Hi,

I'm having a squid 4.10 on Debian 10 running (with strongswan VPN) and ufw firewall (iptables). Most is running fine but I still see some errors and I somehow miss here what I'm doing wrong. So if someone has suggestions that would be great.

I see for example these lines in the UFW log.

Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762249] [UFW AUDIT INVALID] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762308] [UFW BLOCK] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0

Now, strange thing here is I'm allowing my traffic on my LAN interface fully, so I don't see/get why I get these INVALID/BLOCK. I'm out of ideas, I looked too much at it, I don't see it anymore.. :-(

The needed parts of my squid and iptables (ufw) setup.

ETH0 = LAN 192.168.0.1.0/24 (ip: 192.168.0.1.1/24)
ETH1 = WAN 1.2.4.4/32

The squid part

# From squid cache.log the needed lines from a start of squid with the lines from squid.conf

# http_port localhost:3128 connection-auth=off
2020/02/10 11:44:13 kid1| Accepting HTTP Socket connections at local=[::1]:3128 remote=[::] FD 17 flags=1
# all requests for and on localhost are trusted, so fully allowed without authentication.

# http_port 192.168.249.221:3128 intercept (no authentication possible on intercept)
2020/02/10 11:44:13 kid1| Accepting NAT intercepted HTTP Socket connections at local=192.168.0.1.1:3128 remote=[::] FD 21 flags=33

# https_port 192.168.249.221:3129 intercept ssl-bump \ .. (plus the cert - key parts, not relevant, this works).
2020/02/10 11:44:13 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=192.168.0.1.1:3129 remote=[::] FD 25 flags=33

# Non-proxy aware (with authentication)
# http_port 192.168.249.221:8080
2020/02/10 11:44:13 kid1| Accepting HTTP Socket connections at local=192.168.0.1.1:8080 remote=[::] FD 29 flags=1

# http_port 192.168.249.221:8081 ssl-bump \ .. (plus the cert - key parts, not relevant, this works).
2020/02/10 11:44:13 kid1| Accepting SSL bumped HTTP Socket connections at local=192.168.0.1.1:8081 remote=[::] FD 37 flags=1

The iptables (ufw) part

# Generated by xtables-save v1.8.2 on Mon Feb 10 15:16:26 2020
*filter
:INPUT DROP [213:54000]
:FORWARD ACCEPT [704:28436]
:OUTPUT ACCEPT [57:19155]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-reject-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-not-local - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -s 10.1.2.00/24 -d 192.168.0.1.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.1.0/24 -d 10.1.2.00/24 -o eth1 -m policy --dir out --pol ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -s 192.168.0.1.0/24 -m policy --dir in --pol ipsec --proto esp -m comment --comment "IN Strongswan-IpsecPol" -j ACCEPT
-A ufw-before-forward -d 192.168.0.1.0/24 -m policy --dir out --pol ipsec --proto esp -m comment --comment "OUT Strongswan-IpsecPol" -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-user-input -s 192.168.0.1.0/24 -j ACCEPT
-A ufw-user-input -i eth1 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A ufw-user-input -d 1.2.4.4/32 -i eth1 -p esp -j ACCEPT
-A ufw-user-input -d 1.2.4.4/32 -i eth1 -p ah -j ACCEPT
-A ufw-user-input -i eth0 -p udp -m multiport --dports 80,443 -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Mon Feb 10 15:16:26 2020
# Generated by xtables-save v1.8.2 on Mon Feb 10 15:16:26 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -m comment --comment "Squid-Intercept 443->3129" -j REDIRECT --to-ports 3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -m comment --comment "Squid-Intercept 80->3128" -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.1.0/24 -o eth1 -m policy --dir out --pol ipsec -m comment --comment "StrongSwan-IpsecPol-Masq eth1 " -j ACCEPT
-A POSTROUTING -s 192.168.0.1.0/24 -o eth1 -m comment --comment "IP-Masq Lan via eth1" -j MASQUERADE
COMMIT
# Completed on Mon Feb 10 15:16:26 2020
# Generated by xtables-save v1.8.2 on Mon Feb 10 15:16:26 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -s 192.168.0.1.0/24 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -m comment --comment "Strongswan-IpsecPol Lower MTU" -j TCPMSS --set-mss 1360
COMMIT
# Completed on Mon Feb 10 15:16:26 2020

Thanks for looking at it.. I hope someone sees what I'm doing wrong here..

Greetz,
Louis

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
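The two log lines in the post are a good test case for triaging UFW logs, so here is an added example (editor's code, not from the post, from ufw or from squid) that parses the kernel log format shown above. It pairs the [UFW AUDIT INVALID] and [UFW BLOCK] entries that the ufw-logging-deny chain writes for one and the same packet (same IP ID, addresses and ports, consecutive timestamps), and labels a TCP packet carrying RST but no SYN as a conntrack INVALID drop. In the ruleset above that drop happens in ufw-before-input, before the jump to ufw-user-input where the LAN-wide ACCEPT sits, which is why an allow rule for the whole subnet does not stop these entries. The third sample line (a SYN logged by the [UFW AUDIT] NEW-connection rule) is constructed for the example and is not from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# First two lines are the ones quoted in the post; the third is constructed
# to show what a normal NEW connection (SYN) looks like under the [UFW AUDIT] rule.
SAMPLE_LOG = """\
Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762249] [UFW AUDIT INVALID] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 10 15:42:21 rtd-proxy1 kernel: [14315.762308] [UFW BLOCK] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=22171 DF PROTO=TCP SPT=52273 DPT=8080 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 10 15:43:02 rtd-proxy1 kernel: [14356.000001] [UFW AUDIT] IN=eth0 OUT= MAC=56:30:b7:fd:da:24:84:2b:2b:90:a5:f1:08:00 SRC=192.168.0.101 DST=192.168.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=22180 DF PROTO=TCP SPT=52280 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# The log prefix ufw sets with --log-prefix, e.g. "[UFW AUDIT INVALID] ".
PREFIX_RE = re.compile(r"\[UFW ([A-Z ]+)\]")
# Bare TCP flag tokens the kernel LOG target emits after RES=.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass
class UfwEvent:
    prefix: str            # "AUDIT INVALID", "BLOCK", "ALLOW", "AUDIT", ...
    fields: Dict[str, str]  # KEY=VALUE pairs: IN, OUT, SRC, DST, PROTO, SPT, DPT, ID, ...
    flags: Set[str]        # TCP flags present on the packet


def parse_ufw_line(line: str) -> Optional[UfwEvent]:
    """Parse one kernel/ufw log line; return None for lines without a UFW prefix."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in line[m.end():].split():
        if "=" in tok:
            key, _, value = tok.partition("=")   # "OUT=" yields an empty value
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        # other bare tokens such as DF/MF are not needed here
    return UfwEvent(m.group(1), fields, flags)


def classify(ev: UfwEvent) -> str:
    """Explain an event in terms of the chains in the ruleset quoted in the post."""
    if ev.prefix == "AUDIT INVALID":
        if ev.fields.get("PROTO") == "TCP" and "RST" in ev.flags and "SYN" not in ev.flags:
            return ("conntrack INVALID: RST for a flow conntrack is not tracking; "
                    "dropped in ufw-before-input before ufw-user-input is consulted")
        return "conntrack INVALID: packet matches no tracked connection"
    if ev.prefix == "BLOCK":
        return "dropped (ufw-logging-deny or the INPUT DROP policy via ufw-after-logging-input)"
    if ev.prefix == "AUDIT":
        return "NEW connection seen (audit log only, not a drop)"
    if ev.prefix == "ALLOW":
        return "accepted"
    return "unknown prefix"


def packet_key(ev: UfwEvent) -> Tuple[str, ...]:
    """Identify one IP packet: IP ID plus addresses and ports."""
    f = ev.fields
    return (f.get("ID", ""), f.get("SRC", ""), f.get("DST", ""), f.get("SPT", ""), f.get("DPT", ""))


def summarize(log_text: str) -> List[dict]:
    """Collapse log lines that refer to the same packet into one record each.

    A packet hitting ufw-logging-deny is logged twice (AUDIT INVALID, then BLOCK),
    so grouping by packet_key shows the pair as a single event with two prefixes.
    """
    packets: Dict[Tuple[str, ...], dict] = {}
    order: List[Tuple[str, ...]] = []
    for line in log_text.splitlines():
        ev = parse_ufw_line(line)
        if ev is None:
            continue
        key = packet_key(ev)
        if key not in packets:
            packets[key] = {
                "key": key,
                "in": ev.fields.get("IN"),
                "flags": sorted(ev.flags),
                "prefixes": [],
                "diagnosis": classify(ev),   # based on the first log line for the packet
            }
            order.append(key)
        packets[key]["prefixes"].append(ev.prefix)
    return [packets[k] for k in order]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        ident, src, dst, spt, dpt = rec["key"]
        print(f"{src}:{spt} -> {dst}:{dpt} id={ident} in={rec['in']} flags={rec['flags']}")
        print(f"  logged as: {' + '.join(rec['prefixes'])}")
        print(f"  {rec['diagnosis']}")
```

Run it against /var/log/ufw.log (or journalctl -k output) to see which [UFW BLOCK] entries are really conntrack INVALID drops of the same packet, and which come from the INPUT DROP policy at the end of the chain walk; the two cases need different fixes.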