iptables + squid + руководство над душой

[parfeon]

Прошу помощи! ОЧЕНь!

Дали мне провод с интернетом в офис входящий от месного провайдера (eth1) интерфейс

Местная локальная сеть (eth0)

Настраиваю по этому руководству squid

http://blog.sozinov.eu/2007/04/debian-proxy.html

Суть в том что пакеты по 80 проту режутся даже не доходя до squid-а, трасисовка из консоли проходит без проблем достукиваюсь до гугла

вот что выдает iptables-save

Код: [Выделить]

# Generated by iptables-save v1.4.2 on Sun Dec 12 17:36:14 2010
*mangle
:PREROUTING ACCEPT [2643:215848]
:INPUT ACCEPT [2382:191947]
:FORWARD ACCEPT [246:22521]
:OUTPUT ACCEPT [1873:520475]
:POSTROUTING ACCEPT [2217:556878]
COMMIT
# Completed on Sun Dec 12 17:36:14 2010
# Generated by iptables-save v1.4.2 on Sun Dec 12 17:36:14 2010
*nat
:PREROUTING ACCEPT [177:15064]
:POSTROUTING ACCEPT [12:2054]
:OUTPUT ACCEPT [34:4807]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun Dec 12 17:36:14 2010
# Generated by iptables-save v1.4.2 on Sun Dec 12 17:36:14 2010
*filter
:INPUT ACCEPT [57:7843]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1873:520475]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o -eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Dec 12 17:36:14 2010

Воопрос в том что же его режит, помогите кто может, руководство давит уже...

[AnrDaemon]

Не должны резаться.
Без заворота всё работает?

[parfeon]

В том то и дело что непонятно, пишу на виндовой машине tracert ya.ru

До яндекса доходит без проблем.

в браузере же никак.

логи squid пустые, тоесть я могу только один вывод сделать что режет iptables
может в закрытых портах дело?

[Unreg]

sudo cat /etc/squid/squid.conf|grep -v "^#"|awk NF
sudo cat /etc/network/interfaces
sudo cat /etc/resolv.conf
/sbin/ifconfig
netstat -nr

Пользователь решил продолжить мысль 12 Декабря 2010, 18:33:00:

sudo netstat -lpant|grep LISTEN; sudo netstat -lpanu

[parfeon]

sudo cat /etc/squid/squid.conf|grep -v "^#"|awk NF

Код: [Выделить]

visible_hostname proxy
acl our_networks src 192.168.0.0/255.255.255.0
http_access allow our_networks
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl office src 192.168.0.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
icp_access allow localnet
icp_access deny all
http_port 127.0.0.1:3128
http_port 192.168.0.254:3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
cache_mgr v.palgov@gmail.com
hosts_file /etc/hosts
coredump_dir /var/spool/squid

sudo cat /etc/network/interfaces

Код: [Выделить]

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0
#gateway 192.168.0.1


allow-hotplug eth1
iface eth1 inet static
address 80.92.209.42
netmask 255.255.255.252
gateway 80.92.209.41
auto eth1

sudo cat /etc/resolv.conf

Код: [Выделить]

domain mshome.net
search mshome.net
nameserver 217.65.208.2
nameserver 217.65.209.2

/sbin/ifconfig

Код: [Выделить]

eth0      Link encap:Ethernet  HWaddr 00:1c:c4:fb:d0:43 
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21c:c4ff:fefb:d043/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1532 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:186497 (182.1 KiB)  TX bytes:222539 (217.3 KiB)
          Interrupt:16

eth1      Link encap:Ethernet  HWaddr 00:1c:c4:fb:d0:44 
          inet addr:80.92.209.42  Bcast:80.92.209.43  Mask:255.255.255.252
          inet6 addr: fe80::21c:c4ff:fefb:d044/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:206 errors:0 dropped:0 overruns:0 frame:0
          TX packets:274 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:44668 (43.6 KiB)  TX bytes:26720 (26.0 KiB)
          Interrupt:17

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1040 (1.0 KiB)  TX bytes:1040 (1.0 KiB)


netstat -nr

Код: [Выделить]

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
80.92.209.40    0.0.0.0         255.255.255.252 U         0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         80.92.209.41    0.0.0.0         UG        0 0          0 eth1


[Unreg]

# Generated by iptables-save v1.4.2 on Fri Nov 26 19:31:03 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -m conntrack --ctstate NEW -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
# Completed on Fri Nov 26 19:31:03 2010
# Generated by iptables-save v1.4.2 on Fri Nov 26 19:31:03 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp -m multiport --dports 80,8080 -j DNAT --to-destination 192.168.0.1:3128
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source 80.92.209.42
COMMIT
# Completed on Fri Nov 26 19:31:03 2010
# Generated by iptables-save v1.4.2 on Fri Nov 26 19:31:03 2010
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Nov 26 19:31:03 2010
# Generated by iptables-save v1.4.2 on Fri Nov 26 19:31:03 2010
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Nov 26 19:31:03 2010

visible_hostname proxy
acl our_networks src 192.168.0.0/255.255.255.0
http_access allow our_networks
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl SSL_ports port 443      # https
acl SSL_ports port 563      # snews
acl SSL_ports port 873      # rsync
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443      # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl Safe_ports port 631      # cups
acl Safe_ports port 873      # rsync
acl Safe_ports port 901      # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl office src 192.168.0.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow office
http_access allow all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
refresh_pattern (Release|Package(.gz)*)$   0   20%   2880
refresh_pattern .      0   20%   4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
cache_mgr v.palgov@gmail.com
hosts_file /etc/hosts
coredump_dir /var/spool/squid