Re: [squid-users] iptables stops pinging (with iptables file)

From: Yogesh Patil <yogesh@dont-contact.us>
Date: Sat, 26 Jan 2008 15:19:40 +0530

Thank you very much Amos, it is working. I need one more suggestion
from you: what could be the reason for

Unloading iptables modules: [FAILED]

Regards,
Yogesh

On 1/26/08, Amos Jeffries <squid3@treenet.co.nz> wrote:
> Seems I got bored and looked at your problem anyway ...
>
> Yogesh Patil wrote:
> > * Sorry for duplicate messages, I didn't know that it doesn't support
> > big attachments
> >
> > Hello,
> > I am using Squid 2.6.STABLE17 with Fedora Core 8, and a BIND
> > DNS server configured on the same box. I have configured Squid as a
> > transparent proxy, and applied an iptables rule by using the following
> > command
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> > --to-port 3128
> >
> > service iptables save
> >
> > so when I restart iptables after applying & saving the above I
> > get the following:
> >
> > Flushing firewall rules: [ OK ]
> > Setting chains to policy ACCEPT: filter nat [ OK ]
> > Unloading iptables modules: [FAILED]
> > Applying iptables firewall rules: [ OK ]
> > Loading additional iptables modules: nf_conntrack_netbios_n[ OK ]
> >
> > so if I try to ping (any public IP) from a client PC after
> > enabling iptables I get request timed out, but I can browse websites
> > without any problem, and if I disable iptables I get a reply from
> > the (public IP) to which I am pinging, and browsing also works. I also
> > checked DNS resolution; it works perfectly, as browsing works.
> >
> > so I would like to know what is the reason for ping stopping
> > after enabling iptables and why I am getting Unloading iptables
> > modules FAILED.
> >
> > HERE IS MY /etc/iptables FILE
> > # Generated by iptables-save v1.3.8 on Sat Jan 26 17:51:31 2008
> > *nat
> > :PREROUTING ACCEPT [5:862]
> > :POSTROUTING ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> > COMMIT
> > # Completed on Sat Jan 26 17:51:31 2008
> > # Generated by iptables-save v1.3.8 on Sat Jan 26 17:51:31 2008
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [5:454]
> > :RH-Firewall-1-INPUT - [0:0]
> > -A INPUT -j RH-Firewall-1-INPUT
> > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>
> This ICMP ACCEPT is in the INPUT chain.
> The FORWARD chain contains only a global REJECT which will naturally block
> ICMP, UDP, TCP and everything else being forwarded.
>
> Transparent Squid only works because www packets are now secretly going to
> localhost via INPUT and OUTPUT without entering the FORWARD chain.
>
> Try adding:
> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
>
> ahead of the first "-A FORWARD" line.
> Or reconsider your FORWARD content entirely.
>
>
> > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> > -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> > # Completed on Sat Jan 26 17:51:31 2008
> >
> >
> >
> >
> > THANKS IN ADVANCE
> >
> >
> >
> > --
> > Regards,
> > Yogesh Patil
>
>
> --
> Please use Squid 2.6STABLE17+ or 3.0STABLE1+
> There are serious security advisories out on all earlier releases.
>

-- 
Regards,
Yogesh Patil
Technotux Solutions
33/114, Gandhi Nagar,
Jilha Peth, Jalgaon - 425001
Maharashtra, INDIA
Phone :- +91-257-2235596
Mobile:- +91-9890931432, 9422778329
Received on Sat Jan 26 2008 - 02:49:43 MST
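The chain-traversal point Amos makes above, worked through as an added example (this is not code from the thread, from Squid or from Fedora): a small POSIX shell script that parses an iptables-save dump, decides whether LAN traffic arriving on eth0 is handled in INPUT (because the nat PREROUTING REDIRECT rewrote its destination to this host) or in FORWARD, walks the FORWARD chain to give the verdict a forwarded ICMP packet receives, and inserts Amos's suggested ACCEPT ahead of the first "-A FORWARD" rule. The embedded dump is a trimmed copy of Yogesh's /etc/iptables file. The matching model is a deliberate simplification made for illustration: only -p and --dport are compared, and interface, state and icmp-type matches are ignored, which is not how the kernel matches.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Models the path a packet
# takes through the poster's ruleset and applies the fix Amos suggested.

# Trimmed copy of the iptables-save dump posted in the thread.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [5:862]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:454]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Which filter chain does a LAN packet traverse? nat PREROUTING runs first;
# a matching REDIRECT makes the packet local, so it goes to INPUT, not FORWARD.
# Simplified model (assumption): only -p and --dport are compared.
filter_chain_for() {   # $1 = rules, $2 = protocol, $3 = dport ("" for none)
    printf '%s\n' "$1" | awk -v proto="$2" -v dport="$3" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING / && chain == "" {
            p = ""; d = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") p = $(i + 1)
                if ($i == "--dport") d = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if ((p == "" || p == proto) && (d == "" || d == dport) && target == "REDIRECT")
                chain = "INPUT"
        }
        END { print (chain != "" ? chain : "FORWARD") }
    '
}

# Walk the filter FORWARD chain in order and print the verdict a forwarded ICMP
# packet gets: the first matching rule target, else the chain policy.
# Simplified model (assumption): a rule matches if it names no -p or -p icmp.
forward_icmp_verdict() {   # $1 = rules
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:FORWARD / { policy = $2 }
        table == "filter" && /^-A FORWARD / && verdict == "" {
            proto = ""
            for (i = 1; i <= NF; i++) if ($i == "-p") proto = $(i + 1)
            if (proto == "" || proto == "icmp")
                for (i = 1; i <= NF; i++) if ($i == "-j") verdict = $(i + 1)
        }
        END { print (verdict != "" ? verdict : policy) }
    '
}

# Amos's fix: insert an ICMP ACCEPT ahead of the first "-A FORWARD" line.
# A different single rule line may be passed as $2 to insert instead.
allow_forwarded_icmp() {   # $1 = rules, $2 = rule to insert (optional)
    rule=${2:-"-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT"}
    printf '%s\n' "$1" | awk -v rule="$rule" '
        !inserted && /^-A FORWARD / { print rule; inserted = 1 }
        { print }
    '
}

# Stand-alone demonstration of the thread's situation and the fix.
echo "HTTP from LAN is handled in:       $(filter_chain_for "$SAMPLE_RULES" tcp 80)"
echo "ICMP from LAN is handled in:       $(filter_chain_for "$SAMPLE_RULES" icmp "")"
echo "Forwarded ICMP verdict before fix: $(forward_icmp_verdict "$SAMPLE_RULES")"
FIXED_RULES=$(allow_forwarded_icmp "$SAMPLE_RULES")
echo "Forwarded ICMP verdict after fix:  $(forward_icmp_verdict "$FIXED_RULES")"
```

Running it shows HTTP handled in INPUT, ICMP in FORWARD, and the forwarded-ICMP verdict going from REJECT to ACCEPT once the rule is inserted. The one-line fix forwards every ICMP type in both directions; if only ping from the LAN needs to work, a tighter choice is to accept only `--icmp-type echo-request` in FORWARD together with a `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule for the replies, and the rest of the FORWARD chain still deserves the review Amos asks for.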
