I have it working. ;-)
When you set default policy to deny you have to open up all of the ports
needed for normal service. This includes all ports above 1024 for both
UDP and TCP traffic, at the minimum. You also need to open your box for
ICMP traffic as it's needed for a wide array of networking functions.
You must also explicity allow the ports below 1024 that your selected
services need for udp and tcp traffic. (I believe that there is kernel
magic involved in masq, so maybe that explains why it works in masq mode
but not for the proxy. But I could be wrong.)
If you've already thought of all of that, try turning on some packet
logging to see where things are getting lost. Just put a -l into each
chain you suspect may be the culprit and see what happens when traffic
hits it, or if traffic hits it at all.
I've probably got an real working ruleset around here somewhere I wrote
for a previous client that I could sanitize and send you, if you think
it would be of help (it is a quite complex ruleset that might be
overkill...the ipchains and firewall howto at the LDP are probably more
helpful).
Paul Blacquiere wrote:
>
> Hi,
>
> I know there are numerous references to this on the FAQ & Archives, but
> I have read them all and still can't get this to work, and the worst is
> I know it is something obvious & simple.
>
> System:
> Linux 2.2.16 (RedHat 6.2), Squid 2.2.Stable4, Dual Ethernet, Firewall
> configured by ipchains.
>
> Problem:
> If I configure the firewall as default policy of accept, and add the
> magic redirect entry, it works fine, but when I change say input to
> deny, and setup what appears to be the correct set of chains (this set
> of chains works, if I use masquerading) it fails, no activity in the
> squid access log.
>
> Any advice, comments welcome, even if they are only words of
> encouragement, 'like I have it working'
--
Joe Cooper <joe@swelltech.com>
Affordable Web Caching Proxy Appliances
http://www.swelltech.com
-- To unsubscribe, see http://www.squid-cache.org/mailing-lists.htmlReceived on Fri Aug 18 2000 - 05:53:18 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:54:55 MST