Let me try one more time.
Here is my system configuration:
{HW-Box} --> Local Server{ (eth0[port 444]) -----+
|
+-----------------------------------------------------+
|
|
+-----> ([3129] Transparent Squid proxy) ---> (eth1[port443]) }--+
|
+------------------------------------------------------- ---+
|
+->--{ INTERNET Server }
The setup and the problem:
- The HW box tries to establish an HTTPS transparent connection with a server located within Internet.
- It uses the Local Server and send its request via eth0 interface.
- The request is Pre-routed from eth0, port 443, to the Transparent Squid proxy (v3.5.25), listening at port 3129.
- For testing purposes, the Squid proxy is configured to pass only the HTTPS traffic transparently via the eth1 interface, using sing the `tcp_outgoing_address <ip_addr>` directive. Please see the squid-ota.conf file content below.
- While testing, I am monitoring the eth1 output via tcpdump and I get the following:
# tcpdump -i eth1 port 443 -n -X -q -w tcp_dump_24
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
1 packet received by filter
0 packets dropped by kernel
3 packets dropped by interface
- But nothing is detected!?
- From the above it appears that there is no eth1 output at port 443?
I have included the printouts of the `iptables -nvL` and `iptables -nvL -t nat` commands.
Can someone tell me what I have done wrong here and perhaps suggest a solution?
Cheers,
Bud
=========================
Squid configuration file:
# 1) Visible hostname
visible_hostname ctct-r2
# 2) Initialize SSL database first
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
# 3) Listen to incoming HTTP traffic
http_port 3128
# 4) Block all HTTP traffic
http_access deny all
# 5) Listen for incoming HTTPS traffic and intercept it
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# 6) Pass the SSL (HTTPS) traffic trasparently throught
ssl_bump splice all
# Do not use caching
# cache_dir ufs /var/volatile/log/squid/logs 100 16 256
# 7) Send out all HTTPS traffic to destination server via given IP address
tcp_outgoing_address 10.3.19.92
===============================================
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8827 680K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7 438 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 ctstate NEW
2 138 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1218K 299M APP_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
1218K 299M OS_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
134 28053 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
14014 841K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- wlan1 wlan1 0.0.0.0/0 0.0.0.0/0
9 559 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
Chain OUTPUT (policy ACCEPT 39073 packets, 2757K bytes)
pkts bytes target prot opt in out source destination
125 11932 ACCEPT all -- * * 10.3.19.92 0.0.0.0/0
Chain APP_RULES (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain DEV_RULES (2 references)
pkts bytes target prot opt in out source destination
5 300 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1534
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2345
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1534
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2345
Chain EXTERNAL_RULES (2 references)
pkts bytes target prot opt in out source destination
1190K 298M DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INTERNAL_RULES (2 references)
pkts bytes target prot opt in out source destination
13930 794K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
8 2540 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
1 328 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain OS_RULES (1 references)
pkts bytes target prot opt in out source destination
28092 1666K DEV_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DEV_RULES all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
28087 1666K INTERNAL_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 INTERNAL_RULES all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
1190K 298M EXTERNAL_RULES all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 EXTERNAL_RULES all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
=====================================================
iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1234K packets, 306M bytes)
pkts bytes target prot opt in out source destination
96 5760 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 3129
13943 837K REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain INPUT (policy ACCEPT 13972 packets, 798K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 62 packets, 4650 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 14103 packets, 566K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth1 192.168.168.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * eth1 192.168.192.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * wlan0 192.168.168.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * wlan0 192.168.192.0/24 0.0.0.0/0
==================================================
- The HW box tries to establish an HTTPS transparent connection with a server located within Internet.
- It uses the Local Server and send its request via eth0 interface.
- The request is Pre-routed from eth0, port 443, to the Transparent Squid proxy (v3.5.25), listening at port 3129.
- For testing purposes, the Squid proxy is configured to pass only the HTTPS traffic transparently via the eth1 interface, using sing the `tcp_outgoing_address <ip_addr>` directive. Please see the squid-ota.conf file content below.
- While testing, I am monitoring the eth1 output via tcpdump and I get the following:
# tcpdump -i eth1 port 443 -n -X -q -w tcp_dump_24
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
1 packet received by filter
0 packets dropped by kernel
3 packets dropped by interface
- But nothing is detected!?
- From the above it appears that there is no eth1 output at port 443?
I have included the printouts of the `iptables -nvL` and `iptables -nvL -t nat` commands.
Can someone tell me what I have done wrong here and perhaps suggest a solution?
Cheers,
Bud
=========================
Squid configuration file:
# 1) Visible hostname
visible_hostname ctct-r2
# 2) Initialize SSL database first
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
# 3) Listen to incoming HTTP traffic
http_port 3128
# 4) Block all HTTP traffic
http_access deny all
# 5) Listen for incoming HTTPS traffic and intercept it
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# 6) Pass the SSL (HTTPS) traffic trasparently throught
ssl_bump splice all
# Do not use caching
# cache_dir ufs /var/volatile/log/squid/logs 100 16 256
# 7) Send out all HTTPS traffic to destination server via given IP address
tcp_outgoing_address 10.3.19.92
===============================================
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8827 680K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7 438 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 ctstate NEW
2 138 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1218K 299M APP_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
1218K 299M OS_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
134 28053 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
14014 841K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- wlan1 wlan1 0.0.0.0/0 0.0.0.0/0
9 559 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
Chain OUTPUT (policy ACCEPT 39073 packets, 2757K bytes)
pkts bytes target prot opt in out source destination
125 11932 ACCEPT all -- * * 10.3.19.92 0.0.0.0/0
Chain APP_RULES (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain DEV_RULES (2 references)
pkts bytes target prot opt in out source destination
5 300 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1534
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2345
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1534
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2345
Chain EXTERNAL_RULES (2 references)
pkts bytes target prot opt in out source destination
1190K 298M DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INTERNAL_RULES (2 references)
pkts bytes target prot opt in out source destination
13930 794K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
8 2540 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
1 328 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain OS_RULES (1 references)
pkts bytes target prot opt in out source destination
28092 1666K DEV_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DEV_RULES all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
28087 1666K INTERNAL_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 INTERNAL_RULES all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
1190K 298M EXTERNAL_RULES all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 EXTERNAL_RULES all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
=====================================================
iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1234K packets, 306M bytes)
pkts bytes target prot opt in out source destination
96 5760 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 3129
13943 837K REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain INPUT (policy ACCEPT 13972 packets, 798K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 62 packets, 4650 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 14103 packets, 566K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth1 192.168.168.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * eth1 192.168.192.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * wlan0 192.168.168.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * wlan0 192.168.192.0/24 0.0.0.0/0
==================================================
--
Budimir Miljković BSc E | He
Senior Development Engineer
Civil Construction Field Systems
Trimble
11-17 Birmingham Drive, Christchurch, Canterbury, 8024
New Zealand
+64 3 963-5550 Direct
+64 21 419-024 Mobile
www.trimble.com
This email may contain confidential information that is intended only for the listed recipient(s) of this email. Any unauthorized review, use, disclosure or distribution is prohibited. If you believe you have received this email in error, please immediately delete this email and any attachments, and inform me via reply email.
Senior Development Engineer
Civil Construction Field Systems
Trimble
11-17 Birmingham Drive, Christchurch, Canterbury, 8024
New Zealand
+64 3 963-5550 Direct
+64 21 419-024 Mobile
www.trimble.com
This email may contain confidential information that is intended only for the listed recipient(s) of this email. Any unauthorized review, use, disclosure or distribution is prohibited. If you believe you have received this email in error, please immediately delete this email and any attachments, and inform me via reply email.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users
