rules, and will see which packets are caught
>>
>> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]:
>> "
>> --log-level 7
>> -A FORWARD -m state --state INVALID -j LOG --log-prefix
>> "IP[FWD(invalid)]:
>> " --log-level 7
>> -A OUTPUT -m state --state INVALID -j LOG --log-prefix
>> "IP[OUT(invalid)]:
>> " --log-level 7
>>
>> and not by these after:
>>
>> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
>> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
>
> Note that any packets caught by the first rules will *also* be caught by
> the
> second rules (since there is no DROP in between, and the second rule does
> not
> exclude INVALID),

how would I exclude INVALID in the second rules?




Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Antony Stone
On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote:

> I added these rules, and will see which packets are caught
> 
> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: "
> --log-level 7
> -A FORWARD -m state --state INVALID -j LOG --log-prefix "IP[FWD(invalid)]:
> " --log-level 7
> -A OUTPUT -m state --state INVALID -j LOG --log-prefix "IP[OUT(invalid)]:
> " --log-level 7
> 
> and not by these after:
> 
> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7

Note that any packets caught by the first rules will *also* be caught by the 
second rules (since there is no DROP in between, and the second rule does not 
exclude INVALID), so don't be surprised when you see log entries from both 
rules for the same packet.


Antony.

-- 
Python is executable pseudocode.
Perl is executable line noise.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
On Wed, July 19, 2017 03:21, Amos Jeffries wrote:
> On 19/07/17 01:37, Walter H. wrote:
>> On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote:
>>> On 18.07.17 14:29, Walter H. wrote:
>>>> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>>> -A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j
>>>> ACCEPT
>>>
>>>> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>>>
>>>> [17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
>>>> MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
>>>> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
>>>> SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
>>>
>>> it's a RST packet, apparently for connection that was already closed
>>> and
>>> thus is not ESTABLISHED,RELATED nor NEW
>>>
>>> logging state INVALID could explain
>>
>> how would I do this?
>
>
> Add this line in your iptables config above the generic log ones:
>
>   -A INPUT -i br0 -m state --state INVALID -j LOG --log-prefix "IP[IN]
> INVALID]: " --log-level 7

I added these rules, and will see which packets are caught

-A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: "
--log-level 7
-A FORWARD -m state --state INVALID -j LOG --log-prefix "IP[FWD(invalid)]:
" --log-level 7
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "IP[OUT(invalid)]:
" --log-level 7

and not by these after:

-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7




Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Amos Jeffries

On 19/07/17 01:37, Walter H. wrote:
> On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote:
>> On 18.07.17 14:29, Walter H. wrote:
>>> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>> -A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT
>>
>>> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>>
>>> [17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
>>> MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
>>> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
>>> SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
>>
>> it's a RST packet, apparently for connection that was already closed and
>> thus is not ESTABLISHED,RELATED nor NEW
>>
>> logging state INVALID could explain
>
> how would I do this?

Add this line in your iptables config above the generic log ones:

  -A INPUT -i br0 -m state --state INVALID -j LOG --log-prefix "IP[IN] 
INVALID]: " --log-level 7


(If you are newbie with iptables or not having a major 'Doh!' moment 
reading the above config line, then I suggest you find some tutorials 
and read up about using netfilter / iptables some starters can be found 
at . You are likely to 
find out a lot of little tips and tricks that are useful way beyond this 
specific question and answers).



PS. This thread seems to have nothing to do with Squid. 
 would be a more 
appropriate place to seek this type of help in future.


Amos


Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Walter H.
On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote:
> On 18.07.17 14:29, Walter H. wrote:
>>-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>>-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT
>
>>-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>
>>[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
>>MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
>>DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
>>SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
>
> it's a RST packet, apparently for connection that was already closed and
> thus is not ESTABLISHED,RELATED nor NEW
>
> logging state INVALID could explain

how would I do this?

Thanks,
Walter




Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Matus UHLAR - fantomas

On 18.07.17 14:29, Walter H. wrote:
> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

> -A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7

> [17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
> MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0

it's a RST packet, apparently for connection that was already closed and
thus is not ESTABLISHED,RELATED nor NEW

logging state INVALID could explain

> by the way the router box has of course more interfaces
> a br0 (LAN) and eth1 (WAN), where can I ensure that squid only listens to
> the LAN IP?

here:

# Squid normally listens to port 3128
http_port 3128

see http://www.squid-cache.org/Doc/config/http_port/

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Antony Stone
On Tuesday 18 July 2017 at 13:29:04, Walter H. wrote:

> Hello,
> 
> my Router Box runs a CentOS 6, with the EPEL squid34 RPM package
> 
> this is the iptables
> 

Does the output of "iptables -L -nvx" match the ruleset you've quoted here?

I'm just wondering whether the rules have got loaded properly.


Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

   Please reply to the list;
 please *don't* CC me.


[squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Walter H.
Hello,

my Router Box runs a CentOS 6, with the EPEL squid34 RPM package

this is the iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow multicast
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT

# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow anything out on LAN
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable DHCP for LAN
-A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Enable DNS-Cache for LAN
-A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT

# Enable SSH from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Enable HTTP/HTTPS from LAN (some gui interface)
-A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Enable Squid-Proxy from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Block STUN
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
# Block TEREDO
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT

# Allow Forwarding to WAN interface
-A FORWARD -i br0 -o eth1 -j ACCEPT
# Allow established, related packets back through
-A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only the lan is allowed to ping me without restriction
-A INPUT -i br0 -p icmp -j ACCEPT
# Else only pings with restricted icmp are allowed
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT

# Enable TRACEroute to me from LAN
-A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Enable TRACEroute to me from internet
-A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Log all other
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG  --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG  --log-prefix "IP[OUT]: " --log-level 7

COMMIT


and these are logged entries:
(only partial, as they are many)


[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
[18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0


192.168.0.1  is the router itself
192.168.0.10  is a VM running another squid, using the router box as
parent proxy
192.168.0.2   is my windows box

why are these packets blocked?

by the way the router box has of course more interfaces
a br0 (LAN) and eth1 (WAN), where can I ensure that squid only listens to
the LAN IP?


acl localnet src 192.168.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# and finally allow by default
http_reply_access allow all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 16400 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

acl crl-mime rep_mime_type application/x-pkcs7-crl
no_cache deny crl-mime

icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors

logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


Thanks,
Walter

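The thread's answer is that the entries in the catch-all "IP[IN]:" log are not
blocked connections but packets conntrack no longer has a state for (a late RST,
a FIN/ACK after the connection has been forgotten), so they match neither the
ESTABLISHED,RELATED rule nor the NEW rule for port 3128. The script below is an
added example, not code from the thread or from Squid: it parses netfilter LOG
lines in the format quoted above and sorts each packet into a class that says
why it fell through to the LOG rule. The sample lines are constructed from the
two entries quoted in the thread plus a made-up bare SYN; a SYN at the end of the
chain is the one case that would point at the ruleset itself (Antony's question
whether the rules loaded), because that packet is NEW and the port-specific
ACCEPT should have taken it. The class names and the LogEntry structure are this
example's own choices.

```python
"""Classify netfilter LOG lines from a stateful INPUT chain.

Added example; not code from the squid-users thread or from Squid. SAMPLE_LOG is
constructed: the first two lines follow the entries quoted in the thread, the
third is a made-up bare SYN used for contrast.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = """\
[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
[18-Jul-2017; 13:02:20.000000] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28800 DF PROTO=TCP SPT=1220 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Words the LOG target prints without a value: IP-level (DF, MF, CE) and TCP flags.
BARE_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# "[timestamp] <log-prefix>: key=value ... FLAG ..."
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<prefix>[^:]+):\s+(?P<body>.*)$")

# Why a packet of each class reached the end of a chain that ACCEPTs
# ESTABLISHED,RELATED first and NEW-to-port afterwards.
EXPLANATION = {
    "late-rst": "reset for a connection conntrack has already forgotten (state INVALID)",
    "late-fin": "close for a connection conntrack has already forgotten (state INVALID)",
    "new-syn": "a NEW connection attempt; the port-specific ACCEPT rule did not match it",
    "non-tcp": "not TCP; check the UDP/ICMP rules for this interface",
    "other": "mid-stream segment with no tracked connection (state INVALID)",
}


@dataclass
class LogEntry:
    timestamp: str
    prefix: str   # the --log-prefix without its trailing colon, e.g. "IP[IN]"
    fields: dict  # key=value pairs: IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    flags: set    # bare words: DF, SYN, ACK, FIN, RST, ...


def parse_log_line(line: str) -> LogEntry:
    """Split one LOG line into timestamp, prefix, key=value fields and bare flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a netfilter LOG line: {line!r}")
    fields, flags = {}, set()
    for token in m.group("body").split():
        if "=" in token:
            key, value = token.split("=", 1)  # "OUT=" yields an empty value
            fields[key] = value
        elif token in BARE_FLAGS:
            flags.add(token)
        # any other bare word is ignored rather than treated as an error
    return LogEntry(m.group("ts"), m.group("prefix"), fields, flags)


def classify(entry: LogEntry) -> str:
    """Name the reason a packet fell through to the catch-all LOG rule."""
    if entry.fields.get("PROTO") != "TCP":
        return "non-tcp"
    f = entry.flags
    if "RST" in f:
        return "late-rst"
    if "FIN" in f and "SYN" not in f:
        return "late-fin"
    if "SYN" in f and "ACK" not in f:
        return "new-syn"
    return "other"


def summarize(log_text: str) -> dict:
    """Count classes over a block of LOG lines; blank lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(parse_log_line(line))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_log_line(line)
        kind = classify(e)
        print(f"{e.timestamp} {e.fields['SRC']}:{e.fields['SPT']} -> "
              f"{e.fields['DST']}:{e.fields['DPT']} {sorted(e.flags)} "
              f"=> {kind}: {EXPLANATION[kind]}")
    print(summarize(SAMPLE_LOG))
```

Run against a real log, only the "new-syn" class deserves attention as a firewall
problem; "late-rst" and "late-fin" entries are what a separate
`-m state --state INVALID -j LOG` rule placed before the catch-all, as suggested
in the thread, would pick off first.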