[squid-users] iptables and squid reverse proxy accelerator config

From: nick humphrey <nick.c.humphrey@dont-contact.us>
Date: Fri, 18 Aug 2006 14:20:54 +0200

hi ya'll, i'd just like to preface this by saying that i have been
looking in the archive and on the internet for 4 days straight and
haven't found a clear answer to my problem =)

i have a linux (rh7) machine (webMachine, ip: 192.168.0.5) running a
web server on port 7090.
i have another linux (debian) machine on the same network
(firewallMachine, two interfaces ip: 10.0.0.40 [out to inet], ip:
192.168.0.2 [connected to internal network]).

on firewallMachine i have also installed squid, to reverse proxy for
webMachine, i.e. hide all external ip addresses from webMachine, so it
thinks only 1 ip address is communicating with it.

squid is configured to listen to port 7090 and then redirect
everything to webMachine on port 7090 (trying to keep it simple at
first).
the only lines i've changed in the default squid.conf configuration are:
http_port 7090
httpd_accel_host 192.168.0.5
httpd_accel_port 7090
httpd_accel_single_host on
httpd_accel_uses_host_header on

(i can't see anything else in that config file that would need to be
enabled/disabled, am i right?)

here's my firewall.sh:
#!/bin/sh
SYSCTL="/sbin/sysctl -w"

# IPTables Location - adjust if needed
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface Information
INET_IFACE="eth0"
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.0.2"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi

# Load Modules
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# Kernel Parameter Configuration
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi

# This enables SYN flood protection.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

# This enables source validation by reversed path according to RFC1812.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

# This kernel parameter instructs the kernel to ignore all ICMP
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

# This option can be used to accept or refuse source routed packets.
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi

# Flush Any Existing Rules or Chains
echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi

# Rules Configuration
# Filter Table
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# User-Specified Chains
# Create user chains to reduce the number of rules each packet must traverse.
echo "Create and populate custom rule chains ..."

# Create a chain to filter INVALID packets
$IPT -N bad_packets

# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing), and
incoming udp packets.
$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network, default
to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired, default fail except for
established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network, default to allow all
$IPT -N tcp_outbound

# Populate User Chains
# bad_packets chain
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG
--log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn (possible port scan): "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP
Fragment (possible DoS attack): "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# udp_inbound chain
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port
68 -j ACCEPT

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -j ACCEPT

# tcp_inbound chain
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# ICQ File Transfers & Other Advanced Features
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 5000:5100 -j ACCEPT

# MSN Messenger File Transfers
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6891:6900 -j ACCEPT

# IMAP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT

# SMTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -j ACCEPT

# INPUT Chain
echo "Process INPUT chain ..."
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# DOCSIS compliant cable modems
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP

# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT

# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state
ESTABLISHED,RELATED -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP

# FORWARD Chain
echo "Process FORWARD chain ..."

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# only existing and related packages are allowed to enter the network
$IPT -A FORWARD -i $INET_IFACE -o $LOCAL_IFACE -m state --state
ESTABLISHED,RELATED -j ACCEPT

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -o $INET_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -o $INET_IFACE -j udp_outbound

# Accept TCP packets we want to forward from internal sources, NICK
ENABLED THIS (WAS THIS HERE AS DEFAULT, BUT NOT ENABLED?)
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
#$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet
#$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# webMachine on 192.168.0.5
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 7090 -j ACCEPT

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -o $INET_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-prefix "FORWARD packet died: "

# OUTPUT Chain
echo "Process OUTPUT chain ..."
# Generally trust the firewall on output, However, invalid icmp
packets need to be dropped, to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -j ACCEPT

# nat table
echo "Load rules for nat table ..."
# PREROUTING chain
# send all incoming traffic to squid firewallMachine
$IPT -t nat -A PREROUTING -p tcp --dport 7090 -j DNAT --to 192.168.0.2

# POSTROUTING chain
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

# mangle table
echo "Load rules for mangle table ..."
echo "THE WALL has been loaded."

i can't seem to reach webMachine from the internet (everything is set
up correctly on my adsl router [sits between firewallMachine and
internet], that much i do know).

Thanks for any help and a quick reponse =)
Nick
Received on Fri Aug 18 2006 - 06:20:56 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Sep 01 2006 - 12:00:02 MDT