On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
> I have this in my squid server for it to work:

The key words there are ... *in my Squid server*

Reet did it on the router. Which was the first mistake. The router needs routing rules (not NAT) to deliver the clients' packets to the Squid machine, where the interception happens like below.

The second mistake was the http_port configuration. Squid requires two http_port lines. Port 3128 for regular proxy traffic, and another random port for interception (our how-tos use 3129).

> *mangle
> :PREROUTING ACCEPT [190:618576]
> :INPUT ACCEPT [190:618576]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [163:41506]
> :POSTROUTING ACCEPT [166:42334]
> -A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3129 -m comment
> --comment "002 drop squid direct traffic http - we only allow captured
> traffic" -j DROP
> -A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3130 -m comment
> --comment "002 drop squid direct traffic https - we only allow captured
> traffic" -j DROP
> COMMIT

NOTE to Klavs: loading the "multiport" kernel module seems overkill for a single-port match.
> # Completed on Wed Apr 1 10:28:22 2015
> # Generated by iptables-save v1.4.21 on Wed Apr 1 10:28:22 2015
> *nat
> :PREROUTING ACCEPT [1:36]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [30:2079]
> :POSTROUTING ACCEPT [30:2079]
> -A PREROUTING -s $myip/32 -p tcp -m multiport --dports 80 -m comment
> --comment "000 allow squid http - so its traffic does not get captured"
> -j ACCEPT
> -A PREROUTING -s $myip/32 -p tcp -m multiport --dports 443 -m comment
> --comment "000 allow squid https - so its traffic does not get captured"
> -j ACCEPT
> -A PREROUTING -p tcp -m multiport --dports 80 -m comment --comment "001
> capture http to squid" -j DNAT --to-destination $myip:3129
> -A PREROUTING -p tcp -m multiport --dports 443 -m comment --comment "001
> capture https to squid" -j DNAT --to-destination $myip:3130
> COMMIT
> # Completed on Wed Apr 1 10:28:22 2015
> # Generated by iptables-save v1.4.21 on Wed Apr 1 10:28:22 2015
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1:184]
> -A INPUT -p tcp -m multiport --ports 3129 -m comment --comment "000
> allow squid http intercept" -j ACCEPT
> -A INPUT -p tcp -m multiport --ports 3130 -m comment --comment "000
> allow squid https intercept" -j ACCEPT
> -A INPUT -p tcp -m multiport --ports 3128 -m comment --comment "000
> allow squid proxy" -j ACCEPT
>
> and squid conf (mind you - squid 3.4)
> ssl_bump server-first all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_children 8 startup=1 idle=1
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s
> /etc/ssl/certs/cache/ -M 4MB
> https_port 3130 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> key=/etc/squid/ca.private cert=/etc/squid/ca.cert
> shutdown_lifetime 3
> always_direct allow all
> sslproxy_cert_error allow all
> http_port 3129 intercept

FYI: DONT_VERIFY_PEER, "always_direct allow all", and "sslproxy_cert_error allow all" have not been good ideas since 3.2.
dont-verify actually inhibits the Mimic functions which give server-first bumping most of its usefulness.

> Reet Vyas wrote on 06/02/2015 02:31 PM:
>> I am trying to configure transparent squid proxy on ubuntu 14.04 Server
>> and squid 3.3 version I am using
>>
>> My Lan and Wan settings
>>
>> eth0 Link encap:Ethernet HWaddr 00:1e:67:cf:59:74
>> inet addr:116.72.*.* Bcast:116.72.155.255 Mask:255.255.252.0
>> inet6 addr: fe80::21e:67ff:fecf:5974/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:238950 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:236104 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:22219047 (22.2 MB) TX bytes:17390502 (17.3 MB)
>> Interrupt:16 Memory:d0a00000-d0a20000
>>
>> eth1 Link encap:Ethernet HWaddr 00:1e:67:cf:59:75
>> inet addr:192.168.0.200 Bcast:192.168.0.255
>> Mask:255.255.255.0
>> inet6 addr: fe80::21e:67ff:fecf:5975/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:96965 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:11785 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:10764615 (10.7 MB) TX bytes:7151763 (7.1 MB)
>> Interrupt:17 Memory:d0900000-d0920000

Er, thems not settings. Thems traffic statistics.
Not that it matters, but give these a try:
  ip addr show
  ip -4 route show
  ip -6 route show

>>
>> my squid.conf file
>>
>> acl mynet src 116.72.152.37 192.168.0.0/16 # RFC1918 possible internal network
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow mynet
>> http_access allow localhost
>> http_access allow all
>> http_port 3128

One listening port set up to receive explicit proxy traffic (ie from a manually configured browser).

... missing an intercept port.

>> cache_dir ufs /usr/local/cache 10000 16 256
>> coredump_dir /var/spool/squid3
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200
>> refresh_pattern . 0 20% 4320
>>
>>
>> but when I use 192.168.0.200 in my client machine as gateway ...
>> internet is not working and I can't see logs in access.log
>>
>> But when I use this IP in my browser it is working and showing logs but
>> with my tplink router gateway i.e 192.168.0.1.
>>
>> IPTable rules :
>> num target prot opt source destination
>> 1 DNAT tcp -- anywhere anywhere tcp
>> dpt:http to:192.168.0.200:3128
>> 2 REDIRECT tcp -- anywhere anywhere tcp
>> dpt:http redir ports 3128
>>
>> Chain INPUT (policy ACCEPT)
>> num target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> num target prot opt source destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> num target prot opt source destination
>>
>>
>> Please tell me what I am missing in IPtables and squid3 configuration.
>> I tried both transparent as well as intercept option but I think I have
>> issue with iptables or maybe configuration issue.
>>

see the wiki page(s):

One of these two configs on the router:
<http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute>

This one on the Squid box:
<http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
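As an added example (not part of this thread, and not a Squid project tool): a small Python checker that reads a squid.conf plus the nat-table lines of iptables-save and flags the mistakes discussed above, namely no http_port marked intercept, NAT rules aimed at the explicit proxy port instead of the intercept port, and the three TLS-weakening directives. The two input sets are constructed to mirror Reet's and Klavs' setups, not copied verbatim.

```python
import re

# Directives the thread calls out as unwise since Squid 3.2.
RISKY = ("sslproxy_flags DONT_VERIFY_PEER", "always_direct allow all", "sslproxy_cert_error allow all")

def squid_ports(conf):
    """Return (explicit_ports, intercept_ports) from http_port/https_port lines."""
    explicit, intercept = set(), set()
    for line in conf.splitlines():
        m = re.match(r"\s*https?_port\s+(?:[\w.\[\]:]+:)?(\d+)(.*)", line)
        if m:
            port, opts = int(m.group(1)), set(m.group(2).split())
            (intercept if opts & {"intercept", "transparent", "tproxy"} else explicit).add(port)
    return explicit, intercept

def nat_targets(rules):
    """Squid-side ports that nat REDIRECT/DNAT rules deliver captured traffic to."""
    pat = re.compile(r"-j (?:REDIRECT --to-ports |DNAT --to-destination \S*?:)(\d+)")
    return {int(m.group(1)) for m in map(pat.search, rules.splitlines()) if m}

def check(conf, rules):
    """List the problems found; an empty list means ports and rules are consistent."""
    explicit, intercept = squid_ports(conf)
    problems = []
    if not intercept:
        problems.append("no http_port/https_port marked 'intercept': captured traffic has nowhere to go")
    for port in sorted(nat_targets(rules) - intercept):
        problems.append(f"NAT sends captured traffic to port {port}, which is not an intercept port")
    for port in sorted(explicit & intercept):
        problems.append(f"port {port} serves both explicit-proxy and intercepted traffic")
    for d in RISKY:
        if re.search(r"^\s*" + re.escape(d) + r"\b", conf, re.M):
            problems.append(f"'{d}' weakens TLS checks and has been discouraged since 3.2")
    return problems

# Constructed inputs modelled on the two setups quoted in the thread (not copied verbatim).
REET_CONF = "http_port 3128\ncache_dir ufs /usr/local/cache 10000 16 256\n"
REET_NAT = ("-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.200:3128\n"
            "-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128\n")
KLAVS_CONF = ("http_port 3128\nhttp_port 3129 intercept\n"
              "https_port 3130 intercept ssl-bump cert=/etc/squid/ca.cert\n"
              "sslproxy_flags DONT_VERIFY_PEER\nalways_direct allow all\n"
              "sslproxy_cert_error allow all\n")
KLAVS_NAT = ("-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.200:3129\n"
             "-A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.200:3130\n")

if __name__ == "__main__":
    for name, conf, nat in (("Reet", REET_CONF, REET_NAT), ("Klavs", KLAVS_CONF, KLAVS_NAT)):
        print(name, *check(conf, nat) or ["ok"], sep="\n  ")
```

Run it against real files with `check(open("/etc/squid/squid.conf").read(), subprocess.check_output(["iptables-save", "-t", "nat"], text=True))`; the router-side policy-routing rules from the wiki page above are not NAT and are out of scope for this check.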