Need help with Firewall on FC4

ArthurDent · 01-03-2006, 09:54 AM

Hello Chaps, Happy new Year to all,

I am trying to set up a Squid proxy server and I have done so successfully on this (FC4) machine. The problem is that I cannot access it from any other PC in the house.

By a process of elimination I have worked out that this is caused by my firewall. When I disable it I can access the proxy server from other machines - turned on I can't.

The thing is FC4 comes with a pre-configured (Iptables) firewall and I don't want to mess it up. I really don't understand Iptables - it's a complete black art to me!

All I want to do is to allow access from IP addresses in the range 192.168.100.100-110 (I've only got a couple of PC's and a couple of laptops + some spare for visitors) to the FC4 box (which is on 192.168.100.101) running squid. I want to make sure that the requests really originate from those machines but otherwise that's all I want to achieve.

Can anyone explain in words of one syllable how to do this?

Many thanks in advance...

Mark

notorp · 01-03-2006, 10:27 AM

Have you tried using firestarter: http://www.fs-security.com/

or you could add under su permission to access the port you are using for squid (default 3128)

Depending on your firewall rules this will vary somthing that looks like:

Code:

iptables -A INBOUND -p tcp --dport 3128 -j ACCEPT

This allow you to control access via acl in squid.conf

Or you could use a command like this

Code:

iptables -A INBOUND -p tcp -m tcp -xxx.xxx.xxx.xxx --dport 3128 -j ACCEPT

For each ip address or use the appropriate netmask /24 for all 192.168.0.0 to .255.

In the examples above INBOUND is the rule set which maybe different on your system something like

RH-Firewall-1-INPUT for FC4 out of the box so try the following:

Code:

iptables -A RH-Firewall-1-INPUT -p tcp -m tcp -192.168.100.100 --dport 3128 -j ACCEPT

and try and access the proxy via the machine 192.168.100.100 unless that is the server then change the numbers you get the picture.

One last thing if you su then unless you su -l you'll wnat /sbin/iptables

notorp · 01-03-2006, 10:43 AM

If you get things to work remember to save the rule set otherwise you will have to set them up each time you start your machine.

Code:

iptables-save > /etc/sysconfig/iptables-new

cd /etc/sysconfig
cp iptables iptables.old

cp iptables-new iptables

ArthurDent · 01-03-2006, 11:01 AM

Hi notorp,

Thanks very much. This was (very close to) exactly what I was looking for. Unfortunately it doesn't quite work...

Code:

[root@localhost Installs]# /sbin/iptables -A RH-Firewall-1-INPUT -p tcp -m tcp -192.168.100.100 --dport 8080 -j ACCEPT
iptables v1.3.0: Unknown arg `-m'
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost Installs]#

On another (sort of related) subject...

Whilst I have got the firewall turned off I notice that I can now browse for, and find, the windows shares on my network - something I could never do before (without a great deal of pain). I would really like to be able to do this.

I checked out the "Shields Up" website with Iptables turned off and I still get a complete good bill of health. I guess this means that much of the firewalling is being done by the router.

Anyhow - I feel that I am close to a solution...

What should I try next?

Thanks again...

notorp · 01-07-2006, 01:15 PM

Firstly SORRY I didn't get right back to you but my computer died and I've just had to rebuild it. I think I have chosen the wrong motherboard as it isn't very Linux compatible at the moment!

Not your problem though!

Secondly sorry I'm a berk and mistyped the command over and over it should read:

Code:

iptables -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.100.100 --dport 3128 -j ACCEPT

Can you see the missing -s instead of -192.168.100.100 the "s" tell it what the source is!

Try the above and see if it works.