On 21/07/17 07:07, erdosain9 wrote:
Hi, and thank you all.
Well this is the diagram.
INTERNET
+
+
FIREWALL (10.1.158.1/24)
+
+
+
SQUID (2 interfaces) 10.1.158.2/24
192.168.1.20/24
This machine called SQUID needs to be configured as a router.
You mentioned the GW route for the device below, but what are the two GW
routes (10/8 gw ??? , and 192.168/16 gw ???) this SQUID machine should have?
+
+
ROUTERWIFI (WAN: static ip 192.168.1.40/24, gw 192.168.1.20) (LAN: 192.168.0.1/24)
That looks okay.
But double-check that this machine is *NOT* performing NAT on any of the
outgoing packets sent to 192.168.1.20.
squid config:
acl red1 src 192.168.1.0/24
That permits the ROUTERWIFI machine to send traffic from itself (only)
to Squid. Such traffic should be an extreme rarity - usually just you
testing HTTP connectivity from that machine manually.
This Squid should be expecting to receive traffic from 192.168.0.0/24
machines. If you do not change this I expect you will start to see
DENIED lines being logged by Squid when you fix the packet arrival problem.
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 20000
acl SSL_ports port 10000
acl SSL_ports port 2083
acl Safe_ports port 631 # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443 # httpsalt
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # edesur and others
NP: those 8080 and 8443 are included in the 1025-65535 entry above.
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow red1
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 192.168.1.20:3128
http_port 192.168.1.20:3129 intercept
You should not have to specify any IP address here.
eg.
http_port 3128
http_port 3129 intercept
Squid will then be able to receive the NAT'd traffic no matter what
system NAT rules contain.
...
#Your refresh_pattern
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private
NP: ignore-no-cache no longer exists.
SECURITY WARNING: using ignore-no-store for images will cache Captcha
images, user avatar icons, personal content from private accounts (think
snapchat and facebook photos type of stuff).
ignore-private is not so bad in the latest Squid releases as it used
to be, but it will not cause much of a HIT ratio increase over default
behaviour either.
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_nameservers 8.8.8.8 8.8.4.4
Use of 8.8.8.8 and 8.8.4.4 in a Squid which is intercepting traffic
causes a lot of problems - mostly in the form of "Host verify" security
alerts and major reduction in HTTP traffic caching.
To work around those problems you need a local DNS server which both
your client machines and Squid use for recursive resolving. That DNS
server can use 8.8.8.8 and 8.8.4.4 as its upstream forwarders if you
actually still need it - having your own local resolver pretty much
obsoletes all the benefits 8.8.8.8 claim to provide.
-----------------------------------------------------------------------
I tried this, nothing works...
---------------------------------------------------------------------------------------------------------------------------------------------
iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:3129
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
------------------------------------------------------------------------------------------------------------------------------------------------
iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
-----------------------------------------------------------------------------------------------------------------------------------------------
Both of those look fine for the NAT rules on the SQUID box - they only do
the NAT part, not any of the packet routing.
The problem I think is in the routing setup on the SQUID machine, and
maybe the ROUTERWIFI.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
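The script below is an added example for readers of this thread; it is not code from either poster or from the Squid project. It turns Amos's points into something checkable: one function prints the routing and NAT commands the SQUID box would need for the diagram above, and a small lint flags the squid.conf lines discussed (the red1 subnet, http_port bound to an IP, ignore-no-cache, ignore-no-store, and the public resolver). The interface names eth0/eth1, the use of 192.168.1.20 as the local resolver in the corrected fragment, and both config fragments are assumptions constructed for the example. The return route to 192.168.0.0/24 via 192.168.1.40 only works if ROUTERWIFI is not NATing its LAN behind its WAN address, which is exactly the check Amos asks for.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses come from the diagram above;
# interface names and the local resolver address are assumptions.

WAN_IF=${WAN_IF:-eth0}     # assumed: carries 10.1.158.2/24, towards FIREWALL
LAN_IF=${LAN_IF:-eth1}     # assumed: carries 192.168.1.20/24, towards ROUTERWIFI
FW_GW=10.1.158.1           # FIREWALL, default gateway for the SQUID box
WIFI_WAN=192.168.1.40      # ROUTERWIFI WAN address, next hop for the wifi LAN
WIFI_LAN=192.168.0.0/24    # clients behind ROUTERWIFI
INTERCEPT_PORT=3129

# Print (do not run) the routing and NAT commands the SQUID box needs.
# The return route to $WIFI_LAN via $WIFI_WAN only works if ROUTERWIFI
# is not NATing, so the client addresses actually arrive at SQUID.
squid_box_routing() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace default via $FW_GW dev $WAN_IF
ip route replace $WIFI_LAN via $WIFI_WAN dev $LAN_IF
# only intercept what arrives from the wifi clients, never locally generated traffic
iptables -t nat -A PREROUTING -i $LAN_IF -s $WIFI_LAN -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# nothing may reach the intercept port directly from the outside interface
iptables -t mangle -A PREROUTING -i $WAN_IF -p tcp --dport $INTERCEPT_PORT -j DROP
EOF
}

# Report the squid.conf problems raised in the thread, one per line, and
# return how many were found (0 means the file passed).
lint_squid_conf() {
    n=0
    grep -Eq '^acl red1 src 192\.168\.1\.0/24' "$1" &&
        echo "red1: matches ROUTERWIFI's WAN subnet, clients are in $WIFI_LAN" && n=$((n+1))
    grep -Eq '^http_port +[0-9.]+:[0-9]+' "$1" &&
        echo "http_port: bound to an IP, use a bare port so NAT'd traffic is accepted" && n=$((n+1))
    grep -Eq '^refresh_pattern .*ignore-no-cache' "$1" &&
        echo "refresh_pattern: ignore-no-cache no longer exists" && n=$((n+1))
    grep -Eq '^refresh_pattern .*ignore-no-store' "$1" &&
        echo "refresh_pattern: ignore-no-store caches captchas, avatars and private images" && n=$((n+1))
    grep -Eq '^dns_nameservers .*8\.8\.8\.8' "$1" &&
        echo "dns_nameservers: public resolver behind interception causes Host verify alerts" && n=$((n+1))
    return $n
}

# Constructed fragments: the lines the thread discusses, as posted and as
# they would look after the advice above (192.168.1.20 as local resolver is assumed).
posted_conf() {
    cat <<'EOF'
acl red1 src 192.168.1.0/24
http_port 192.168.1.20:3128
http_port 192.168.1.20:3129 intercept
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private
dns_nameservers 8.8.8.8 8.8.4.4
EOF
}

fixed_conf() {
    cat <<'EOF'
acl red1 src 192.168.0.0/24
http_port 3128
http_port 3129 intercept
refresh_pattern -i \.jpg$ 30 0% 30
dns_nameservers 192.168.1.20
EOF
}

# Demo: show the commands, then lint both fragments.
squid_box_routing
for f in posted_conf fixed_conf; do
    tmp=$(mktemp)
    $f >"$tmp"
    echo "== $f"
    lint_squid_conf "$tmp" && echo "no findings" || echo "findings: $?"
    rm -f "$tmp"
done
```

Run it with sh to see the generated commands and both lint results; nothing in it touches the system. The printed ip and iptables commands are meant to be reviewed, adjusted to the real interface names, and then run as root on the SQUID box.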