Hello again! Thank you for your support. I am a little bit frustrated but I managed to test it again. Long story short, I tried every combination from the suggested links to no avail.

For the router I did the following as suggested: (I tried using lan, br-lan, eth0, eth0.1 as the nic's name because it is not obvious to me which one is the correct.)

################################################################
# permit Squid box out to the Internet
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.1.20 -j ACCEPT
# mark everything else on port 80 to be routed to the Squid box
iptables -t mangle -A PREROUTING -i lan -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
# NP: Ensure that traffic from inside the network is allowed to loop back inside again.
iptables -t filter -A FORWARD -i lan -o lan -p tcp --dport 80 -j ACCEPT
echo "201 proxy" >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table proxy
ip route add default via 192.168.1.20 table proxy
#################################################################

For the squid server I did both of the following (with a service networking restart between them)

#################################################################
# your proxy IP
SQUIDIP=192.168.1.20
# your proxy listening port
SQUIDPORT=3128
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
#################################################################

And the next trial

#################################################################
# your proxy IP
SQUIDIP=192.168.1.20
# your proxy listening port
SQUIDPORT=3128
sudo iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
#################################################################

I kept getting connection refused (no squid message) on the browser and I had nothing in the access logs. tcpdump on port 3128 showed nothing.

Thank you again!
Spyros

On 18/2/2014 10:30 PM, Niki Gorchilov wrote:
> Second NIC is unnecessary.
>
> Better go the way Amos suggested - do a policy based routing on
> OpenWRT (http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute)
> and traffic interception on Linux
> (http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat or
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect).
>
> Best,
> Niki
>
> On Tue, Feb 18, 2014 at 9:22 PM, Spyros Vlachos <spyros86@xxxxxxxxx> wrote:
>> I checked out your suggestions but I keep getting the same error...
>> I will buy a second nic and make my setup simpler.
>> Thank you!
>>
>> On 18/2/2014 3:05 AM, Spyros Vlachos wrote:
>>
>> Thank you very much! I'll try the things you suggested.
>>
>> Spyros Vlachos
>>
>>
>> On 18 Feb 2014, at 2:16 AM, Nikolai Gorchilov <niki@xxxxxxxx> wrote:
>>
>> Hi Spyros,
>>
>> Seems you're experiencing request loops, that are unrelated to your ACLs.
>>
>> Looking at the logs, we can clearly see pairs of requests for the same
>> url. Like this:
>> 1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
>> 1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
>>
>> As the logging happens at the end of transaction, records are ordered
>> by finish time, not start. They actually started in reverse order:
>> 1. First came the request from 192.168.1.1 for http://www.tvxs.gr/.
>> 2. As it was considered a MISS, your Squid decided to go directly to
>> the destination server (thus hierarchy code HIER_DIRECT)
>> 3. PROBLEM! PROBLEM! Surprisingly, Squid resolves www.tvxs.gr as
>> 192.168.1.20 and fires the request towards this IP!
>> 4. Boom! This is how the same request arrives again, this time from
>> source IP 192.168.1.20 (Squid itself). We have a loop!
>> 5. Squid detects the loop (something like "WARNING: Forwarding loop
>> detected" in cache.log) and generates an internal error response like
>> HTTP/403 Forbidden, using ERR_ACCESS_DENIED or alike. Thus hierarchy
>> code is HIER_NONE.
>> 6. The error returns in the first instance of this request after 1ms,
>> and Squid returns it to the original caller (TCP_MISS/403).
>>
>> I don't have a clear idea what is the root cause of the loop, but I'd do:
>> 1. make http_port 192.168.1.20:3128 intercept
>> 2. study carefully DNS settings of both Ubuntu and OpenWRT:
>> - /etc/resolv.conf
>> - iptables: DNS interceptions and redirections (UDP & TCP port 53)
>> - change with other public DNS services
>> - tcpdump as much as possible ;-)
>>
>> Hope this helps!
>>
>> Best,
>> Niki
>>
>> On Tue, Feb 18, 2014 at 12:05 AM, Spyros Vlachos <spyros86@xxxxxxxxx> wrote:
>> Hello! Sorry but I am new to this list and I don't know if I have sent
>> the mail correctly and if anyone can see this. Is this the case?
>> Sorry and thank you!
>>
>> On Mon, Feb 17, 2014 at 2:24 PM, Spyros Vlachos <spyros86@xxxxxxxxx> wrote:
>> Hello! Thank you in advance for your help.
>> I have a fairly simple home network setup.
>> I have a modem (192.168.2.254) that connects to the internet.
>> Connected to that modem through its own wan port
>> I have an openwrt router (192.168.1.1). My internal network is the
>> 192.168.1.0/24 one. On the router I have connected
>> an ubuntu 13.10 box (192.168.1.20) that acts as a squid proxy and dns
>> among other things. The ubuntu box has one network card.
>> I had successfully installed a transparent squid proxy by using DNAT
>> and SNAT on the router using the 12.04 version of ubuntu.
>> Because of some problems with my ups I tried to install ubuntu 13.10
>> which solved the ups problem but also
>> upgraded the squid package to 3.3.8 from 3.1.something. My squid
>> configuration is as follows:
>>
>> #--Squid server 192.168.1.20---------------------------------------------------
>> acl localnet src 192.168.1.0/24
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl squid-prime dstdomain "/etc/squid3/squid-prime.acl"
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access deny squid-prime
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> http_port 3128 #HAVE tried transparent and intercept but the problem persists
>> coredump_dir /var/spool/squid3
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>> refresh_pattern . 0 20% 4320
>> dns_nameservers 8.8.8.8 #have tried to use the local dns 127.0.0.1 but the same problem
>> #-------------------------------------------------------
>>
>> I have tried disabling the dns server of ubuntu because I have heard
>> of some problem it can cause to squid.
>>
>> My router (192.168.1.1) SNAT DNAT configuration is (openwrt luci gui)
>> 1) MATCH: From IP not 192.168.1.20 in lan Via any router IP at port 80
>> FORWARD TO: IP 192.168.1.20, port 3128 in lan
>> 2) MATCH: From any host in lan To IP 192.168.1.20, port 3128 in lan
>> Rewrite to source IP 192.168.1.1
>>
>> The error I get by using the above configurations is a constant Access
>> denied Error in the browser and in the squid access log is
>> #---------------------------------------------------------------------
>> 92 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590851.593 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590856.653 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590856.653 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590861.742 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590861.742 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590866.878 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590866.878 26 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590871.903 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590871.903 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590876.893 0 192.168.1.20 TCP_MISS/403 3985 GET http://notify7.dropbox.com/subscribe? - HIER_NONE/- text/html
>> 1392590876.893 1 192.168.1.1 TCP_MISS/403 4090 GET http://notify7.dropbox.com/subscribe? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590876.992 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590876.993 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590878.600 0 192.168.1.20 TCP_MISS/403 4390 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_NONE/- text/html
>> 1392590878.601 26 192.168.1.1 TCP_MISS/403 4495 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590882.093 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590882.093 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590887.153 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590887.153 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590889.524 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
>> 1392590889.525 79 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
>> 1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
>> 1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
>> #----------------------------------------------------------------------------------------------------
>>
>> Thank you in advance!
>>
>> --
>> Spyros Vlachos.
>>
>> --
>> Spyros Vlachos.
>>
>> --
>> Spyros Vlachos

--
Spyros Vlachos
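The forwarding-loop signature Niki reads out of the access log above (an outer request whose peer is the proxy's own address, paired with a second copy of the same request arriving from the proxy itself and ending in HIER_NONE) can be checked mechanically rather than by eye. The script below is an added example written for this thread, not code from the list or from the Squid project. It parses Squid's native access.log format, assumes the proxy's own address is 192.168.1.20 as in the thread, and runs over a constructed sample made of the tvxs.gr lines quoted above plus one healthy request so the detector has a negative case:

```python
"""Detect Squid forwarding-loop pairs in native access.log output (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption taken from the thread: the Squid box's own address.
PROXY_IP = "192.168.1.20"

# Constructed sample: the loop pairs quoted in the thread, plus one healthy
# request (constructed, with a made-up upstream address) that must NOT be flagged.
SAMPLE_LOG = """\
1392590889.524      0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
1392590889.525     79 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
1392590890.301      0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
1392590890.302      1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
1392590900.000    120 192.168.1.1 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""


@dataclass
class Entry:
    ts: float          # finish time (Squid logs at end of transaction)
    elapsed_ms: int    # transaction duration, so start = ts - elapsed_ms/1000
    client: str
    status: str        # e.g. TCP_MISS/403
    method: str
    url: str
    hierarchy: str     # e.g. HIER_DIRECT, HIER_NONE
    peer: str          # upstream host Squid forwarded to, or '-'


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for anything malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts, elapsed = float(f[0]), int(f[1])
    except ValueError:
        return None
    hierarchy, _, peer = f[8].partition("/")
    return Entry(ts, elapsed, f[2], f[3], f[5], f[6], hierarchy, peer)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def self_forwarded(text: str, proxy_ip: str = PROXY_IP) -> Counter:
    """URLs Squid tried to fetch from its own address: the DNS/NAT symptom itself."""
    return Counter(e.url for e in parse_log(text) if e.peer == proxy_ip)


def loop_pairs(text: str, proxy_ip: str = PROXY_IP, slack: float = 0.005
               ) -> List[Tuple[Entry, Entry]]:
    """Pair each self-forwarded (outer) request with the looped-back (inner) copy.

    The inner copy comes from the proxy itself, is refused (HIER_NONE), and must
    finish inside the outer request's lifetime [start, finish] (plus a little slack).
    """
    entries = parse_log(text)
    inner = defaultdict(list)
    for e in entries:
        if e.client == proxy_ip and e.hierarchy == "HIER_NONE":
            inner[(e.method, e.url)].append(e)
    pairs = []
    for outer in entries:
        if outer.peer != proxy_ip:
            continue
        start = outer.ts - outer.elapsed_ms / 1000.0 - slack
        finish = outer.ts + slack
        for cand in inner.get((outer.method, outer.url), []):
            if start <= cand.ts <= finish:
                pairs.append((outer, cand))
                break
    return pairs


if __name__ == "__main__":
    for outer, inner in loop_pairs(SAMPLE_LOG):
        print(f"loop: {outer.client} -> squid -> {outer.peer} for {outer.url} "
              f"(inner copy from {inner.client} at {inner.ts:.3f})")
```

Run against a real access.log the same way (`loop_pairs(open("/var/log/squid3/access.log").read())`); a non-empty result, or any entry in `self_forwarded`, is the condition Niki describes, and the fix lies in name resolution or in NAT rules that catch the proxy's own outbound port-80 traffic, not in the http_access ACLs.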