Re: Squid Transparent Proxy not work

duren duren wrote:
I have a server running squid (transparent proxy) on an
Ubuntu Linux server (squid installed using apt-get).
This server has two interfaces, eth0 to the internet &
eth1 to the LAN.

this is my squid.conf

## --- squid.conf -----
http_port 192.168.10.1:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_vary on
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 8 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 51200 KB
minimum_object_size 0 KB
ipcache_size 2048
ipcache_low 98
ipcache_high 99
fqdncache_size 2048
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid 5000 18 256
access_log /var/log/squid/access.log squid
cache_log /dev/null
cache_store_log /dev/null
emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/share/squid/mime.conf
log_mime_hdrs off
pid_filename /var/run/squid.pid
log_fqdn off
ftp_user admin@server
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
hosts_file /etc/hosts
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .      0   20%   4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443      # https
acl SSL_ports port 563      # snews
acl SSL_ports port 873      # rsync
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443      # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl Safe_ports port 631      # cups
acl Safe_ports port 873      # rsync
acl Safe_ports port 901      # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

## Client IP Address
acl client01 src 192.168.10.11/32
acl client02 src 192.168.10.12/32

## Client MAC Address
acl client01-mac arp 00:16:17:BB:2B:AF
acl client02-mac arp 00:1A:4D:44:F5:2E

# user01
http_access allow client01 client01-mac
http_access deny client01 !client01-mac
# user02
http_access allow client02 client02-mac
http_access deny client02 !client02-mac

http_access allow localhost
http_access deny all
icp_access allow all
cache_mgr admin@server
cache_effective_user proxy
cache_effective_group proxy
visible_hostname Proxy.server
always_direct allow all
coredump_dir /var/spool/squid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
store_dir_select_algorithm round-robin
## ---- end of squid.conf ----


and these are my iptables rules for the squid transparent proxy

#### USER 1
$IPT -A PREROUTING -t nat -i $LAN -s $USER1 -m mac --mac-source $MAC_USER1 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -s $USER1 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER1 -m mac --mac-source $MAC_USER1 -j DROP


Well, that's broken.
To see what it's doing go:
  iptables -t nat -L PREROUTING -v
I expect the REDIRECT counters are all '0'.
Because anything that comes in from user1 gets accepted before the REDIRECT. I think lines 2 and 1 should be reversed.

#### USER 2
$IPT -A PREROUTING -t nat -i $LAN -s $USER2 -m mac --mac-source $MAC_USER2 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -s $USER2 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER2 -m mac --mac-source $MAC_USER2 -j DROP

$IPT -A FORWARD -i $LAN -s $USER1 -m mac --mac-source $MAC_USER1 -j ACCEPT
$IPT -A FORWARD -i $LAN -s ! $USER1 -m mac --mac-source $MAC_USER1 -j DROP
$IPT -A FORWARD -i $LAN -s $USER2 -m mac --mac-source $MAC_USER2 -j ACCEPT
$IPT -A FORWARD -i $LAN -s ! $USER2 -m mac --mac-source $MAC_USER2 -j DROP

$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER2 -j MASQUERADE



when i look into /var/log/squid/access.log, i can
found client access squid.
If the client sets its browser to use the proxy at
192.168.1.10, I can see the client in
/var/log/squid/access.log

What is wrong with my squid.conf or iptables rules?
Why is the transparent proxy not working, & why must clients
set the proxy in their browser if they want to use the
proxy?

See note above on iptables rules.
Second, do you have arp-relay enabled on your network or are the clients directly connected? Without arp-relay squid will only see the MAC address of the router/bridging device that connects to the squid box. Your IP and MAC rules may be redundant.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
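The ordering problem Amos points out can be checked without a router at hand. The following is an added example, not part of the thread and not Squid or netfilter code: a small Python model of first-match traversal through the nat PREROUTING chain, using the posted USER 1 rules (IP 192.168.10.11, MAC 00:16:17:BB:2B:AF, LAN interface assumed to be eth1, squid on port 3128) and per-rule packet counters like those shown by `iptables -t nat -L PREROUTING -v`. Only the match options the post uses (-i, -s, ! -s, --mac-source, -p, --dport) are modelled. With the rules in the posted order the REDIRECT counter stays at 0 because the ACCEPT rule terminates traversal first; with rules 1 and 2 swapped, port-80 traffic from user 1 is redirected while other traffic is still accepted and IP/MAC mismatches are still dropped.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from the quoted post (user 1's IP and MAC); interface is an assumption.
LAN = "eth1"
USER1 = "192.168.10.11"
MAC_USER1 = "00:16:17:BB:2B:AF"
SQUID_PORT = 3128


@dataclass
class Packet:
    in_iface: str
    src_ip: str
    src_mac: str
    proto: str = "tcp"
    dport: int = 80


@dataclass
class Rule:
    """One nat PREROUTING rule; only the match options used in the post are modelled."""
    target: str                        # ACCEPT, REDIRECT or DROP (all terminating here)
    in_iface: Optional[str] = None     # -i
    src: Optional[str] = None          # -s
    src_negate: bool = False           # -s ! <ip>
    mac_source: Optional[str] = None   # -m mac --mac-source
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    to_port: Optional[int] = None      # --to-port (REDIRECT only)
    packets: int = 0                   # pkts counter, as shown by iptables -v

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        # With negation the rule matches every source EXCEPT self.src.
        if self.src is not None and (p.src_ip == self.src) == self.src_negate:
            return False
        if self.mac_source is not None and p.src_mac.upper() != self.mac_source.upper():
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def traverse(chain: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule decides; its counter is bumped, later rules are never
    consulted, so an unreachable REDIRECT stays at 0 packets."""
    for rule in chain:
        if rule.matches(p):
            rule.packets += 1
            return rule.target, rule.to_port
    return "POLICY_ACCEPT", None   # nat PREROUTING default policy


def user1_rules_as_posted() -> List[Rule]:
    return [
        Rule("ACCEPT", in_iface=LAN, src=USER1, mac_source=MAC_USER1),
        Rule("REDIRECT", in_iface=LAN, src=USER1, proto="tcp", dport=80, to_port=SQUID_PORT),
        Rule("DROP", in_iface=LAN, src=USER1, src_negate=True, mac_source=MAC_USER1),
    ]


def user1_rules_reordered() -> List[Rule]:
    """Amos's suggestion: put the REDIRECT before the blanket ACCEPT."""
    rules = user1_rules_as_posted()
    rules[0], rules[1] = rules[1], rules[0]
    return rules


def redirect_count(chain: List[Rule]) -> int:
    return sum(r.packets for r in chain if r.target == "REDIRECT")


if __name__ == "__main__":
    legit_http = Packet(LAN, USER1, MAC_USER1)              # user 1, port 80
    spoofed = Packet(LAN, "192.168.10.99", MAC_USER1)       # user 1's MAC, wrong IP
    for label, chain in (("as posted", user1_rules_as_posted()),
                         ("reordered", user1_rules_reordered())):
        print(label, "http:", traverse(chain, legit_http),
              "spoofed:", traverse(chain, spoofed),
              "REDIRECT pkts:", redirect_count(chain))
```

Running the block prints the verdict for each ordering; in the "as posted" chain the REDIRECT counter is 0 after user 1's port-80 packet, exactly what Amos expects the `-v` listing to show.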
