
RE: apt fails behind tranparent proxy



Well, apparently not resolved. Remove the DROP rules and check whether the
workstations resolve with apt-get update. I recommend you do not work with
interfaces because you can get confused. Would this be something basic:

#!/bin/sh
# Accept replies to connections conntrack already knows, on all three chains
for u in INPUT FORWARD OUTPUT; do
    iptables -A $u -m state --state RELATED,ESTABLISHED -j ACCEPT
done

LAN=192.168.100.0/24
IPSQUID=192.168.100.2
iptables -N PERMITS-SQUID
iptables -N PERMITS-SSH
iptables -N PERMITS-DNS
iptables -N PERMITIS-WEB
iptables -N PERMITIS-WEB-SSL

# Transparent proxy: DNAT is a nat-table target, so PREROUTING needs -t nat
iptables -t nat -A PREROUTING -s $LAN -p tcp -m tcp --dport 80 -j DNAT \
    --to-destination $IPSQUID:3128

iptables -A INPUT -p tcp -m tcp --dport 3128 -j PERMITS-SQUID
iptables -A INPUT -p tcp -m tcp --dport 22 -j PERMITS-SSH

iptables -A FORWARD -p udp -m udp --dport 53 -j PERMITS-DNS
iptables -A FORWARD -p tcp -m tcp --dport 80 -j PERMITIS-WEB
iptables -A FORWARD -p tcp -m tcp --dport 443 -j PERMITIS-WEB-SSL

iptables -A OUTPUT -p udp -m udp --dport 53 -j PERMITS-DNS
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j PERMITIS-WEB

iptables -A PERMITS-SSH -d $IPSQUID -p tcp -m tcp --sport 1024: --dport 22 \
    -m state --state NEW -m comment --comment "SSH INPUT" -j ACCEPT

# here could be more strictly tied by the mac of each workstation
iptables -A PERMITS-SQUID -s $LAN -d $IPSQUID -p tcp -m tcp --sport 1024: \
    --dport 3128 -m state --state NEW -j ACCEPT
iptables -A PERMITS-DNS -s $LAN -p udp -m udp --dport 53 -j ACCEPT
iptables -A PERMITIS-WEB -s $LAN -p tcp -m tcp --sport 1024: --dport 80 \
    -m state --state NEW -j ACCEPT
iptables -A PERMITIS-WEB-SSL -s $LAN -p tcp -m tcp --sport 1024: --dport 443 \
    -m state --state NEW -j ACCEPT

# Default policies last, so nothing is cut off while the rules above are loading
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP




-----Original Message-----
From: Joakim Seeberg [mailto:debian@seebergit.dk]
Sent: Monday, 08 November 2010 06:25 p.m.
To: debian-firewall@lists.debian.org
Subject: apt fails behind tranparent proxy

Hi, I have a Debian lenny server that I use as a transparent proxy with a
web filter. For this I use an iptables script, squid3 and squidguard.
With lenny workstations apt-get update often fails, but this never happens
with squeeze workstations. All workstations get their IP address and DNS from
the DHCP server. The transparent proxy works as expected when browsing. The
iptables script is from a howto, so my question is whether anything in the
script explains the apt-get behavior.

The apt-get update errors are (from memory):
  could not resolve "debian-mirror-hostname"
  could not download "debian-mirror-hostname" Release.gpg

The sources.list contains several mirrors (backports, multimedia,
security, ...) but only some fail, and not the same ones every time I run
apt-get update.

#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT)
# aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
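The two scripts above trip over the same handful of things: a NAT target used outside the nat table, a DROP policy with no conntrack ACCEPT, and a proxy host that must still resolve and fetch on its own behalf once OUTPUT is DROP. As an added example, not code from either poster, here is a small checker that reads iptables commands (the argument part of each call, with shell variables expanded by hand) and reports those pitfalls. The sample rule list is constructed from the reply's rules with $LAN and $IPSQUID expanded; it assumes, as both scripts do, that squid runs on the firewall host itself, and it ignores interface and address matches (-i, -o, -s, -d).

```python
"""Lint iptables commands for the transparent-proxy pitfalls this thread turns on.
Each input string is the argument part of one `iptables` call, shell variables already expanded."""
import shlex
from typing import Any, Callable, Dict, List

Rule = Dict[str, Any]
NAT_TARGETS = {"DNAT", "SNAT", "REDIRECT", "MASQUERADE"}
LONG = {"--table": "-t", "--append": "-A", "--new-chain": "-N", "--policy": "-P",
        "--protocol": "-p", "--jump": "-j", "--in-interface": "-i", "--out-interface": "-o"}
ONE_ARG = {"-t": "table", "-p": "proto", "--dport": "dport", "-j": "target",
           "--to-destination": "to", "--to": "to", "--to-port": "to"}
SKIP = {"-m", "-s", "-d", "-i", "-o", "--sport", "--comment"}   # one argument, not evaluated


def parse_rule(command: str) -> Rule:
    """Reduce one iptables command to the fields the checks below need."""
    argv = shlex.split(command)
    rule: Rule = {"table": "filter", "cmd": None, "chain": None, "policy": None, "proto": None,
                  "dport": None, "states": set(), "target": None, "to": None, "text": command}
    i = 0
    while i < len(argv):
        opt = LONG.get(argv[i], argv[i])
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if opt == "-P":                                   # -P CHAIN POLICY takes two arguments
            rule.update(cmd="policy", chain=nxt, policy=argv[i + 2])
            i += 1
        elif opt in ("-A", "-N"):
            rule.update(cmd="append" if opt == "-A" else "new", chain=nxt)
        elif opt == "--state":
            rule["states"] = set(nxt.split(","))
        elif opt in ONE_ARG:
            rule[ONE_ARG[opt]] = nxt
        elif opt not in SKIP:                             # bare flag such as -F or -X
            i -= 1
        i += 2
    return rule


def accepts(rules: List[Rule], chain: str, pred: Callable[[Rule], bool]) -> bool:
    """True if an ACCEPT rule satisfying `pred` is reachable from filter chain `chain` via -j."""
    user_chains = {r["chain"] for r in rules if r["cmd"] == "new"}
    seen, todo = set(), [chain]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for r in rules:
            if r["table"] == "filter" and r["cmd"] == "append" and r["chain"] == cur:
                if r["target"] == "ACCEPT" and pred(r):
                    return True
                if r["target"] in user_chains:
                    todo.append(r["target"])
    return False


def opens(proto: str, port: str) -> Callable[[Rule], bool]:
    """Rule admits new proto/port traffic; fields it leaves unconstrained match anything."""
    return lambda r: (r["proto"] in (None, proto) and r["dport"] in (None, port)
                      and (not r["states"] or "NEW" in r["states"]))


def lint(commands: List[str]) -> List[str]:
    rules = [parse_rule(c) for c in commands]
    out: List[str] = []
    # 1. DNAT/REDIRECT/MASQUERADE exist only in the nat table; without -t nat the command is refused.
    out += [f"{r['target']} outside the nat table (add -t nat): {r['text']}"
            for r in rules if r["target"] in NAT_TARGETS and r["table"] != "nat"]
    # 2. A DROP policy without a conntrack ACCEPT drops the replies to every allowed connection.
    policy = {r["chain"]: r["policy"] for r in rules if r["cmd"] == "policy" and r["table"] == "filter"}
    out += [f"{c} policy DROP without an ESTABLISHED,RELATED ACCEPT rule" for c, p in policy.items()
            if p == "DROP" and not accepts(rules, c, lambda r: "ESTABLISHED" in r["states"])]
    # 3. Proxy on the firewall host itself (assumed, as in both scripts here): INPUT must accept
    #    the redirected port, and with OUTPUT DROP the proxy still needs DNS and outbound HTTP.
    for r in rules:
        if r["target"] == "DNAT" and r["to"] and ":" in r["to"]:
            port = r["to"].rsplit(":", 1)[1]
            if policy.get("INPUT") == "DROP" and not accepts(rules, "INPUT", opens("tcp", port)):
                out.append(f"INPUT policy DROP but nothing accepts tcp/{port} for redirected traffic")
            if policy.get("OUTPUT") == "DROP":
                for proto, p, what in (("udp", "53", "DNS lookups"), ("tcp", "80", "HTTP fetches")):
                    if not accepts(rules, "OUTPUT", opens(proto, p)):
                        out.append(f"OUTPUT policy DROP blocks the proxy's own {what} ({proto}/{p})")
    return out


# Constructed sample: the reply's rules with $LAN and $IPSQUID expanded by hand (SSH, HTTPS and
# the FORWARD service chains left out for brevity); the PREROUTING rule is as posted, without -t nat.
REPLY_RULES = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-N PERMITS-SQUID", "-N PERMITS-DNS", "-N PERMITIS-WEB",
    "-A PREROUTING -s 192.168.100.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.2:3128",
    "-A INPUT -p tcp -m tcp --dport 3128 -j PERMITS-SQUID",
    "-A OUTPUT -p udp -m udp --dport 53 -j PERMITS-DNS",
    "-A OUTPUT -p tcp -m tcp --dport 80 -j PERMITIS-WEB",
    "-A PERMITS-SQUID -s 192.168.100.0/24 -d 192.168.100.2 -p tcp -m tcp --sport 1024: --dport 3128 -m state --state NEW -j ACCEPT",
    "-A PERMITS-DNS -s 192.168.100.0/24 -p udp -m udp --dport 53 -j ACCEPT",
    "-A PERMITIS-WEB -s 192.168.100.0/24 -p tcp -m tcp --sport 1024: --dport 80 -m state --state NEW -j ACCEPT",
    "-P INPUT DROP", "-P FORWARD DROP", "-P OUTPUT DROP",
]

if __name__ == "__main__":
    print("\n".join(lint(REPLY_RULES) or ["no findings"]))
```

Run as-is it reports only the misplaced DNAT rule; prefix that one command with `-t nat` and `lint()` returns nothing, while dropping the three conntrack lines makes every DROP policy light up. The checker follows `-j` into user chains but does not evaluate addresses or interfaces, so it can miss a rule that is reachable yet never matches the packet in question.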


Archive: http://lists.debian.org/4CD886CC.2050702@seebergit.dk





