Hi,
For over two weeks I have been having a real headache configuring squid transparent/intercept.
I have tried different options and configurations but I couldn't get it to work.
I think the problem lies in the iptables / NAT but I really couldn't solve it.
I have tried different iptables rules, including the intercept LinuxDnat / sysctl configuration, but it didn't work.
# your proxy IP
SQUIDIP=X.X.X.X
# your proxy listening port
SQUIDPORT=XXXX
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
I have to say that squid works well when I configure it in the client browsers.
At the MikroTik side, I am using a DST-NAT chain, port 80, protocol TCP, action dst-nat to the Squid IP address and port.
I am using Ubuntu Server 15.04 with squid 3.3.8 and this is my configuration and the errors I get:
            ------ eth0 WAN <----- MAIN WAN Public IP Internet
MK------|
            ------ eth1 LAN
        |
            ------ eth2 Proxy

            ------ eth0 WAN ---> Public IP --> Internet
                                 --> gets internet from 24online / another Mikrotik
Squid---|
            ------ eth1 Proxy
        |
            ------ eth2 webmin --> For server management
- error1: if no intercept/transparent and no iptables is configured
  - Invalid URL - The requested URL could not be retrieved
  - but if the proxy is configured in the user browser - it works!
- error2: if intercept and iptables DNAT is configured
  - Access Denied, and in the access log TCP_MISS/403
  - no forward proxy port configured
  - security alert: host header forgery detected on local=SquidIP:8080 remote=mikrotikIP (local ip does not match any domain name)
  - warning: forwarding loop detected (X-Forwarded-For: mikrotik LAN IP)
squid.conf

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080
http_port 8181
cache_mem 2000 MB
cache_dir ufs /var/spool/squid3 100000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy
----------------------------------------
I am really confused, can anyone guide me please.
Thanks in advance
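Added example from the editor, not part of the post above: a POSIX shell script covering the two things Squid's intercept mode depends on. Squid recovers the client's real destination by querying the local kernel NAT table, so the REDIRECT has to be performed on the Squid host itself (an upstream router doing dst-nat leaves Squid seeing only its own address, which is what the host header forgery check flags), and only an http_port carrying the intercept flag performs that lookup. It assumes Squid listens on 8181 with intercept, clients arrive on eth1, the uplink is eth0 (all assumed names), and that the router delivers port-80 traffic by routing rather than dst-nat so Squid's own outbound requests are not sent back to it.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout (names are
# assumptions): Squid listens on 8181 with the intercept flag, client traffic
# arrives on eth1, Squid's own uplink is eth0. The router must deliver port 80
# traffic here by routing, not dst-nat, or Squid's outbound requests loop back.
SQUID_PORT=8181
LAN_IF=eth1
WAN_IF=eth0

# Read a squid.conf on stdin; succeed only if an uncommented http_port line for
# port $1 (optionally "ip:port") carries the intercept flag. Squid performs the
# original-destination lookup only on such ports; redirected traffic arriving
# on a plain http_port is rejected as "Invalid URL".
has_intercept_port() {
    grep -v '^[[:space:]]*#' \
      | grep -E "^[[:space:]]*http_port[[:space:]]+([^[:space:]]*:)?$1([[:space:]]|$)" \
      | grep -Eq "[[:space:]]intercept([[:space:]]|$)"
}

# Print the netfilter rules for the Squid host. REDIRECT runs locally so the
# kernel NAT table Squid consults holds the client's real destination; the
# mangle rule blocks direct connections to the intercept port. Call the script
# with "apply" as first argument to execute the rules instead of printing them.
intercept_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUID_PORT -j DROP
EOF
}

if [ "$1" = apply ]; then
    intercept_rules | sh
else
    intercept_rules
fi
```

Pipe the running squid.conf into `has_intercept_port 8181` before applying the rules; a non-zero exit means the port receiving redirected traffic is a plain forward-proxy port.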