RE: [squid-users] Squid and iptables - need help

2006-02-06 Thread Chris Robertson
Hi...

 -Original Message-
 From: Gregori Parker [mailto:[EMAIL PROTECTED]
 Sent: Friday, February 03, 2006 10:25 AM
 To: squid-users@squid-cache.org
 Subject: [squid-users] Squid and iptables - need help
 
 
 I have just deployed a cluster of squid caching servers in reverse proxy
 mode, and am having trouble with iptables.  When iptables is turned on,
 I can hit the caching servers, but squid times out trying to pull from
 the origin servers (in our other datacenters).
 
 I'm thinking that if I add outgoing rules for our other datacenters,
 everything should be fine, but they are now in production and I can't
 simply test at will...I'm planning on adding these lines, can anyone
 tell me if this will fix my timeout problem when squid tries to pull
 from the origin servers?  I'm green on iptables configuration, so any
 advice in general is welcome!  Sorry for the long email, and thank you!
 
 Lines I plan to add:
 
 # Allow anything *to* our various datacenters
 $IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT
 $IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT
 $IPTABLES -A OUTPUT -d XX.XX.XX.X/26 -p all -j ACCEPT
 

Replace. Don't add...

 
 Or maybe I can just add this instead:
 
 $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 

This would be the same thing as $IPTABLES --policy OUTPUT ACCEPT.

 
 Here's the current iptables script:
 --
 #!/bin/sh
 
 LAN=eth1
 INTERNET=eth0
 IPTABLES=/sbin/iptables
 
 # Drop ICMP echo-request messages sent to broadcast or multicast addresses
 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 
 # Drop source routed packets
 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
 
 # Enable TCP SYN cookie protection from SYN floods
 echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 
 # Don't accept ICMP redirect messages
 echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
 
 # Don't send ICMP redirect messages
 echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 
 # Enable source address spoofing protection
 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
 
 # Log packets with impossible source addresses
 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
 
 # Flush all chains
 $IPTABLES --flush
 
 # Allow unlimited traffic on the loopback interface
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
 
 # Set default policies
 $IPTABLES --policy INPUT DROP
 $IPTABLES --policy OUTPUT DROP
 $IPTABLES --policy FORWARD DROP
 
 # Previously initiated and accepted exchanges bypass rule checking
 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 

Change these lines...

 # Allow anything from our various datacenters
 $IPTABLES -A INPUT -s XX.XX.XXX.XXX/26 -p all -j ACCEPT
 $IPTABLES -A INPUT -s XX.XX1.XXX.X/26 -p all -j ACCEPT
 $IPTABLES -A INPUT -s XX.XX.XX.X/26 -p all -j ACCEPT
 

...to...

# Allow anything *to* our various datacenters
$IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX.XXX.X/26 -p all -j ACCEPT

... and Squid will be able to query your datacenters.  Responses will be 
allowed by the --state ESTABLISHED,RELATED rule.  It would probably be a good 
idea to make this rule a bit more stringent (only allow TCP on port 80, or 
what-have-you).  But it's a good start.

 # Allow incoming port 22 (ssh) connections on external interface
 $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state \
 --state NEW -j ACCEPT
 

I'd REALLY strongly recommend you limit which hosts can connect to port 22.  
There is no shortage of SSH scanners in the wild.

 # Allow incoming port 4827 (squid-htcp) connections on external interface
 $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 4827 -m state \
 --state NEW -j ACCEPT
 
 # Allow incoming port 80 (http) connections on external interface
 $IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state \
 --state NEW -j ACCEPT
 
 # Allow ICMP ECHO REQUESTS
 $IPTABLES -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j ACCEPT
 $IPTABLES -A INPUT -p icmp -j ACCEPT
 $IPTABLES -A OUTPUT -p icmp -j ACCEPT
 
 
 # Allow DNS resolution
 $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
 --state NEW -j ACCEPT
 $IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
 --state NEW -j ACCEPT
 
 # Allow ntp synchronization
 $IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 123 -m state \
 --state NEW -j ACCEPT
 
 # allow anything on the trusted interface
 $IPTABLES -A INPUT -i $LAN -p all -j ACCEPT
 $IPTABLES -A OUTPUT -o $LAN -p all -j ACCEPT
 
 # Have these rules take effect when iptables is started
 /sbin/service iptables save
 
 --
 
 

Chris

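As an added example (not code from the thread or from either poster), here is the rule set Chris describes with the two tightenings he suggests: the per-datacenter rules moved to OUTPUT and limited to new TCP connections to port 80, and inbound SSH limited to an admin range. The function names, the interface default and the RFC 5737 documentation addresses are assumptions standing in for the masked XX.XX ranges.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses are constructed
# RFC 5737 documentation ranges standing in for the masked XX.XX ones.
# Set IPTABLES=echo to dry-run: rules are printed instead of applied.
INTERNET=${INTERNET:-eth0}
IPTABLES=${IPTABLES:-/sbin/iptables}
ORIGIN_NETS="192.0.2.0/26 198.51.100.64/26 203.0.113.128/26"  # constructed
ADMIN_NET="192.0.2.64/28"                                      # constructed

base_rules() {
    $IPTABLES --flush
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES --policy INPUT DROP
    $IPTABLES --policy OUTPUT DROP
    $IPTABLES --policy FORWARD DROP
    # Origin responses come back through these; no per-subnet INPUT rule is needed
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Squid initiates the fetch, so the per-datacenter rules belong in OUTPUT,
# not INPUT, and can be narrowed to new TCP connections to port 80.
origin_rules() {
    for net in $ORIGIN_NETS; do
        $IPTABLES -A OUTPUT -o "$INTERNET" -d "$net" -p tcp --dport 80 \
            -m state --state NEW -j ACCEPT
    done
}

# SSH only from the admin range; HTTP (80) and HTCP (4827) from anywhere.
service_rules() {
    $IPTABLES -A INPUT -i "$INTERNET" -s "$ADMIN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    for port in 80 4827; do
        $IPTABLES -A INPUT -i "$INTERNET" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# Dry-run self-check: how many OUTPUT rules open port 80 to an origin subnet.
count_origin_rules() {
    ( IPTABLES=echo; origin_rules ) | grep -c -- '^-A OUTPUT .* --dport 80 '
}

# Apply for real only when invoked as: sh firewall.sh apply
if [ "${1:-}" = apply ]; then
    base_rules; origin_rules; service_rules
fi
```

Run it with `IPTABLES=echo sh firewall.sh apply` first to review the generated rules before applying them on a production cache.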

RE: [squid-users] Squid and iptables - need help

2006-02-06 Thread Gregori Parker
Thanks Chris, I got rid of a lot of redundancy and replaced general
rules with much more specific ones (e.g. SSH et al have source/destination IP
space constraints)...everything seems to be working fine now!


-Original Message-
From: Chris Robertson [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 06, 2006 10:59 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid and iptables - need help
