Hello
I have installed a Debian machine that acts as a
gateway to my LAN. The job of the gateway is to
provide a caching server for my LAN as well as a
firewall. Here is my architecture:
           eth1            eth0
ADSL <---> [Gateway] <---> LAN
eth1 = 192.168.192.70, eth0 = 192.168.1.1, LAN = 192.168.1.0/24
On the Gateway, I have Squid 2.5.STABLE7 and it
authenticates all the users connecting to the
internet. Thus, it is not a transparent proxy. I am
also using iptables to build the firewall. The proxy
listens on port 3128.
The firewall works, but for port 3128 I don't know
what to do.
When I browse without activating the proxy in my browser,
I can surf the internet, but when I activate the
proxy, it gives:
The requested URL could not be retrieved
While trying to retrieve the URL:
http://www.yahoo.com/
The following error was encountered:
Unable to determine IP address from host name for
www.yahoo.com
The dnsserver returned:
Timeout
This means that:
The cache was not able to resolve the hostname
presented in the URL.
Check if the address is correct.
Your cache administrator is webmaster.
Here is what access.log says:
1103182301.857 1 192.168.1.23 TCP_DENIED/407 1761 GET http://www.yahoo.com/ - NONE/- text/html
Here is an extract of the firewall:
iptables -F
iptables -F -t nat
iptables -X
### Block everything by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
## Packets for localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## Unrestricted traffic within the LAN
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT
## Internal traffic leaves with the external IP
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to 192.168.192.70
## Allow packets to leave the LAN
iptables -A FORWARD -m state --state NEW,ESTABLISHED -i eth0 -s 192.168.1.0/24 -j ACCEPT
## Allow packets to return to the LAN
##iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -s ! 192.168.1.0/24 -j ACCEPT
## WWW-CACHE
iptables -A INPUT -p tcp -i eth1 --sport 3128 -d 192.168.192.70 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth1 -s 192.168.192.70 --dport 3128 -j ACCEPT
## HTTP Client
iptables -A INPUT -p tcp -i eth1 --sport 80 -d 192.168.192.70 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth1 --dport 80 -s 192.168.192.70 -j ACCEPT
Please, could someone help me sort out this problem?
Thanks
A+
S.
-- Shafeek Sumser
Received on Thu Dec 16 2004 - 00:37:11 MST