How to configure a transparent, pass-all, Squid proxy?

I am new to Squid and I'm trying to use it in a simple test case of a pass-all transparent proxy.

My configuration is: Web-browser->Local_Server{eth0/port-443->(Transparent Proxy)->port-443/eth1}->{Internet}

Squid version: 3.5.25

Below are the squid.conf file contents and the outputs of the iptables -nvL and iptables -nvL -t nat commands.

When Squid is running, I expect to be able to browse to all websites. However, access to all websites is blocked.

squid.conf file content:
# 1) Visible hostname
visible_hostname ctct-r2

# Debugging
debug_options ALL,1 33,2 28,9

# Enable log
access_log daemon:/var/log/squid/access.log squid

# 2) Initialize SSL database
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Do not use caching
# cache_dir ufs /var/volatile/log/squid/logs 100 16 256

# 3) Listen to incoming HTTP traffic
http_port 3128

# 4) Listen for incoming HTTPS traffic and intercept it
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# 5) Pass the SSL (HTTPS) traffic transparently through
ssl_bump splice all

# 6) Allow all HTTP traffic
http_access allow all

# 7) Send out all traffic to Internet via given IP address
tcp_outgoing_address 10.3.19.150
-----------

# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1467  121K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    59 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
83243   15M APP_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
83243   15M OS_RULES   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   15  3195 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   64  3840 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  wlan1  wlan1   0.0.0.0/0            0.0.0.0/0
    7   651 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable

Chain OUTPUT (policy ACCEPT 915 packets, 82175 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain APP_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain DEV_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1534
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2345
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1534
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2345

Chain EXTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
83158   15M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
    4   269 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain OS_RULES (1 references)
 pkts bytes target          prot opt in     out     source               destination
   85  7424 DEV_RULES       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DEV_RULES       all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
   83  7304 INTERNAL_RULES  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 INTERNAL_RULES  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
83158   15M EXTERNAL_RULES  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 EXTERNAL_RULES  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
------------------

# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 55227 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.3.19.150          0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       10.3.19.150          0.0.0.0/0            tcp dpt:443
   21  1260 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 4 packets, 508 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 532 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth1    192.168.168.0/24     0.0.0.0/0
    0     0 MASQUERADE all  --  *      eth1    192.168.192.0/24     0.0.0.0/0
    0     0 MASQUERADE all  --  *      wlan0   192.168.168.0/24     0.0.0.0/0
    0     0 MASQUERADE all  --  *      wlan0   192.168.192.0/24     0.0.0.0/0
   29  1372 MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0
--------------
--
Budimir Miljković BSc E | He
Senior Development Engineer
Civil Construction Field Systems
Trimble
 
11-17 Birmingham Drive, Christchurch, Canterbury, 8024
New Zealand
+64 3 963-5550 Direct
+64 21 419-024 Mobile

www.trimble.com

This email may contain confidential information that is intended only for the listed recipient(s) of this email. Any unauthorized review, use, disclosure or distribution is prohibited. If you believe you have received this email in error, please immediately delete this email and any attachments, and inform me via reply email.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
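The question above turns on a packet path rather than on squid.conf: a client connection that nat PREROUTING has redirected to port 3129 (or 3128) is then examined by the filter INPUT chain with that rewritten destination port. The following is an added example, written for this page and not code from the poster or from the Squid project, that transcribes the two posted rulesets into a small Python model and walks a constructed client SYN through PREROUTING and then INPUT, recording which rule decides it. It models only the matches the posted rules use (protocol, input interface, source, destination port, ctstate); counters, the FORWARD/OUTPUT chains and the MASQUERADE rules are left out. The client address 192.168.168.10 and the `allow_squid_ports` helper, which shows what changes if the two listener ports are admitted ahead of the REJECT rules, are assumptions of the example.

```python
"""Constructed model of the iptables rules posted above (filter INPUT and its
user chains, plus nat PREROUTING). Not iptables; only the match types the
posted rules actually use are implemented."""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def rule(target, proto="all", in_if="*", src=None, dport=None, ctstate=None):
    """One iptables rule; None / '*' / 'all' mean 'match anything'."""
    return {"target": target, "proto": proto, "in": in_if, "src": src,
            "dport": dport, "ctstate": set(ctstate.split(",")) if ctstate else None}


# filter table as posted: chain -> (policy, rules); user chains have no policy
FILTER = {
    "INPUT": ("DROP", [
        rule("ACCEPT", ctstate="RELATED,ESTABLISHED"),
        rule("ACCEPT", proto="icmp", ctstate="NEW"),
        rule("ACCEPT", in_if="lo"),
        rule("DROP", ctstate="INVALID"),
        rule("APP_RULES", ctstate="NEW"),
        rule("OS_RULES", ctstate="NEW"),
        rule("REJECT", proto="udp"),        # icmp-port-unreachable
        rule("REJECT", proto="tcp"),        # tcp-reset
        rule("REJECT"),                     # icmp-proto-unreachable
    ]),
    "APP_RULES": (None, [rule("ACCEPT", "tcp", "eth1", dport=p) for p in (20, 21, 80)]),
    "DEV_RULES": (None, [rule("ACCEPT", "tcp", dport=22),
                         rule("ACCEPT", "tcp", dport=1534), rule("ACCEPT", "tcp", dport=2345),
                         rule("ACCEPT", "udp", dport=1534), rule("ACCEPT", "udp", dport=2345)]),
    "EXTERNAL_RULES": (None, [rule("DROP")]),
    "INTERNAL_RULES": (None, [rule("ACCEPT", "udp", dport=53), rule("ACCEPT", "udp", dport=67),
                              rule("ACCEPT", "udp", dport=68), rule("ACCEPT", "tcp", dport=80)]),
    "OS_RULES": (None, [rule("DEV_RULES", in_if="eth0"), rule("DEV_RULES", in_if="wlan1"),
                        rule("INTERNAL_RULES", in_if="eth0"), rule("INTERNAL_RULES", in_if="wlan1"),
                        rule("EXTERNAL_RULES", in_if="eth1"), rule("EXTERNAL_RULES", in_if="wlan0")]),
}

# nat PREROUTING as posted: (rule, port to REDIRECT to, or None for ACCEPT)
NAT_PREROUTING = [
    (rule("ACCEPT", "tcp", src="10.3.19.150", dport=80), None),
    (rule("ACCEPT", "tcp", src="10.3.19.150", dport=443), None),
    (rule("REDIRECT", "tcp", "eth0", dport=443), 3129),
    (rule("REDIRECT", "tcp", "eth0", dport=80), 3128),
]


def matches(r, pkt):
    return ((r["proto"] == "all" or r["proto"] == pkt["proto"])
            and (r["in"] == "*" or r["in"] == pkt["in"])
            and (r["src"] is None or r["src"] == pkt["src"])
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (r["ctstate"] is None or pkt["ctstate"] in r["ctstate"]))


def walk(table, chain, pkt, trail):
    """First-match evaluation; a user chain that runs out of rules returns to its caller."""
    policy, rules = table[chain]
    for i, r in enumerate(rules, 1):
        if not matches(r, pkt):
            continue
        if r["target"] in TERMINAL:
            trail.append(f"{chain}#{i} -> {r['target']}")
            return r["target"]
        trail.append(f"{chain}#{i} -> jump {r['target']}")
        verdict = walk(table, r["target"], pkt, trail)
        if verdict is not None:
            return verdict
    if policy is not None:
        trail.append(f"{chain} policy -> {policy}")
    return policy  # None means implicit RETURN from a user chain


def nat_prerouting(pkt):
    """Apply the first matching PREROUTING rule; REDIRECT rewrites the destination port."""
    for r, port in NAT_PREROUTING:
        if matches(r, pkt):
            return dict(pkt, dport=port) if port else dict(pkt)
    return dict(pkt)


def input_verdict(pkt, table=FILTER):
    """nat PREROUTING runs before filter INPUT, so INPUT sees the rewritten dport.
    Returns (verdict, dport as seen by INPUT, list of rules visited)."""
    trail = []
    post_nat = nat_prerouting(pkt)
    return walk(table, "INPUT", post_nat, trail), post_nat["dport"], trail


def allow_squid_ports(table, ports=(3128, 3129)):
    """Assumed variant: copy of the table that accepts new TCP connections to the
    Squid listener ports on eth0, inserted in INPUT ahead of the REJECT rules."""
    policy, rules = table["INPUT"]
    extra = [rule("ACCEPT", "tcp", "eth0", dport=p, ctstate="NEW") for p in ports]
    idx = next(i for i, r in enumerate(rules) if r["target"] == "REJECT")
    return dict(table, INPUT=(policy, rules[:idx] + extra + rules[idx:]))


def syn(in_if, dport, src="192.168.168.10", proto="tcp"):
    """Constructed first packet of a new connection from a LAN client."""
    return {"proto": proto, "in": in_if, "src": src, "dport": dport, "ctstate": "NEW"}


if __name__ == "__main__":
    for table, label in ((FILTER, "as posted"), (allow_squid_ports(FILTER), "with 3128/3129 accepted")):
        for dport in (443, 80, 22):
            verdict, seen, trail = input_verdict(syn("eth0", dport), table)
            print(f"[{label}] eth0 tcp/{dport} (INPUT sees dport {seen}): {verdict}  via {' > '.join(trail)}")
```

Run as a script it prints one line per case. With the rules as posted, a new eth0 connection to 443 reaches INPUT with dport 3129; APP_RULES matches only eth1, DEV_RULES and INTERNAL_RULES (reached through OS_RULES for eth0) list neither 3129 nor 3128, and the walk ends at the tcp REJECT (tcp-reset) rule. The posted counters (21 packets on the REDIRECT rule, 64 on the tcp REJECT, none on the Squid-bound ACCEPT paths) are consistent with that path, though the model cannot prove they came from the same connections. The variant table shows that admitting the two listener ports on eth0 before the REJECT rules turns the same SYN into ACCEPT; an ssh SYN to eth0 is accepted either way through DEV_RULES, and a new connection arriving on eth1 falls into EXTERNAL_RULES and is dropped.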