
Squid transparent proxy with one nic access denied problem.


 



Hello! Thank you in advance for your help.
I have a fairly simple home network setup. I have a modem (192.168.2.254) that connects to the internet. Connected to that modem through its own WAN port I have an OpenWrt router (192.168.1.1). My internal network is the 192.168.1.0/24 one. On the router I have connected an Ubuntu 13.10 box (192.168.1.20) that acts as a squid proxy and DNS among other things. The Ubuntu box has one network card.
I had successfully installed a transparent squid proxy by using DNAT and SNAT on the router using the 12.04 version of Ubuntu. Because of some problems with my UPS I tried to install Ubuntu 13.10, which solved the UPS problem but also upgraded the squid package to 3.3.8 from 3.1.something. My squid configuration is as follows:

#--Squid server 192.168.1.20---------------------------------------------------
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl squid-prime dstdomain "/etc/squid3/squid-prime.acl"
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny squid-prime
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128  #HAVE tried transparent and intercept but the problem persists
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320
dns_nameservers 8.8.8.8 #have tried to use the local dns 127.0.0.1 but the same problem
#-------------------------------------------------------

I have tried disabling the dns server of ubuntu because I have heard
of some problem it can cause to squid.

My router (192.168.1.1) SNAT DNAT configuration is (openwrt luci gui)
1) MATCH: From IP not 192.168.1.20 in lan Via any router IP at port 80
FORWARD TO: IP 192.168.1.20, port 3128 in lan
2) MATCH: From any host in lan To IP 192.168.1.20, port 3128 in lan
    Rewrite to source IP 192.168.1.1

The error I get with the above configuration is a constant Access Denied error in the browser, and the squid access log shows:
#---------------------------------------------------------------------
92      0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
1392590851.593      1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
1392590856.653      0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
1392590856.653      1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
1392590861.742      0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
1392590861.742      1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
1392590866.878      0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
1392590866.878     26 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
1392590871.903      0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
1392590871.903      1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
1392590876.893      0 192.168.1.20 TCP_MISS/403 3985 GET http://notify7.dropbox.com/subscribe? - HIER_NONE/- text/html
1392590876.893      1 192.168.1.1 TCP_MISS/403 4090 GET http://notify7.dropbox.com/subscribe? - HIER_DIRECT/192.168.1.20 text/html
1392590876.992      0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
1392590876.993      1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
1392590878.600      0 192.168.1.20 TCP_MISS/403 4390 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_NONE/- text/html
1392590878.601     26 192.168.1.1 TCP_MISS/403 4495 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_DIRECT/192.168.1.20 text/html
1392590882.093      0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
1392590882.093      1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
1392590887.153      0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
1392590887.153      1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
1392590889.524      0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
1392590889.525     79 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
1392590890.301      0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
1392590890.302      1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
#----------------------------------------------------------------------------------------------------



Thank you in advance!



-- 
Spyros Vlachos.
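
Added example, not part of the original post: a check over access.log entries in the format shown above that flags requests Squid forwarded to its own address (HIER_DIRECT/192.168.1.20) and pairs each with the same request arriving from that address. The proxy IP and the first four sample lines are taken from the post (unwrapped); the last sample line and all function names are constructed for illustration.

```python
import re
from collections import namedtuple

PROXY_IP = "192.168.1.20"  # Squid box address, as given in the post

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)
Entry = namedtuple("Entry", "ts client status method url hier peer")

def parse(text):
    """Parse unwrapped access.log lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(float(m["ts"]), m["client"], int(m["status"]),
                                 m["method"], m["url"], m["hier"], m["peer"]))
    return entries

def find_self_loops(entries, proxy_ip=PROXY_IP, window=0.5):
    """Return (outer, inner) pairs. outer: a client request whose upstream peer
    is the proxy's own IP. inner: the same method and URL logged from the
    proxy's own IP within `window` seconds, or None if no such entry exists."""
    inner = [e for e in entries if e.client == proxy_ip and e.hier == "HIER_NONE"]
    pairs = []
    for outer in entries:
        if outer.peer != proxy_ip or outer.client == proxy_ip:
            continue
        match = next((i for i in inner
                      if i.url == outer.url and i.method == outer.method
                      and abs(i.ts - outer.ts) <= window), None)
        pairs.append((outer, match))
    return pairs

# First four lines: from the post's log. Last line: constructed, a normal fetch.
SAMPLE = """
1392590856.653      0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
1392590856.653      1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
1392590878.600      0 192.168.1.20 TCP_MISS/403 4390 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_NONE/- text/html
1392590878.601     26 192.168.1.1 TCP_MISS/403 4495 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_DIRECT/192.168.1.20 text/html
1392590900.000    120 192.168.1.1 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

if __name__ == "__main__":
    for outer, inner in find_self_loops(parse(SAMPLE)):
        print(outer.method, outer.url, "-> self;",
              "inner status", inner.status if inner else "not found")
```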



