Re: Mikrotik and Squid Transparent

squid 3.3.8 and ubuntu 15.04 server

2015-06-24 15:04 GMT+03:00 Yuri Voinov <yvoinov@xxxxxxxxx>:
Squid 3.5.x?

24.06.15 18:03, Dalmar writes:
Hi,
For over two weeks I have been having a real headache configuring Squid transparent/intercept.
I have tried different options and configurations, but I couldn't get it to work.
I think the problem lies in the iptables / NAT, but I really couldn't solve it.
I have tried different iptables rules, including the intercept LinuxDnat / sysctl configuration, but it didn't work.

# your proxy IP
SQUIDIP=X.X.X.X

# your proxy listening port
SQUIDPORT=XXXX


# let the proxy's own outbound port-80 traffic through untouched (otherwise it loops back into the proxy)
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
# send everyone else's port-80 traffic to the proxy
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
# stop clients from talking to the intercept port directly
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP


I have to say that Squid works well when I configure it in the client browsers.

On the Mikrotik side, I am using a dst-nat chain rule, port 80, protocol TCP, action dst-nat to the Squid IP and port.

I am using Ubuntu Server 15.04 with Squid 3.3.8; this is my configuration and the errors I get:


Mikrotik (MK)
  |-- eth0 WAN   <----- main WAN public IP, Internet
  |-- eth1 LAN
  |-- eth2 Proxy

Squid
  |-- eth0 WAN   ---> public IP --> Internet (gets Internet from 24online / another Mikrotik)
  |-- eth1 Proxy
  |-- eth2 webmin --> for server management


- error 1: if no intercept/transparent and no iptables are configured:
  - Invalid URL - The requested URL could not be retrieved
  - but if the proxy is configured in the user's browser, it works!


- error 2: if intercept and the iptables DNAT are configured:
  - Access Denied, and in the access log TCP_MISS/403
  - no forward proxy port configured
  - security alert: host header forgery detected on local=SquidIP:8080 remote=mikrotikIP (local IP does not match any domain name)
  - warning: forwarding loop detected (X-Forwarded-For: Mikrotik LAN IP)

squid.conf

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080
http_port 8181
cache_mem 2000 MB
cache_dir ufs /var/spool/squid3 100000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy

----------------------------------------
I am really confused; can anyone guide me, please?
Thanks in advance


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
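The two symptoms in the thread (error 1 with a plain port, error 2 with DNAT done on the Mikrotik) are easy to confuse with an ACL problem. The script below is an added example, not code from the thread or from the Squid project: it checks the http_port layout of a squid.conf for the mistakes behind "Invalid URL" and "no forward proxy port configured", and it counts the "Host header forgery" and "Forwarding loop" alerts in a cache.log, reporting the remote address behind the forgery alerts (in the poster's case the Mikrotik, which is the tell-tale sign that the NAT was applied upstream of Squid rather than on the Squid host). The squid.conf fragment and the log lines are constructed samples shaped like the messages quoted in the thread; the alert regexes assume that shape.

```python
import re
from collections import Counter

# Constructed squid.conf fragment (not the poster's file): one intercept port
# for NAT-redirected traffic and one plain port for browser-configured clients.
SAMPLE_CONF = """\
http_port 8080 intercept
http_port 8181
cache_mem 2000 MB
"""

# Constructed cache.log lines shaped like the alerts reported in the thread.
# 192.0.2.10 stands for the Squid host, 192.0.2.1 for the Mikrotik router.
SAMPLE_CACHE_LOG = """\
2015/06/24 18:01:02| SECURITY ALERT: Host header forgery detected on local=192.0.2.10:8080 remote=192.0.2.1:51234 (local IP does not match any domain IP)
2015/06/24 18:01:02| SECURITY ALERT: By user agent: Mozilla/5.0
2015/06/24 18:01:03| WARNING: Forwarding loop detected for:
2015/06/24 18:01:05| SECURITY ALERT: Host header forgery detected on local=192.0.2.10:8080 remote=192.0.2.1:51240 (local IP does not match any domain IP)
2015/06/24 18:01:09| Starting Squid Cache version 3.3.8 for x86_64-pc-linux-gnu...
"""

HTTP_PORT_RE = re.compile(r'^\s*http_port\s+(\S+)((?:\s+\S+)*)\s*$')
FORGERY_RE = re.compile(r'Host header forgery detected on local=(\S+) remote=(\S+)')
LOOP_RE = re.compile(r'Forwarding loop detected')


def parse_http_ports(conf_text):
    """Return a list of (port_spec, [mode flags]) for every http_port directive."""
    ports = []
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0]          # drop trailing comments
        m = HTTP_PORT_RE.match(line)
        if m:
            ports.append((m.group(1), m.group(2).split()))
    return ports


def check_intercept_layout(conf_text):
    """Flag http_port layouts that reproduce error 1 / 'no forward proxy port'."""
    findings = []
    ports = parse_http_ports(conf_text)
    is_intercept = lambda modes: 'intercept' in modes or 'transparent' in modes
    intercept_ports = [p for p, modes in ports if is_intercept(modes)]
    plain_ports = [p for p, modes in ports if not is_intercept(modes)]
    if not intercept_ports:
        findings.append("no http_port has the intercept flag: NATed traffic arrives as "
                        "origin-form requests and is rejected with 'Invalid URL'")
    if not plain_ports:
        findings.append("no plain http_port: Squid warns 'no forward proxy port configured' "
                        "and browser-configured clients have no port to use")
    if any('transparent' in modes for _, modes in ports):
        findings.append("'transparent' is the deprecated spelling; use 'intercept'")
    return findings


def summarize_alerts(log_text):
    """Count both alert types and the remote addresses behind the forgery alerts."""
    summary = {'host_header_forgery': 0, 'forwarding_loop': 0,
               'forgery_remotes': Counter()}
    for line in log_text.splitlines():
        m = FORGERY_RE.search(line)
        if m:
            summary['host_header_forgery'] += 1
            remote_ip = m.group(2).rsplit(':', 1)[0]   # strip the port (IPv4 form)
            summary['forgery_remotes'][remote_ip] += 1
        elif LOOP_RE.search(line):
            summary['forwarding_loop'] += 1
    return summary


def diagnose(log_text):
    """Map the alert counts to the two NAT placement problems from the thread."""
    s = summarize_alerts(log_text)
    hints = []
    if s['host_header_forgery']:
        remotes = ', '.join(sorted(s['forgery_remotes']))
        hints.append(f"host header forgery alerts with remote={remotes}: the destination "
                     "rewrite happened before the packets reached the Squid host, so Squid "
                     "sees its own address as the destination and cannot validate Host")
    if s['forwarding_loop']:
        hints.append("forwarding loop: Squid's own outbound port-80 traffic is being DNATed "
                     "back to Squid; exempt the proxy's source address before the redirect")
    return hints


if __name__ == '__main__':
    for f in check_intercept_layout(SAMPLE_CONF):
        print('conf:', f)
    for h in diagnose(SAMPLE_CACHE_LOG):
        print('log:', h)
```

Run it against a real squid.conf and cache.log by replacing the two sample strings with the file contents; the conf check is deliberately limited to http_port, which is where both of the poster's error classes originate.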