I have now made some changes based on suggestions from the community and would like a second look from the more experienced people.
Here is my squid configuration file:
```
visible_hostname ctct-r2
# 2) Initialize SSL database first
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
# 3) An ACL named 'whitelist'
acl whitelist dstdomain '/etc/squid/whitelist.ota'
# 4) Allow whitelisted URLs through
http_access allow whitelist
# 5) Listen to incoming HTTP traffic
http_port 3128
# 6) Block the rest
http_access deny all
# 7) Listen for incoming HTTPS traffic and intercept it
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# 8) Pass the SSL (HTTPS) traffic transparently through
ssl_bump splice all
# 9) Send out all HTTPS traffic to destination server via given IP address
tcp_outgoing_address 10.3.19.150
```
And here are the iptables' settings:
NAT table:
```
# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 9094 packets, 1823K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.3.19.150 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 10.3.19.150 0.0.0.0/0 tcp dpt:443
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 3129
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain INPUT (policy ACCEPT 1 packets, 70 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 9 packets, 627 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 9 packets, 627 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth1 192.168.168.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * eth1 192.168.192.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * wlan0 192.168.168.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * wlan0 192.168.192.0/24 0.0.0.0/0
```
Mangle table:
```
# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 12117 packets, 2382K bytes)
pkts bytes target prot opt in out source destination
16 960 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain INPUT (policy ACCEPT 11861 packets, 2319K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 451 packets, 47694 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 451 packets, 47694 bytes)
pkts bytes target prot opt in out source destination
```
Routing table:
```
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3843 304K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 59 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 ctstate NEW
33 2285 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
91160 17M APP_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
91160 17M OS_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
15 3195 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
75 4508 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- wlan1 wlan1 0.0.0.0/0 0.0.0.0/0
7 739 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
Chain OUTPUT (policy ACCEPT 523 packets, 54506 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * eth1 10.3.19.150 0.0.0.0/0 <<<--------------
Chain APP_RULES (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain DEV_RULES (2 references)
pkts bytes target prot opt in out source destination
6 360 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1534
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2345
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1534
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2345
Chain EXTERNAL_RULES (2 references)
pkts bytes target prot opt in out source destination
90961 17M DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INTERNAL_RULES (2 references)
pkts bytes target prot opt in out source destination
95 5676 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
5 1592 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
1 328 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain OS_RULES (1 references)
pkts bytes target prot opt in out source destination
199 15779 DEV_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DEV_RULES all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
193 15419 INTERNAL_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 INTERNAL_RULES all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
90961 17M EXTERNAL_RULES all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 EXTERNAL_RULES all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
```
I am now getting something close to my testing expectation, but there are problems like the following:
```
15:05:58.464105 IP (tos 0x0, ttl 64, id 33640, offset 0, flags [DF], proto UDP (17), length 70)
10.3.19.150.55834 > 10.3.30.20.domain: [udp sum ok] 31312+ A? api.globalota.limios.net. (42)
....
15:05:58.810877 IP (tos 0xc0, ttl 64, id 32951, offset 0, flags [none], proto ICMP (1), length 209)
10.3.19.150 > 10.3.0.124: ICMP 10.3.19.150 udp port 55834 unreachable, length 189
```
------------------------------------- Any hint would be appreciated --------------------
Also, there is a configuration in the chain OUTPUT policy marked with the "<<<-------------" string above,
which I am not sure about.
Cheers,
Buda
--
11-17 Birmingham Drive, Christchurch, Canterbury, 8024
New Zealand
+64 3 963-5550 Direct
+64 21 419-024 Mobile
www.trimble.com
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users
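The mangle and nat listings in the message above are traversed by the kernel in a fixed order for an incoming packet (raw, then mangle, then nat in the PREROUTING hook), so which rule "wins" depends on reading the tables together rather than one at a time. The following Python script is an added example, not part of the post and not iptables or Squid code: it parses the `iptables -nvL` text format and replays PREROUTING for a given packet, using the post's own mangle and nat PREROUTING rules as its sample input. The client address 192.168.168.10 and the interface names passed in are assumed for illustration.

```python
"""Replay the PREROUTING hook over parsed `iptables -nvL` listings.

Added example for the firewall listings in the post; it is not part of the
post and is not iptables or Squid code. SAMPLE holds the post's own mangle
and nat PREROUTING output, embedded here as constructed input.
"""
import ipaddress
import re
from dataclasses import dataclass

# Tables a packet traverses in the PREROUTING hook, in kernel order.
PREROUTING_ORDER = ("raw", "mangle", "nat")

SAMPLE = {
    "mangle": """\
Chain PREROUTING (policy ACCEPT 12117 packets, 2382K bytes)
pkts bytes target prot opt in out source destination
16 960 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain INPUT (policy ACCEPT 11861 packets, 2319K bytes)
pkts bytes target prot opt in out source destination
""",
    "nat": """\
Chain PREROUTING (policy ACCEPT 9094 packets, 1823K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.3.19.150 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 10.3.19.150 0.0.0.0/0 tcp dpt:443
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 3129
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain INPUT (policy ACCEPT 1 packets, 70 bytes)
pkts bytes target prot opt in out source destination
""",
}

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# Columns: pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(
    r"^(\d+)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
# Targets that end traversal of the current chain once they match.
TERMINATING = {"DROP", "REJECT", "ACCEPT", "REDIRECT", "DNAT", "MASQUERADE"}


@dataclass
class Rule:
    table: str
    chain: str
    pkts: int
    target: str
    prot: str
    in_if: str
    src: str
    dst: str
    extra: str

    def matches(self, proto: str, in_if: str, src: str, dport: int) -> bool:
        """Does a new packet with these properties hit this rule?"""
        if self.prot not in ("all", proto):
            return False
        if self.in_if not in ("*", in_if):
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        m = re.search(r"dpt:(\d+)", self.extra)
        return m is None or int(m.group(1)) == dport


def parse_table(table: str, text: str) -> list:
    """Turn one `iptables -nvL -t <table>` listing into Rule objects."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and chain:
            pkts, target, prot, in_if, _out_if, src, dst, extra = m.groups()
            rules.append(Rule(table, chain, int(pkts), target, prot, in_if, src, dst, extra))
    return rules


def prerouting_path(tables: dict, proto: str, in_if: str, src: str, dport: int) -> list:
    """Rules a new packet meets in PREROUTING, as (table, target, pkts) tuples.

    The first matching terminating rule ends that table's chain; DROP/REJECT
    end traversal altogether, because later tables never see the packet.
    """
    path = []
    for table in PREROUTING_ORDER:
        for rule in parse_table(table, tables.get(table, "")):
            if rule.chain != "PREROUTING" or not rule.matches(proto, in_if, src, dport):
                continue
            path.append((table, rule.target, rule.pkts))
            if rule.target in ("DROP", "REJECT"):
                return path
            if rule.target in TERMINATING:
                break
    return path


if __name__ == "__main__":
    # Assumed client address and ingress interface, for illustration only.
    for port in (80, 443):
        print(port, prerouting_path(SAMPLE, "tcp", "eth0", "192.168.168.10", port))
```

Run against the post's own rules, the replay shows a port-80 packet on eth0 reaching the nat REDIRECT to 3128, while a port-443 packet meets the mangle DROP (the rule with 16 hits) before the nat table is consulted, which is the kind of cross-table interaction a reviewer checks first when intercept counters stay at zero.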
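The capture excerpt in the message shows a DNS query sent to 10.3.30.20 followed by an ICMP port-unreachable that the proxy host sends to 10.3.0.124, which is consistent with a reply arriving from an address other than the one queried and therefore not matching an established conntrack entry. As an added example, not part of the post, the Python script below parses `tcpdump -v` lines in that format and flags every DNS query whose port-unreachable response names a different peer than the queried server; that is a check a defender runs to tell a misrouted or secondary resolver apart from spoofed answers. The sample lines are the post's own capture, embedded here as constructed input.

```python
"""Correlate DNS queries with ICMP port-unreachable messages in tcpdump -v output.

Added example for the capture excerpt in the post; not part of the post.
SAMPLE is the excerpt's own lines, embedded here as constructed input.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
15:05:58.464105 IP (tos 0x0, ttl 64, id 33640, offset 0, flags [DF], proto UDP (17), length 70)
10.3.19.150.55834 > 10.3.30.20.domain: [udp sum ok] 31312+ A? api.globalota.limios.net. (42)
15:05:58.810877 IP (tos 0xc0, ttl 64, id 32951, offset 0, flags [none], proto ICMP (1), length 209)
10.3.19.150 > 10.3.0.124: ICMP 10.3.19.150 udp port 55834 unreachable, length 189
"""

IP4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "client.sport > server.domain: [...] id+ TYPE? name. (len)"
QUERY_RE = re.compile(
    IP4 + r"\.(\d+) > " + IP4 + r"\.(?:domain|53): .*?(\d+)\+? (\S+)\? (\S+) \("
)
# "sender > peer: ICMP sender udp port N unreachable"
UNREACH_RE = re.compile(
    IP4 + r" > " + IP4 + r": ICMP " + IP4 + r" udp port (\d+) unreachable"
)


@dataclass
class Finding:
    client: str
    port: int
    name: str
    queried: str      # resolver the query was sent to
    answered_by: str  # host whose datagram was rejected on that port


def correlate(capture: str) -> list:
    """Return one Finding per DNS query answered from an unexpected address."""
    queries = {}  # (client, source port) -> (queried server, query name)
    findings = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            client, sport, server, _qid, _qtype, name = m.groups()
            queries[(client, int(sport))] = (server, name)
            continue
        m = UNREACH_RE.search(line)
        if m:
            sender, peer, _orig_dst, port = m.groups()
            key = (sender, int(port))
            if key in queries:
                server, name = queries[key]
                if server != peer:
                    findings.append(Finding(sender, int(port), name, server, peer))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f"{f.client}:{f.port} asked {f.queried} for {f.name}, "
              f"but a datagram from {f.answered_by} was rejected on that port")
```

The state is keyed on (client, source port), so the script also works on longer captures with many concurrent queries; an empty finding list means every rejected datagram came from the resolver that was actually queried, which points the investigation back at the firewall rather than at the DNS path.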