On 12/09/19 9:53 pm, sknz wrote:
> Hello,
>
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377788/test.png>
>
> eth0 is for WAN and eth1 is for LAN side.
>
> And more detailed firewall settings:
>
> # Generated by iptables-save v1.4.21 on Thu Sep 12 15:46:58 2019
> *nat
> :PREROUTING ACCEPT [3911:298328]
> :INPUT ACCEPT [384:30494]
> :OUTPUT ACCEPT [273:20568]
> :POSTROUTING ACCEPT [13:3456]
> -A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

There are two suspect things about this rule.

1) The port here does not match the port 3129 you mentioned earlier as having the intercept flag. Those two must be the same. Avoiding port 3128 in these things is a good idea; it is well-known and registered for other uses.

2) The interface here is tun0, but you said eth1 is your LAN side. You do not technically need the interface name in this rule; it is just an extra protection against spoofed IPs coming from the WAN. I would try without the -i option. If that works, then you can test which interface is needed to continue working when the -i is added back.

> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Thu Sep 12 15:46:58 2019
> # Generated by iptables-save v1.4.21 on Thu Sep 12 15:46:58 2019
> *mangle
> :PREROUTING ACCEPT [10761:3310565]
> :INPUT ACCEPT [3211:587384]
> :FORWARD ACCEPT [6306:2611786]
> :OUTPUT ACCEPT [2279:577020]
> :POSTROUTING ACCEPT [5283:2937872]
> -A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3128 -j DROP

The above rule is dropping access to your proxy port 3128, which is the forward-proxy port for clients configured properly to use the proxy, error page icons, and other things needing direct client<->proxy contact.

The recommended mangle table rule to protect the proxy intercept port would be just:

  -A PREROUTING -p tcp -m tcp --dport 3129 -j DROP

So the proxy is protected from all traffic, even from localhost or outside your network.

> # Completed on Thu Sep 12 15:46:58 2019
> # Generated by iptables-save v1.4.21 on Thu Sep 12 15:46:58 2019
> *filter
> :INPUT ACCEPT [1989:462678]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2279:577020]
> -A INPUT -i eth1 -j DROP
> -A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
> -A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT

If you need this rule to get traffic to "http_port 3128", then you probably also need one for the "http_port 3129 intercept".

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
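The layout the reply above describes (one forward-proxy port, one separate intercept port, REDIRECT pointing at the intercept port, a mangle DROP guarding the intercept port, and INPUT accepts for both ports), assembled as a script you can read and diff before applying. This is an added example, not code from the thread or from the Squid project. The subnet, proxy address and eth0 are taken from the posted dump; eth1 as the LAN interface is an assumption (the posted rules used tun0), and the port numbers follow the reply's advice to keep 3128 for explicit clients and 3129 for intercept.

```sh
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project.
# Renders (and, only on request, applies) a proxy port/firewall layout in
# which the REDIRECT target, the mangle DROP and the INPUT accepts all agree
# on which port is the intercept port.
set -eu

# Assumed values for this example; edit to match the box. eth1 as the LAN
# interface is an assumption (the posted rules used tun0).
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=10.1.0.0/24
PROXY_IP=10.1.0.1
FWD_PORT=3128     # explicit (configured) clients, error-page icons, etc.
ICEPT_PORT=3129   # intercepted traffic only; must differ from FWD_PORT

# Guard against the mismatch in the original post: the REDIRECT target and
# the "intercept" http_port must be the same number, and not 3128.
ports_are_sane() {
  [ "$FWD_PORT" -ne "$ICEPT_PORT" ] && [ "$ICEPT_PORT" -ne 3128 ]
}

# squid.conf lines the rules below rely on: one port per role.
render_squid_ports() {
  cat <<EOF
http_port ${PROXY_IP}:${FWD_PORT}
http_port ${PROXY_IP}:${ICEPT_PORT} intercept
EOF
}

# iptables commands, one per line, in the order they should be added.
# Hook order matters: mangle PREROUTING runs before nat PREROUTING, so the
# DROP only sees packets that arrived with dport 3129 (something talking to
# the intercept port directly, from anywhere). Intercepted packets arrive
# with dport 80, are rewritten to 3129 afterwards, and then reach filter
# INPUT, which is why INPUT needs an ACCEPT for 3129 as well as for 3128.
# The "-i LAN_IF" on the REDIRECT is optional anti-spoofing; drop it while
# testing if interception does not kick in, then add it back.
# These ACCEPTs must precede any blanket "-A INPUT -i LAN_IF -j DROP".
render_rules() {
  cat <<EOF
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport ${ICEPT_PORT} -j DROP
iptables -t nat -A PREROUTING -i ${LAN_IF} -s ${LAN_NET} ! -d ${PROXY_IP}/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports ${ICEPT_PORT}
iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
iptables -A INPUT -i ${LAN_IF} -d ${PROXY_IP}/32 -p tcp -m tcp --dport ${FWD_PORT} -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -d ${PROXY_IP}/32 -p tcp -m tcp --dport ${ICEPT_PORT} -j ACCEPT
EOF
}

# Run the rendered commands. Needs root; only called with --apply.
apply_rules() {
  render_rules | while IFS= read -r cmd; do
    $cmd
  done
}

case "${1:-}" in
  --apply)
    ports_are_sane || { echo "port layout is wrong, refusing to apply" >&2; exit 1; }
    apply_rules
    ;;
  *)
    render_squid_ports
    echo
    render_rules
    ;;
esac
```

Run it with no arguments to see the squid.conf lines and the iptables commands it would issue; run it as root with `--apply` to add them. The mangle DROP deliberately has no source or interface match, so direct connections to the intercept port are refused whether they come from the LAN, the WAN or localhost, while the forward-proxy port stays reachable for explicitly configured clients.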