Diladele conflicting iptables settings


Ashima Loomba

Jan 21, 2015, 6:08:42 AM1/21/15
to quintolabs-content-se...@googlegroups.com


Hi,

I am configuring Diladele 4 on Xubuntu 14.04 LTS. Everything is working fine. Now that I have put some iptables rules in place, I am not able to browse.
My Xubuntu box has two NICs, one for the external connection and one for the internal connection, so I would like it to work as a simple gateway. Here are my firewall settings.

______________________________________________________________
#!/bin/bash
#Simple Firewall Script.

EXT_DEV=eth0
INT_DEV=eth1
INT_NET=192.168.11.0/24
echo  $EXT_DEV
echo $INT_DEV
echo $INT_NET

# Flush all existing chains and default everything to DROP
#sudo /sbin/iptables -F
sudo iptables -F
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP

### Loopback device OK
sudo iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
sudo iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

sudo iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
sudo iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
sudo iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT

### Allow all Internal traffic to Server
sudo iptables -A INPUT -i $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT
sudo iptables -A OUTPUT -o $INT_DEV -s $INT_NET -d $INT_NET -j ACCEPT

###############################################################
### OUTBOUND Rule: Allow ALL packets out the external device
sudo iptables -A OUTPUT -o $EXT_DEV -j ACCEPT
sudo iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -j ACCEPT

###############################################################
### MASQUERADING: All packets from the internal network will
### appear as if they had originated from the firewall.
sudo iptables -t nat -A POSTROUTING -o $EXT_DEV -s $INT_NET -j MASQUERADE


sudo iptables -A INPUT -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i $EXT_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 20 -j ACCEPT
sudo iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT
sudo iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 22  -j ACCEPT

sudo iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT
sudo iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT

sudo iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 80 -j ACCEPT
sudo iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 443 -j ACCEPT

# New INBOUND Connection: LDAPS Server (over SSL)
sudo iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 636 -j ACCEPT
# New INBOUND Connection: IMAPS Server (over SSL)
sudo iptables -A INPUT -i $EXT_DEV -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT


___________________________________
If I put these firewall settings in place, browsing stops. But if I use these settings without Diladele, browsing is allowed (of course the proxy setting is then "no proxy").
If I run Diladele without the firewall, it works fine. So I guess there is a conflict between them.

How do I solve this?
Thanks,
Ashima.

Raymond Norton

Jan 21, 2015, 12:44:36 PM1/21/15
to quintolabs-content-se...@googlegroups.com
Browsing stops for the local browser, or for workstations configured to use this box as a proxy?

If this is the proxy, I am not seeing a rule allowing port 3128.

Ashima Loomba

Jan 21, 2015, 1:24:28 PM1/21/15
to quintolabs-content-se...@googlegroups.com
Hi,
Browsing stops in the local browser. I need to check on the workstations; I guess it stops for them too.

I thought rules allowing port 3128 are required only if we are running in transparent mode. I am running Squid in non-transparent mode.
If so, can you help with writing the rule?

Thank you
Ashima
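The rule Raymond points to and Ashima asks for, as an added example that is not part of the thread and not Diladele's or Squid's own code. It assumes Squid listens on TCP 3128 (the port Raymond names), reuses the interface and network values from Ashima's script, and uses the same `-m state` matching her script already uses. `IPT` defaults to `echo iptables`, so running the file only prints the rules; set `IPT="sudo iptables"` to apply them. The unrestricted loopback rules are included because the script's 127.0.0.0/8-only loopback rules do not match a local browser that reaches the proxy through the box's LAN address; whether that is the cause here is an assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not code from the thread: proxy-port rules for Squid in
# non-transparent mode, to sit alongside Ashima's firewall script.
# Assumed values: Squid listens on TCP 3128; INT_DEV/INT_NET match the script.
# IPT defaults to "echo iptables" (dry run); set IPT="sudo iptables" to apply.

IPT="${IPT:-echo iptables}"
INT_DEV="${INT_DEV:-eth1}"
INT_NET="${INT_NET:-192.168.11.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"   # assumed Squid listen port

proxy_rules() {
    # Loopback without the 127.0.0.0/8 restriction: a browser on the box
    # itself that points at the proxy via the box's LAN address still goes
    # over lo, but with 192.168.11.x addresses, which the 127/8-only rules
    # in the original script do not match, so the DROP policy wins.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # New connections from LAN workstations to the proxy port only. If this
    # replaces the script's broad INT_NET-to-INT_NET ACCEPT, the proxy port
    # is the only service on the box reachable from the LAN.
    $IPT -A INPUT -i "$INT_DEV" -s "$INT_NET" -p tcp --syn --dport "$PROXY_PORT" \
        -m state --state NEW -j ACCEPT

    # Follow-up packets in both directions; the OUTPUT rule matters because
    # the OUTPUT policy is DROP, so Squid's replies to the LAN would otherwise
    # be discarded.
    $IPT -A INPUT  -i "$INT_DEV" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$INT_DEV" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Number of rules the function emits; a quick sanity check of a dry run.
proxy_rule_count() {
    proxy_rules | grep -c .
}

proxy_rules
```

Run the file as-is to review the five rules it would add, then with `IPT="sudo iptables"` to apply them after the script's flush and policy lines; `sudo iptables -L INPUT -n --line-numbers` shows where they landed relative to the rest of the ruleset.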