
Re: 4.0.21 Ssl bump access denied


 



On 13/11/17 01:25, snable snable wrote:
Access.log shows for www.heise.de over https:

NECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.731      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.836      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html


ORIGINAL_DST is the server IP your system NAT tables say the client is connecting to.

So the above means the NAT system is intercepting the client at 192.168.1.200 connecting to the webserver at 192.168.1.222:443.



On 12.11.2017 12:46 "snable snable" wrote:

        Hey,

        thanks.

        I'll post in detail:

        I have an OpenWrt box. Clients are attached there to the
        192.168.2.0/24 network via NAT. I attached the router as a WAN
        device on my 192.168.1.0/24, with 192.168.1.254 as my internet
        gateway.

        I have a squidbox with Squid 4 running on ports 3128, 3129 and
        3130. I forward the traffic from the OpenWrt via:

        iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s 192.168.1.222
        iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
        iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 443 -s 192.168.1.222
        iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 443
        ip rule add fwmark 3 table 2
        ip route add default via 192.168.1.222 dev eth0.2 table 2

        On the squid box I redirected it via:

        iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
        iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


There are no rules above preventing the NAT system intercepting the Squid outbound traffic.

Please see the iptables rules documented at: <https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>.

-j ACCEPT in the *mangle* table only means iptables does not do your MARKing. It has no effect on these NAT table operations.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
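Editor's added example, not part of the thread and not Squid project code: a small POSIX shell script that checks for the loop Amos describes above. It first scans access.log for intercepted requests whose fake CONNECT target or ORIGINAL_DST is the proxy host itself (the NAT layer handing Squid its own outbound connection back), then checks that the nat-table PREROUTING chain carries an ACCEPT for the proxy's own source address ahead of its REDIRECT rules, which is where the posted mangle-table ACCEPT would have needed to be. The proxy address 192.168.1.222 and the first two log lines are taken from the thread; the remaining log lines, both "iptables -t nat -S PREROUTING" listings and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the interception loop
# Amos diagnoses: (1) access.log entries where the NAT layer told Squid the
# client was connecting to the proxy host itself, and (2) whether the nat-table
# PREROUTING chain exempts the proxy's own address before its REDIRECT rules.
# Only the proxy address 192.168.1.222 and the first two log lines come from
# the thread; everything else below is constructed for the example.

SQUID_IP="192.168.1.222"

# Constructed access.log in Squid's native "squid" log format:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
# Lines 1-2 are the thread's (unwrapped); lines 3-4 are a healthy request to a
# TEST-NET-3 address (RFC 5737), added for contrast.
SAMPLE_LOG='1510489280.731      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.836      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html
1510489301.004      1 192.168.1.200 NONE/200 0 CONNECT 203.0.113.10:443 - HIER_NONE/- -
1510489301.120    143 192.168.1.200 TCP_MISS/200 18211 GET https://www.heise.de/ - ORIGINAL_DST/203.0.113.10 text/html'

# Constructed "iptables -t nat -S PREROUTING" output equivalent to the rules
# in the original post: REDIRECT with no exemption for the proxy's own traffic.
POSTED_NAT='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# The same chain with the ACCEPT placed in the nat table, ahead of REDIRECT
# (an ACCEPT in the mangle table, as posted, never touches this chain).
FIXED_NAT='-P PREROUTING ACCEPT
-A PREROUTING -s 192.168.1.222/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -s 192.168.1.222/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# find_loops PROXY_IP < access.log
# Prints lines where the intercepted CONNECT target, or the ORIGINAL_DST that
# Squid then forwarded to, is the proxy host itself.
find_loops() {
    awk -v me="$1" '
        ($6 == "CONNECT" && index($7, me ":") == 1) ||
        ($9 == ("ORIGINAL_DST/" me)) { print }'
}

# count_loops PROXY_IP  -> number of such lines in SAMPLE_LOG
count_loops() {
    printf '%s\n' "$SAMPLE_LOG" | find_loops "$1" | wc -l | tr -d ' '
}

# nat_exempts_proxy PROXY_IP < "iptables -t nat -S PREROUTING" output
# Exit 0 when an ACCEPT for "-s PROXY_IP/32" precedes every REDIRECT/DNAT
# rule in the chain, exit 1 otherwise.
nat_exempts_proxy() {
    awk -v me="$1" '
        /-j ACCEPT/ && index($0, "-s " me "/32 ") { exempt = 1 }
        /-j (REDIRECT|DNAT)/ && !exempt { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# report_chain LABEL RULES  -> one line saying whether RULES pass the check
report_chain() {
    if printf '%s\n' "$2" | nat_exempts_proxy "$SQUID_IP"; then
        echo "$1: proxy traffic exempted ahead of REDIRECT"
    else
        echo "$1: no nat-table ACCEPT for $SQUID_IP ahead of REDIRECT (loop possible)"
    fi
}

# Stand-alone run over the constructed samples.
echo "loop-suspect access.log lines for $SQUID_IP:"
printf '%s\n' "$SAMPLE_LOG" | find_loops "$SQUID_IP"
report_chain "posted rules" "$POSTED_NAT"
report_chain "fixed rules" "$FIXED_NAT"
```

On a real box, pipe access.log into find_loops and the output of iptables -t nat -S PREROUTING into nat_exempts_proxy, run on whichever host actually holds the REDIRECT or DNAT rules. The check encodes Amos's point: an ACCEPT in the mangle table only decides whether the packet gets MARKed, so the exemption for the proxy's own traffic has to sit in the nat table, before the REDIRECT, to have any effect.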



