Dear All
I have squid proxy server running in my office, my users are able to access internet through thier browser which is pointing to squid, but my outlook users are not able to send / receive mail. Configured proxy as transparent proxy mode and also have iptables script running, my squid box is configured as router, but still my users not able to send mails..... Enclosed the our squid config & firewall script. Can anyone pls. help me out at the earliest.
Regards
Sakthi
**** Squid ****
#Default:
http_port 8080
acl all src 0.0.0.0/0.0.0.0
acl ismartchn src "/etc/squid/ismartchn"
acl citibank src "/etc/squid/citibank"
acl firstflight src "/etc/squid/firstflight"
acl backoffice src "/etc/squid/backoffice"
acl scbbackoffice src "/etc/squid/scbbackoffice"
acl suntv src "/etc/squid/suntv"
acl rejected_urls url_regex "/etc/squid/rejected_urls"
acl allowed_citi dstdomain "/etc/squid/allowed_citi"
acl allowed_ff dstdomain "/etc/squid/allowed_ff"
acl allowed_scb dstdomain "/etc/squid/allowed_scb"
acl allowed_suntv dstdomain "/etc/squid/allowed_suntv"
http_access deny rejected_urls
http_access allow citibank allowed_citi ismartchn
http_access allow firstflight allowed_ff ismartchn
http_access allow scbbackoffice allowed_scb ismartchn
http_access allow suntv allowed_suntv ismartchn
http_access deny !ismartchn
http_access deny all
#Default:
httpd_accel_host virtual
httpd_accel_port 8080
#Default:
httpd_accel_with_proxy on
#Default:
httpd_accel_uses_host_header on
***** Firewall *******
# Internet Configuration
INET_IP="58.68.25.186"
INET_IFACE="eth1"
INET_BROADCAST="58.68.25.255"
# Lan Configuration
LAN_IP="192.168.100.10"
LAN_IP_RANGE="192.168.100.0/16"
LAN_BROADCAST_ADDRESS="192.168.100.255"
LAN_IFACE="eth0"
# LOCAL Host Configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"
# IPTABLES Configuration
#IPTABLES="/etc/sysconfig/iptables"
# Module Loading
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Creating chain for bad_tcp_packet chain
iptables -N bad_tcp_packets
# Creating Separate chains for ICMP,TCP & UDP
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
# bad_tcp_packets chain
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not Syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# ALLOWED Chain
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j ACCEPT
# TCP RUles
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 23 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 23 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 8080 -j allowed
#iptables -A tcp_packets -p TCP -s 0/0 --dport 3128 -j allowed
# Dropping MULTICAST
iptables -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP
# UDP Ports
iptables -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
# Dropping DHCP request from outside Network
iptables -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP
#ICMP Rules
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# INPUT CHain
# Bad TCP PACKETS
iptables -A INPUT -p TCP -j bad_tcp_packets
# Rules for Special Networks not part of INternet
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT
# RULES for INCOMING Packets from the INternet
iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Dropping Multicast Packets
iptables -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
# LOG weird packets that don't match the abvoe
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died"
# FORWARD Chain Rules
# BAD TCP Packets
iptables -A FORWARD -p tcp -j bad_tcp_packets
# Accept packets we wwant to forward
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LOG weird packets that don't match the abvoe
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died"
# OUTPUT CHAIN
# BAD TCP PACKETS we dont'want
iptables -A OUTPUT -p tcp -j bad_tcp_packets
# Special OUTPUT Rules to decide which IP's to allow
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
# LOG weird packets that don't match the abvoe
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died"
# IP Forwarding and NAT
iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
iptables -t nat -A POSTROUTING -p TCP -s 0/0 -o $INET_IFACE --dport 25 -j SNAT --to-source $INET_IP
iptables -t nat -A POSTROUTING -p TCP -s 0/0 -o $INET_IFACE --dport 110 -j SNAT --to-source $INET_IP
iptables -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 8080
I have squid proxy server running in my office, my users are able to access internet through thier browser which is pointing to squid, but my outlook users are not able to send / receive mail. Configured proxy as transparent proxy mode and also have iptables script running, my squid box is configured as router, but still my users not able to send mails..... Enclosed the our squid config & firewall script. Can anyone pls. help me out at the earliest.
Regards
Sakthi
**** Squid ****
#Default:
http_port 8080
acl all src 0.0.0.0/0.0.0.0
acl ismartchn src "/etc/squid/ismartchn"
acl citibank src "/etc/squid/citibank"
acl firstflight src "/etc/squid/firstflight"
acl backoffice src "/etc/squid/backoffice"
acl scbbackoffice src "/etc/squid/scbbackoffice"
acl suntv src "/etc/squid/suntv"
acl rejected_urls url_regex "/etc/squid/rejected_urls"
acl allowed_citi dstdomain "/etc/squid/allowed_citi"
acl allowed_ff dstdomain "/etc/squid/allowed_ff"
acl allowed_scb dstdomain "/etc/squid/allowed_scb"
acl allowed_suntv dstdomain "/etc/squid/allowed_suntv"
http_access deny rejected_urls
http_access allow citibank allowed_citi ismartchn
http_access allow firstflight allowed_ff ismartchn
http_access allow scbbackoffice allowed_scb ismartchn
http_access allow suntv allowed_suntv ismartchn
http_access deny !ismartchn
http_access deny all
#Default:
httpd_accel_host virtual
httpd_accel_port 8080
#Default:
httpd_accel_with_proxy on
#Default:
httpd_accel_uses_host_header on
***** Firewall *******
# Internet Configuration
INET_IP="58.68.25.186"
INET_IFACE="eth1"
INET_BROADCAST="58.68.25.255"
# Lan Configuration
LAN_IP="192.168.100.10"
LAN_IP_RANGE="192.168.100.0/16"
LAN_BROADCAST_ADDRESS="192.168.100.255"
LAN_IFACE="eth0"
# LOCAL Host Configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"
# IPTABLES Configuration
#IPTABLES="/etc/sysconfig/iptables"
# Module Loading
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Creating chain for bad_tcp_packet chain
iptables -N bad_tcp_packets
# Creating Separate chains for ICMP,TCP & UDP
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
# bad_tcp_packets chain
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not Syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# ALLOWED Chain
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j ACCEPT
# TCP RUles
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 23 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 23 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 8080 -j allowed
#iptables -A tcp_packets -p TCP -s 0/0 --dport 3128 -j allowed
# Dropping MULTICAST
iptables -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP
# UDP Ports
iptables -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
# Dropping DHCP request from outside Network
iptables -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP
#ICMP Rules
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# INPUT CHain
# Bad TCP PACKETS
iptables -A INPUT -p TCP -j bad_tcp_packets
# Rules for Special Networks not part of INternet
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT
# RULES for INCOMING Packets from the INternet
iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Dropping Multicast Packets
iptables -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
# LOG weird packets that don't match the abvoe
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died"
# FORWARD Chain Rules
# BAD TCP Packets
iptables -A FORWARD -p tcp -j bad_tcp_packets
# Accept packets we wwant to forward
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LOG weird packets that don't match the abvoe
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died"
# OUTPUT CHAIN
# BAD TCP PACKETS we dont'want
iptables -A OUTPUT -p tcp -j bad_tcp_packets
# Special OUTPUT Rules to decide which IP's to allow
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
# LOG weird packets that don't match the abvoe
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died"
# IP Forwarding and NAT
iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
iptables -t nat -A POSTROUTING -p TCP -s 0/0 -o $INET_IFACE --dport 25 -j SNAT --to-source $INET_IP
iptables -t nat -A POSTROUTING -p TCP -s 0/0 -o $INET_IFACE --dport 110 -j SNAT --to-source $INET_IP
iptables -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 8080