On 18/02/2013 2:47 p.m., Ghassan Gharabli wrote:
Hello, Ive been trying to solve this problem for the past three days but wasnt successfull. I want to setup an interception proxy with DNAT. SQUID ---> MIKROTIK Router ----> CLIENT PC Squid Configure Options: --enable-ssl --enable-ssl-crtd --enable-icap-client --with-filedescriptors=8192 --enable-ltdl-convenience MY Squid config : ----------------------- # # Recommended minimum configuration: # # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # # Recommended minimum Access Permission configuration: # # Only allow cachemgr access from localhost http_access allow localhost manager http_access deny manager # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost http_access allow localnet http_access allow localhost http_access deny all http_port 0.0.0.0:8080 http_port 0.0.0.0:3128 intercept #http_port 192.168.10.4:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/ssl_cert/myCA.pem #https_port 192.168.10.4:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/ssl_cert/myCA.pem cache_dir ufs /usr/local/squid/var/cache/squid 10000 16 256 # Leave coredumps in the first cache dir coredump_dir /usr/local/squid/var/cache/squid # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 always_direct allow all acl broken_sites dstdomain .example.com ssl_bump none localhost ssl_bump none broken_sites ssl_bump server-first sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER sslproxy_cert_adapt setCommonName #sslproxy_cert_sign signTrusted sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 10MB sslcrtd_children 5 forwarded_for transparent #visible_hostname cache2.skydsl.net #offline_mode on maximum_object_size 100000 KB ERROR I AM GETTING : ---------------------------------- The following error was encountered while trying to retrieve the URL: http://www.cnn.com/ Connection to 192.168.10.4 failed. The system returned: (111) Connection refused The remote host or network may be down. Please try the request again. ---------------------------------- I tried everything was mentioned at http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat [root@cache2 ~] # iptables -t nat --list rules -P PREROUTING ACCEPT -P INPUT ACCEPT -P OUTPUT ACCEPT -P POSTROUTING ACCEPT -A PREROUTING -s 192.168.10.4/32 -p tcp -m tcp --dport 80 -j ACCEPT -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128 -A POSTROUTING -j MASQUERADE [root@cache2 ~] # iptables -t mangle --list-rules -P PREROUTING ACCEPT -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -P POSTROUTING ACCEPT -A PREROUTING -s 192.168.10.4/32 -p tcp -m tcp --dport 80 -j ACCEPT What do you think the problem might be?
Those settings are correct for Squid and the Squid box iptables. So the problem is being introduced elsewhere ...
... something along the route between client and Squid box is setting the cnn.com destination IP address to 192.168.10.4.
The Mikrotik doing DNAT? Some DNS forgery sending teh client to that IP directly? (dnsmasq) Amos