Re: intercept vs. accel vhost allow-direct

On 13.09.19 03:12, sknz wrote:
> For clarification, I'm running an AP-Hotspot server (coovachilli, freeradius,
> squid, etc.) with two NICs (eth0 and eth1). eth0 is for WAN (internet) and eth1
> is for managing the LAN (APs). Coovachilli creates tun0 under the eth1
> interface. I'm using squid-3.4.8 as an HTTP transparent proxy.

you still don't accept nor NAT connections from eth0 to port 80 in the world.

you only do that with tunneled connections.

> # This is my updated squid.conf per your suggestion, 3129 for forward-proxy
> and 3130 for intercepting HTTP:
> http_port 3129
> http_port 3130 intercept

I really wonder why you didn't keep 3128 for the forward proxy as before.
People using the explicit proxy on port 3128 wouldn't have to change it.

The intercepting port doesn't matter much, because it's only between
firewall/NAT and squid, users won't see it.

> I've tried removing all "-i" options and updating the mangle rules in iptables
> per your suggestion; no effect. I've also opened the intercept port.
> This is my original iptables with adjusted rules:
>
> #nat
> -A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3130    #redirect http to squid intercept port
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> #mangle
> -A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3130 -j DROP    #drop direct attempts to proxy intercept port

don't you drop all connections that should be natted to 3130 here?
Try dropping this rule.

> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> #filters
> -A INPUT -i eth1 -j DROP

I wonder whether you can communicate with the LAN at all, when you drop anything coming from it.

> -A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
> -A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3130 -j ACCEPT    #squid intercept
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3129 -j ACCEPT    #squid forward
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT    #chilli controller
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 2812 -j ACCEPT    #freeradius
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT    #https
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT    #http
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 4990 -j ACCEPT    #hotspot UAM
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
> -A FORWARD -i tun0 -o eth0 -j ACCEPT
> -A FORWARD -i tun0 ! -o eth0 -j DROP
> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> -A FORWARD -o tun0 -j ACCEPT
> -A FORWARD -i tun0 -j ACCEPT
> -A FORWARD -o eth1 -j DROP
> -A FORWARD -i eth1 -j DROP

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
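The question of what the mangle DROP rule actually matches can be checked against netfilter's hook order: mangle PREROUTING is evaluated before nat PREROUTING, so the REDIRECT has not yet rewritten the destination when that rule is tested, and a packet from tun0 never hits the `-i eth1` INPUT rule. The following is an added example, not code from the thread: a small Python model of that traversal loaded with the rules quoted above. The client address 10.1.0.50 and the server address 198.51.100.7 are constructed; chain policies are assumed to be ACCEPT.

```python
from collections import namedtuple
import ipaddress

# Hypothetical mini-model of netfilter traversal for a locally delivered packet:
# mangle PREROUTING -> nat PREROUTING -> (routing) -> filter INPUT.
Pkt = namedtuple("Pkt", "iface src dst proto dport")

def rule(jump, iface=None, src=None, dst=None, not_dst=None, proto=None, dport=None):
    """Build (matcher, target) for the subset of iptables matches the quoted rules use."""
    def within(addr, net):
        return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
    def match(p):
        return ((iface is None or p.iface == iface) and within(p.src, src)
                and within(p.dst, dst) and (not_dst is None or not within(p.dst, not_dst))
                and (proto is None or p.proto == proto) and (dport is None or p.dport == dport))
    return match, jump

BOX = "10.1.0.1"
# The rules quoted in the thread (chain policies assumed ACCEPT).
MANGLE_PREROUTING = [rule("DROP", src="10.1.0.0/24", dst=BOX, proto="tcp", dport=3130)]
NAT_PREROUTING = [rule(("REDIRECT", 3130), iface="tun0", src="10.1.0.0/24",
                       not_dst=BOX, proto="tcp", dport=80)]
FILTER_INPUT = [rule("DROP", iface="eth1"),
                rule("ACCEPT", iface="tun0", dst=BOX, proto="tcp", dport=3130),
                rule("ACCEPT", iface="tun0", dst=BOX, proto="tcp", dport=3129),
                rule("ACCEPT", iface="tun0", dst=BOX, proto="tcp", dport=80),
                rule("DROP", iface="tun0", dst=BOX)]

def walk(chain, pkt):
    for match, jump in chain:
        if match(pkt):
            return jump
    return "ACCEPT"                              # chain policy

def trace(pkt):
    """Return (verdict, where it was decided, dport as the local stack sees it)."""
    if walk(MANGLE_PREROUTING, pkt) == "DROP":   # evaluated before any REDIRECT
        return "DROP", "mangle PREROUTING", pkt.dport
    target = walk(NAT_PREROUTING, pkt)
    if isinstance(target, tuple):                # REDIRECT: dst becomes the box, new dport
        pkt = pkt._replace(dst=BOX, dport=target[1])
    if pkt.dst != BOX:
        return "FORWARD", "routing", pkt.dport   # not for us; FORWARD chain not modelled
    return walk(FILTER_INPUT, pkt), "filter INPUT", pkt.dport

if __name__ == "__main__":
    # Constructed addresses; 198.51.100.7 is from a documentation range.
    print(trace(Pkt("tun0", "10.1.0.50", "198.51.100.7", "tcp", 80)))  # redirected, accepted
    print(trace(Pkt("tun0", "10.1.0.50", BOX, "tcp", 3130)))           # direct attempt, dropped
```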