Your INPUT and OUTPUT rules look a little odd, but as you did not include
the full ruleset it is hard to tell (iptables -L only gives a summary of
the rules; it is better to use iptables-save).
Regards
Henrik
On Sun, 28 Dec 2003, Vincent GAUVIN wrote:
> Hello all,
> I am running squid2.5.stable4 on a server (kernel 2.4.7.20, masquerading with
> iptables).
> As soon as one of my workstations tries a web request I read this in my
> cache.log file:
>
> 2003/12/24 13:19:24| comm_udp_sendto: FD 4, 212.27.32.176, port 53: (1) Operation not permitted
> 2003/12/24 13:19:24| idnsSendQuery: FD 4: sendto: (1) Operation not permitted
>
> and obviously it does not work :-((
> Let me tell you that I have no local DNS running and that 212.27.32.175 is
> one of my ISP's DNS servers.
> If I stop running squid everything is ok.
> I think my firewall-masq rules are not right but I can't find what is wrong
> (I attach my squid.conf and iptables rules).
>
> Does someone have an idea to help me?
> Thanks.
> Regards,
> _____________________________________________________________________
> Vincent GAUVIN - TICE (educational ICT) trainer
> Circonscription de REIMS VI 13 rue Chanzy BP 2028 51070 REIMS Cédex (France)
> Tel : (33) 03.26.02.19.14
> mailto : vincent.gauvin@ac-reims.fr
> http://ienreims6.dyndns.org/
> The TICE (educational ICT) site for the Marne: http://tic-et-tice.dyndns.org
> _____________________________________________________________________
>
> "iptables -L"
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere tcp spt:ssh
>
>
> "squid.conf"
>
> # port on which the proxy listens for web clients
> http_port 8080
> cache_effective_user squid
> cache_effective_group squid
>
> # do not use the cache for ? and .cgi
> hierarchy_stoplist cgi-bin ? .cgi
>
>
> # RAM allocated to the proxy
> cache_mem 8 MB
>
> # maximum size of the files that will be stored in the cache
> maximum_object_size 4096 KB
>
> # directory in which the stored files will be kept.
> # in this example, the maximum size of this directory will be 200 MB,
> # there will be 16 subdirectories in /var/spool/squid
> # and 256 subdirectories within each of those 16
> cache_dir ufs /var/spool/squid 200 16 256
>
>
> # log files needed to monitor the operation of the cache
> cache_access_log /usr/local/squid/var/logs/access.log
> cache_log /usr/local/squid/var/logs/cache.log
> cache_store_log /usr/local/squid/var/logs/store.log
> cache_swap_log /usr/local/squid/var/logs/swap.log
>
>
> # location of squid's MIME table
> mime_table /usr/local/squid/etc/mime.conf
>
> # process information
> pid_filename /var/run/squid.pid
> debug_options ALL,1
>
> # access lists
> acl allowed_hosts src 192.168.0.0/255.255.0.0
> # acl localhost src 127.0.0.1/255.255.255.255
> acl manager proto cache_object
> # acl all src 0.0.0.0/0.0.0.0
> acl SSL_ports port 443 563
> # ACL names are case-sensitive: this name must match the http_access line below
> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> acl CONNECT method CONNECT
> acl serveurlocal dst 127.0.0.1/255.255.255.255
>
>
> # allow/deny the lists defined above
> http_access allow manager
> http_access allow manager allowed_hosts
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow allowed_hosts
> http_access allow serveurlocal
>
>
> # e-mail address of the cache manager
> cache_mgr vincent.gauvin@ac-reims.fr
>
>
> visible_hostname cache
>
> # log file rotation
> logfile_rotate 5
>
>
> httpd_accel_host virtual
> httpd_accel_port 8080
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> httpd_accel_single_host off
> log_fqdn on
>
> # to exclude the (local) intranet from the cache
> acl web-local dstdomain localhost
> always_direct allow web-local
>
Received on Sun Dec 28 2003 - 09:53:27 MST
This archive was generated by hypermail pre-2.1.9 : Thu Jan 01 2004 - 12:00:26 MST
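Henrik's point is that `iptables -L` drops exactly the details that decide this case: the in/out interface and the port match of each rule. An "ACCEPT all anywhere anywhere" line in OUTPUT may well be bound to `lo` or to the LAN interface only, in which case nothing lets a UDP packet out of the external interface, and on Linux a locally generated packet dropped in the OUTPUT chain makes the `sendto()` call fail with EPERM, which is the "(1) Operation not permitted" squid logs. The script below is an added example, not part of the thread or of squid's or Vincent's configuration. It builds a complete `iptables-save`-format ruleset that keeps the three DROP policies but explicitly allows the proxy host's own DNS traffic to the resolver, and it includes a small check that greps a saved ruleset for that permission. The interface names (`eth0` external, `eth1` LAN), the LAN network and the resolver address (the 212.27.32.176 from the cache.log line) are assumptions; the "broken" ruleset is a constructed guess at what prints like Vincent's `iptables -L` output, since the thread does not contain the full rules.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumptions: eth0 is the
# external interface, eth1 the LAN interface, 192.168.0.0/16 the LAN, and
# 212.27.32.176 the ISP resolver seen in the cache.log line. Adjust before use.
EXT=eth0
LAN=eth1
LAN_NET=192.168.0.0/16
RESOLVER=212.27.32.176

# Ruleset in iptables-save format, restorable with "iptables-restore < file".
# The -i/-o interface and --dport details are exactly what "iptables -L" hides.
# INPUT/OUTPUT keep policy DROP; DNS from the proxy host itself is allowed
# explicitly (UDP/53 for normal queries, TCP/53 for truncated answers), and
# the RELATED,ESTABLISHED rules let the replies back in.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 8080 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $LAN -o $EXT -s $LAN_NET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $EXT -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $EXT -d $RESOLVER -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $EXT -d $RESOLVER -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $EXT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o $EXT -p tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $EXT -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Constructed guess (an assumption, not Vincent's real rules) at a ruleset
# that prints like his "iptables -L" listing: the two "ACCEPT all" lines are
# bound to lo and to the LAN interface, so no rule matches a UDP query leaving
# eth0, the OUTPUT policy DROP applies, and sendto() returns EPERM.
broken_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $LAN -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
COMMIT
EOF
}

# allows_dns_egress RULESET_TEXT
# Returns 0 when some OUTPUT rule ACCEPTs UDP to destination port 53, which is
# the minimum squid's resolver needs on this host. Works on iptables-save output
# whether or not it carries the explicit "-m udp" match.
allows_dns_egress() {
    printf '%s\n' "$1" |
        grep -Eq -- '^-A OUTPUT .*-p udp .*--dport 53( .*)? -j ACCEPT$'
}

# check_running_rules: run as root on the proxy host; reads the live ruleset
# via iptables-save (not "iptables -L") and reports whether DNS can get out.
check_running_rules() {
    if allows_dns_egress "$(iptables-save)"; then
        echo "OUTPUT chain allows UDP/53: squid's DNS queries can leave the host"
    else
        echo "no OUTPUT rule accepts UDP/53: expect EPERM from sendto() in cache.log"
        return 1
    fi
}

# Stand-alone run: print the proposed ruleset when asked for it.
case "${1:-}" in
    --print) build_ruleset ;;
    --check) check_running_rules ;;
esac
```

To apply it, save the output of `--print` to a file, review it, then load it atomically with `iptables-restore < file`; verify with `iptables-save` afterwards. When you do list rules interactively, use `iptables -L -v -n`: `-v` adds the interface columns and `-n` stops iptables from doing reverse DNS lookups on the addresses, which on a host whose own DNS egress is blocked would otherwise hang until they time out.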