Thanks Chris, I got rid of a lot of redundancy and replaced general
rules with much more specific ones (e.g. SSH et al have source/destination IP
space constraints)...everything seems to be working fine now!
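The "much more specific rules" described above, worked out as an added example that is not code from the thread: the blanket `-p all` and open port 22/4827 rules from the quoted script, rewritten with source and destination constraints. The interface name comes from the script; the origin networks, the admin range and the HTCP peer range are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the tightened version of the quoted
# rules. All addresses are RFC 5737 placeholders standing in for the XX.XX nets.
INTERNET=eth0
IPTABLES=${IPTABLES:-/sbin/iptables}
ORIGIN_NETS="192.0.2.0/26 198.51.100.0/26 203.0.113.0/26"  # origin datacenters
ADMIN_NET="192.0.2.128/28"     # assumed: hosts allowed to SSH in
HTCP_PEERS="198.51.100.64/27"  # assumed: sibling caches speaking HTCP

# Print instead of load when DRYRUN=1, so the rule set can be reviewed first.
ipt() {
    if [ "${DRYRUN:-0}" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# Squid -> origin servers: TCP 80 only, instead of "-p all" to the whole /26.
# Replies still come back through the ESTABLISHED,RELATED rule.
egress_to_origins() {
    for net in $ORIGIN_NETS; do
        ipt -A OUTPUT -o "$INTERNET" -d "$net" -p tcp --dport 80 \
            -m state --state NEW -j ACCEPT
    done
}

# SSH only from the admin network, not from any Internet host.
ingress_admin_ssh() {
    ipt -A INPUT -i "$INTERNET" -s "$ADMIN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
}

# HTCP (UDP 4827) only from known peers; the original opened TCP 4827 to all.
ingress_htcp_peers() {
    for net in $HTCP_PEERS; do
        ipt -A INPUT -i "$INTERNET" -s "$net" -p udp --dport 4827 -j ACCEPT
    done
}

# Client HTTP to the cache stays open to everyone: that is the service.
ingress_http_clients() {
    ipt -A INPUT -i "$INTERNET" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

apply_rules() {
    egress_to_origins; ingress_admin_ssh; ingress_htcp_peers; ingress_http_clients
}

case "${1:-}" in
    --show) DRYRUN=1; apply_rules ;;  # review: sh rules.sh --show
    --load) apply_rules ;;            # as root, after the flush/policy lines
esac
```

These rules slot in after the flush, default-policy and ESTABLISHED,RELATED lines of the quoted script; run with `--show` first and compare the printed rules against what the hosts actually need.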
-Original Message-
From: Chris Robertson [mailto:[EMAIL PROTECTED]
Sent: Monday, February 06, 2006 10:59 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid and iptables - need help
Hi...
-Original Message-
From: Gregori Parker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 03, 2006 10:25 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Squid and iptables - need help
I have just deployed a cluster of squid caching servers in reverse proxy
mode, and am having trouble with iptables. When iptables is turned on,
I can hit the caching servers, but squid times out trying to pull from
the origin servers (in our other datacenters).
I'm thinking that if I add outgoing rules for our other datacenters,
everything should be fine, but they are now in production and I can't
simply test at will...I'm planning on adding these lines, can anyone
tell me if this will fix my timeout problem when squid tries to pull
from the origin servers? I'm green on iptables configuration, so any
advice in general is welcome! Sorry for the long email, and thank you!
Lines I plan to add:
# Allow anything *to* our various datacenters
$IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX.XX.X/26 -p all -j ACCEPT
Replace. Don't add...
Or maybe I can just add this instead:
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
This would be the same thing as $IPTABLES --policy OUTPUT ACCEPT.
Here's the current iptables script:
#!/bin/sh
LAN=eth1
INTERNET=eth0
IPTABLES=/sbin/iptables
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Flush all chains
$IPTABLES --flush
# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP
# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Change these lines...
# Allow anything from our various datacenters
$IPTABLES -A INPUT -s XX.XX.XXX.XXX/26 -p all -j ACCEPT
$IPTABLES -A INPUT -s XX.XX1.XXX.X/26 -p all -j ACCEPT
$IPTABLES -A INPUT -s XX.XX.XX.X/26 -p all -j ACCEPT
...to...
# Allow anything *to* our various datacenters
$IPTABLES -A OUTPUT -d XX.XX.XXX.XXX/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX1.XXX.X/26 -p all -j ACCEPT
$IPTABLES -A OUTPUT -d XX.XX.XXX.X/26 -p all -j ACCEPT
... and Squid will be able to query your datacenters. Responses will be
allowed by the --state ESTABLISHED,RELATED rule. It would probably be
a good idea to make this rule a bit more stringent (only allow TCP on
port 80, or what-have-you). But it's a good start.
# Allow incoming port 22 (ssh) connections on external interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state \
    --state NEW -j ACCEPT
I'd REALLY strongly recommend you limit which hosts can connect to port
22. There is no shortage of SSH scanners in the wild.
# Allow incoming port 4827 (squid-htcp) connections on external interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 4827 -m state \
    --state NEW -j ACCEPT
# Allow incoming port 80 (http) connections on external interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state \
    --state NEW -j ACCEPT
# Allow ICMP ECHO REQUESTS
$IPTABLES -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT
# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
    --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
    --state NEW -j ACCEPT
# Allow ntp synchronization
$IPTABLES -A OUTPUT -o