apache, squid and iptables

Post by Danie » Fri, 24 Jan 2003 08:04:38



Hi everyone!

OK, here is the problem: I've been charged with making a
web server/proxy server for one of our departments.

I'm using SuSE 7.3 for SPARC and whatever versions of Squid and Apache
come with that. (I can find out version numbers if it's really important.)
Both work perfectly! The problem starts when I start making rules for
iptables to allow only proxy traffic and web traffic (and SSH!).

So here are the rules that I'm running:

$IPTAB -P INPUT DROP
$IPTAB -P FORWARD DROP
$IPTAB -P OUTPUT DROP

$IPTAB -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTAB -A OUTPUT -p tcp --sport 22 -j ACCEPT
(this works fine for SSH)

$IPTAB -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPTAB -A INPUT -p tcp --sport 8080 -j ACCEPT
$IPTAB -A OUTPUT -p tcp --dport 8080 -j ACCEPT
$IPTAB -A OUTPUT -p tcp --sport 8080 -j ACCEPT
$IPTAB -A INPUT -p udp --dport 3130 -j ACCEPT
$IPTAB -A INPUT -p udp --sport 3130 -j ACCEPT
$IPTAB -A OUTPUT -p udp --dport 3130 -j ACCEPT
$IPTAB -A OUTPUT -p udp --sport 3130 -j ACCEPT
(I tried the same format I used for SSH here for Squid, but it didn't work, so
I kept adding rules until it did. This works, but I don't know if they are all
necessary. Can you see any that don't need to be there?)

$IPTAB -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTAB -A INPUT -p tcp --sport 80 -j ACCEPT
$IPTAB -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTAB -A OUTPUT -p tcp --sport 80 -j ACCEPT

(This is the one I just can't get working. I tried the same format as I did
for SSH, again no joy. This still doesn't work; any clues?)

Any help would be grand. Thanks in advance.
Daniel


apache, squid and iptables

Post by Terence Parke » Fri, 24 Jan 2003 14:34:11


I'm using a different set of rules which works fine for me. Do you have
connection tracking enabled in the kernel or as a module? I suggest some
rules which make use of it, since HTTP / proxy communication typically
consists of several connections at different ports rather than just the
single two-way connection.

/sbin/iptables -A INPUT -i ppp0 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT    #WWW

That should actually be sufficient for port 80, as you don't need UDP. I
don't think you do for the proxy either... but now you have a template you can
make changes to. You can also consider adding:

# Allow already established connections
/sbin/iptables -A INPUT -i ppp0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

- as a generic rule for all packets, to allow subsequent packets if it was
allowed by a previous firewall rule in the first place. Necessary for FTP
connections.

Hope this helps.

Terence
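A stateful version of the rules discussed in this thread, as an added example (not a script from either poster): one ESTABLISHED,RELATED rule per direction replaces all of the --sport reply rules, so only the first packet of each service needs its own rule. The interface name, the iptables path and the DRY_RUN switch (which prints the commands instead of applying them) are assumptions of this example; the ports are the ones from Danie's post.

```shell
#!/bin/sh
# Stateful ruleset for a host running ssh (22), Apache (80) and Squid (8080,
# ICP on udp 3130). IFACE and IPTAB are assumed values; DRY_RUN=1 prints the
# commands so the ruleset can be reviewed before it is applied.
IFACE="${IFACE:-eth0}"
IPTAB="${IPTAB:-/usr/sbin/iptables}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$IPTAB $*"; else "$IPTAB" "$@"; fi
}

apply_rules() {
    # Default-deny in all three chains, as in the original post.
    run -F
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP
    # Loopback: Apache and Squid may talk to themselves over lo.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    # One conntrack rule per direction covers every reply packet, so no
    # --sport rules are needed for any service.
    run -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound services: only the NEW packet of each connection needs a rule.
    for port in 22 80 8080; do
        run -A INPUT -i "$IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    run -A INPUT -i "$IFACE" -p udp --dport 3130 -j ACCEPT
    # Squid fetching origin sites on port 80 (Danie's OUTPUT --dport 80 rule)
    # and sending ICP queries to peers; replies come back via ESTABLISHED.
    run -A OUTPUT -o "$IFACE" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run -A OUTPUT -o "$IFACE" -p udp --dport 3130 -j ACCEPT
    # Log whatever still reaches the end of a chain before the DROP policy
    # discards it, so a missing rule shows up in syslog instead of silently.
    run -A INPUT -j LOG --log-prefix "iptables-drop-in: "
    run -A OUTPUT -j LOG --log-prefix "iptables-drop-out: "
}

# Print the commands without applying them (review before running as root).
dry_run_rules() {
    ( DRY_RUN=1; apply_rules )
}

# Number of -A rules the script would add; a quick sanity check for edits.
rule_count() {
    dry_run_rules | grep -c ' -A '
}
```

Run `dry_run_rules` first to read the generated commands; `apply_rules` needs root and replaces the current filter table.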