On Sunday 21 February 2016 at 12:56:03, secoonder wrote:

> My Firewall eth0: 192.168.1.180
> eth1: 192.168.2.180

I'm guessing that eth0 is your route to the Internet, and eth1 points towards the clients trying to use Squid?

> ip_forwarding enable and more /proc/sys/net/ipv4/ip_forward = 1
> iptables -t nat -A POSTROUTING -s 192.168.5.0/255.255.255.0 -o eth0 -j MASQUERADE

So, there's at least one more router (connecting 192.168.2.180 to 192.168.5.0/24) between the clients and Squid...?

> This is no problem above it. The clients could connect to the internet.

You mean, they can connect directly without using Squid at all. Okay, so network routing is working, at least.

> And then i install squid 3.2.11.

Why? That's nearly 3 years old - it dates from April 2013.

> i added iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128 and save it.

Okay, so you are correctly doing the NAT on the machine running Squid.

Just out of interest, which distribution of Linux are you running on this machine, and which version of it?

> i redirect successfully 80 port. i see it at tailf /var/log/squid3/access.log

Please show us what gets logged in access.log when a client tries to connect, and make sure you tell us what they were trying to connect to.

Also, it would be a good idea to make sure that Squid itself is working before trying to add the interception - configure one client to explicitly use the proxy on IP 192.168.2.180, and make some requests from that client and make sure both that they work, and they show up in Squid's access.log.

> But clients cannot access the internet.
> My squid3 -k parse...

Please show us your squid.conf file without comments or blank lines.

> 2016/02/21 14:20:56| Processing: http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem

I strongly recommend that you keep things simple and avoid any SSL bumping until the basics are working.

Let's get HTTP intercept working first, and then you can think about SSL later (oh, and by the way, I saw no NAT rule to intercept SSL traffic on port 443 earlier, so I strongly suspect there's nothing to get bumped anyway, unless you have explicit proxy configuration in your clients).

Regards,

Antony.

-- 
"In fact I wanted to be John Cleese and it took me some time to realise that the job was already taken." - Douglas Adams

Please reply to the list; please *don't* CC me.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
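The checks Antony walks through above (ip_forward on, a PREROUTING REDIRECT of tcp/80 into the proxy, MASQUERADE on the outside interface, and the missing tcp/443 rule that leaves ssl-bump with nothing to bump) can be run against an `iptables-save` dump. This is an added example, not code from the thread; the dump below is constructed from the two rules secoonder quoted, and the interface and proxy port are parameters rather than anything Squid itself reports.

```python
"""Audit an iptables-save nat table for a Squid transparent-intercept setup."""

# Constructed sample: the two NAT rules quoted in the thread, as iptables-save prints them.
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Options whose value is the next token; everything else (e.g. -m tcp) is skipped.
VALUE_OPTS = {"-i", "-o", "-p", "-s", "-d", "-j", "--dport", "--to-ports"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict {chain, option: value}; None otherwise."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1]}
    i = 2
    while i < len(toks):
        if toks[i] in VALUE_OPTS and i + 1 < len(toks):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def redirected_ports(rules, in_iface, proxy_port):
    """TCP destination ports that PREROUTING redirects from in_iface to the proxy port."""
    return {r["--dport"] for r in rules
            if r["chain"] == "PREROUTING" and r.get("-j") == "REDIRECT"
            and r.get("-p") == "tcp" and r.get("-i") == in_iface
            and r.get("--to-ports") == proxy_port and "--dport" in r}


def check_intercept(dump, in_iface="eth1", proxy_port="3128", ip_forward=1):
    """Return a list of findings (empty means the basic intercept plumbing is present)."""
    rules = [r for r in map(parse_rule, dump.splitlines()) if r]
    ports = redirected_ports(rules, in_iface, proxy_port)
    findings = []
    if ip_forward != 1:
        findings.append("net.ipv4.ip_forward is not 1")
    if "80" not in ports:
        findings.append("no REDIRECT of tcp/80 from %s to port %s" % (in_iface, proxy_port))
    if "443" not in ports:
        findings.append("no REDIRECT of tcp/443: ssl-bump has nothing to bump")
    if not any(r["chain"] == "POSTROUTING" and r.get("-j") == "MASQUERADE" for r in rules):
        findings.append("no MASQUERADE rule in POSTROUTING")
    return findings
```

Feed it the output of `iptables-save -t nat` on the Squid box; on the thread's rules it reports only the absent tcp/443 redirect.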