iptables, squid and all related stuff
on 19.05.2004 11:23:24 by Luca Ferrari
Hi,
I've got a problem with my firewall/proxy machine. I'm using iptables to
firewall packets and squid as proxy server for http on the port 8080. Each
client in my subnet has the proxy set.
Now one client needs to access a special web service, available at port X on
server Y thru a set of asp pages. I've enabled the connection thru the
firewall for Y:X, but the client is still unable to connect to the service.
There are no errors from my side, no packet logged, but a TCP_MISS in squid
logs. I have tried to enable an acl as the following:
acl web_service port X
.....
http_access web_service
but it's still not working. Any idea?
Thanks,
Luca
--
Luca Ferrari,
fluca1978@virgilio.it
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: iptables, squid and all related stuff
on 19.05.2004 12:09:35 by cditrani
> Hi,
> I've got a problem with my firewall/proxy machine. I'm using iptables to
> firewall packets and squid as proxy server for http on the port 8080.
> Each client in my subnet has the proxy set.
> Now one client needs to access a special web service, available at port X
> on server Y thru a set of asp pages. I've enabled the connection thru the
> firewall for Y:X, but the client is still unable to connect to the
> service.
> There are no errors from my side, no packet logged, but a TCP_MISS in squid
> logs. I have tried to enable an acl as the following:
> acl web_service port X
>
> ....
> http_access web_service
>
> but it's still not working. Any idea?
Is the client for this web service the browser? If not - if it's some
3rd-party app - it might not be using the proxy server and trying to
connect directly. We had this problem with a product licensing app that had
a hard-wired ip address and used socket directly, ignoring the proxy.
CD
Re: iptables, squid and all related stuff
on 19.05.2004 12:25:20 by Luca Ferrari
On Wednesday 19 May 2004 12:09 cditrani@livedata.com's cat walking on the
keyboard wrote:
> > Hi,
> > I've got a problem with my firewall/proxy machine. I'm using iptables to
> > firewall packets and squid as proxy server for http on the port 8080.
> > Each client in my subnet has the proxy set.
> > Now one client needs to access a special web service, available at port X
> > on server Y thru a set of asp pages. I've enabled the connection thru the
> > firewall for Y:X, but the client is still unable to connect to the
> > service.
> > There are no errors from my side, no packet logged, but a TCP_MISS in
> > squid logs. I have tried to enable an acl as the following:
> > acl web_service port X
> >
> > ....
> > http_access web_service
> >
> > but it's still not working. Any idea?
>
> Is the client for this web service the browser? If not - if it's some
> 3rd-party app - it might not be using the proxy server and trying to
> connect directly. We had this problem with a product licensing app that had
> a hard-wired ip address and used socket directly, ignoring the proxy.
The access is done thru the web browser, as the application uses as well.
Nevertheless the firewall already allows connection to such address, so I
believe it's a proxy problem.
Luca
--
Luca Ferrari,
fluca1978@virgilio.it
Re: iptables, squid and all related stuff
on 19.05.2004 19:01:31 by Luca Ferrari
On Wednesday 19 May 2004 14:46 Adam Lang's cat walking on the keyboard
wrote:
> You didn't tell it what to do with that acl.
>
> http_access allow web_service
>
> Make sure you put it in front of any deny rules that would block it. Life
> will be easier if you just add it to the safe_port list and put a comment
> at the end so you know what it is for.
>

Thanks,
I've added the X port to the Safe_ports of the squid acls and now everything
is right.
Luca
--
Luca Ferrari,
fluca1978@virgilio.it
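
Added example (not part of the thread and not Squid's own code): a simplified Python model of how Squid walks http_access lines top to bottom, showing why the allow rule had to come before the deny rules and why adding the port to Safe_ports also works. The squid.conf fragments are constructed, port 81 is an assumed stand-in for port X, and only "port" ACLs plus the catch-all "all" are modelled.

```python
# Simplified model of Squid's http_access evaluation (added example). Only
# "port" ACLs and the catch-all "all" are modelled; 81 stands in for port X.
ACLS = "acl Safe_ports port 80 21 443 1025-65535\nacl web_service port 81\n"
AS_POSTED = ACLS + "http_access web_service\n"      # no allow/deny keyword
ALLOW_LATE = ACLS + ("http_access deny !Safe_ports\n"
                     "http_access allow web_service\nhttp_access deny all\n")
ALLOW_FIRST = ACLS + ("http_access allow web_service\n"
                      "http_access deny !Safe_ports\nhttp_access deny all\n")
# "allow all" stands in for the rule that admits the local subnet
SAFE_PORT = ACLS + ("acl Safe_ports port 81  # web service on server Y\n"
                    "http_access deny !Safe_ports\nhttp_access allow all\n")

def parse(conf):
    acls, rules = {"all": None}, []          # None matches every request
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "port":
            ranges = acls.setdefault(tok[1], [])   # same name accumulates
            for spec in tok[3:]:
                lo, _, hi = spec.partition("-")
                ranges.append((int(lo), int(hi or lo)))
        elif tok and tok[0] == "http_access":
            if len(tok) < 3 or tok[1] not in ("allow", "deny"):
                raise ValueError("http_access needs allow or deny: " + raw)
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(acls, name, port):
    ranges = acls[name.lstrip("!")]
    hit = ranges is None or any(lo <= port <= hi for lo, hi in ranges)
    return hit != name.startswith("!")       # a leading "!" negates the ACL

def decide(conf, port):
    """Return (action, deciding rule) for a request to the given port."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(matches(acls, n, port) for n in names):   # ACLs are ANDed
            return action, " ".join(names)
    # nothing matched: Squid applies the opposite of the last rule
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(default)"

if __name__ == "__main__":
    for label, conf in [("allow after deny", ALLOW_LATE),
                        ("allow before deny", ALLOW_FIRST),
                        ("port in Safe_ports", SAFE_PORT)]:
        print(label, decide(conf, 81))
```

In this model the Safe_ports variant still denies every other unlisted low port, so the exception stays limited to the one service.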