Re: Squid as default gateway in proxy mode.



iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

OK, it worked after one restart. I don't know what the problem was, but it
worked. But it still didn't drop the connections with this command; I can
still SSH and even send/receive email:

iptables -t filter -P FORWARD DROP

as shared, so that I can open all the ports one by one.

Thanks


On Fri, Apr 20, 2012 at 8:15 PM, Muhammad Yousuf Khan <sirtcp@xxxxxxxxx> wrote:
On Sat, Apr 14, 2012 at 3:40 PM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
Hello,

Muhammad Yousuf Khan <sirtcp@xxxxxxxxx> wrote:

Now the problem is that I want to ping an outside host to verify internet
connectivity, and for that I have to open the SSH console and ping every
time. But what I want is to also be able to ping it from the host
computers as well. However, I don't want to NAT all the traffic coming
from inside and going outside; rather, what I want is to NAT only ICMP
Echo Request and Reply so that I can at least ping an outside host

As Joe wrote, this is not the right way to do things. See below.

without SSHing into the Squid console, which is very bothersome.
My network diagram is very simple:

<Squid Box>--------eth0(192.18.30.2)----------------------<192.168.30.1 ISP Router>
       I
       I
   eth1(192.168.1.1)
       I
       I
   (local network 192.168.1.0/24)


And the reason I am using Squid as a gateway is that I just want to
minimize the number of unwanted nodes that need to be monitored all the
time, and get better control over traffic with the iptables firewall. I am
using this line to NAT very specific ports to allow certain facilities
like email, remote desktop and so on, and this is working for me.

iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE

This is not the right way to do things. NAT is not intended for
filtering. By not masquerading outgoing traffic, you just let packets go
out with their original source address instead of dropping them. You
just rely on the ISP router not knowing how to handle the original
source address. This is wrong.

The right way is to only accept specific traffic through your router, and
then NAT all traffic that was allowed to go out. OK, it is a bit more
complicated.

# NAT everything that leaves via eth0 (the outside interface)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Drop forwarded traffic unless a rule below accepts it
iptables -t filter -P FORWARD DROP
# Allow replies and related packets of connections already accepted
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
# Allow new outbound POP3 connections only
iptables -t filter -A FORWARD -o eth0 -m state --state NEW \
  -p tcp --dport 110 -j ACCEPT

Sorry for the late response, but I was stuck on some other tasks.
Now it's my time to hit my head against the wall: I tried every single
configuration on the internet, but I can neither reach nor ping the
destination with the example below. Even fwbuilder generates the same
script, but it's not working.
However, my outside interface was eth1 and inside eth0, so I replaced my
settings accordingly, but it doesn't work either.
Please share:

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

I checked several websites telling me the same thing, but I cannot
ping the outside destination 8.8.4.4, which is Google DNS. I am lost;
kindly help.

Now I am stuck on allowing the ping traffic. Please help:

iptables -t filter -A FORWARD -o eth0 -p icmp --icmp-type echo-request \
  -j ACCEPT

Joe wrote:
only TCP and UDP have 'ports'

No. ICMP does not have ports, but other protocols such as SCTP and DCCP
have ports too.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/4F89541A.8080501@xxxxxxxxxxxxxxx



--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/CAGWVfM=zeBd0QLwPQmcSmvEzm8JDuUu1mswfW1ZDfuuF+7KAQg@xxxxxxxxxxxxxx