Re: IPTABLES - Can't redirect HTTPS traffic to external Squid

Bolinhas André <andre.bolinhas@xxxxxxxxxxxxxx> · Tue, 30 Jul 2024 23:43:56 +0200

Hi

Do you mean user this
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination 172.31.0.1:25976
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination 172.31.0.1:52406

Instead this
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 25976
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 52406

?
Do I also need some kind of
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
?

Best regards
Sent from Nine
De: NgTech LTD <ngtech1ltd@xxxxxxxxx>
Enviado: terça-feira, 30 de julho de 2024 14:44
Para: Bolinhas André
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Assunto Re:  IPTABLES - Can't redirect HTTPS traffic to external Squid

Hey,
The dnat rule should be done on the squid itsef.

You will need to re-route the relevant traffic over the ipsec tunnel to the squid ip.

It's possible to do that over ipip or gre tunnels.
Eliezer 

בתאריך יום ג׳, 30 ביולי 2024, 15:41, מאת Bolinhas André ‏<andre.bolinhas@xxxxxxxxxxxxxx>:
I have a external proxy server connected by VPN (IPSEC) to my main branch, and i'm trying to redirect all users HTTP / HTTPS traffic to this proxy.
Scenario Users -> Gateway (Main Branch) -> IPSEC -> Squid Proxy (transparent mode)
In my Gateway (Main Branch) I have this test iptables rule, that is forwarding all the TPC / UDP traffic to the Proxy server.
iptables -t nat -I PREROUTING -s 192.168.60.90 -p tcp -j DNAT --to-destination 172.31.0.1
iptables -t nat -I PREROUTING -s 192.168.60.90 -p udp -j DNAT --to-destination 172.31.0.1
In Squidd Proxy server I have the followed rules
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8081
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8080
Everything is working correctly, HTTP traffic is ok, DNS are also working, the only exeption is the HTTPS traffic, I can see the HTTPS traffic inside the squid access.log but on client side I got a timeout
1722265740.867      1 192.168.60.90 TCP_TUNNEL/200 0 CONNECT cnn.com:443 - HIER_DIRECT/51.210.183.2:443 - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"
Anyone can help me to understant if I'm missing so iptable rule to handle the HTTPS traffic?

Sent from Nine
_______________________________________________

squid-users mailing list

squid-users@xxxxxxxxxxxxxxxxxxxxx

https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

Follow-Ups:

Re:  IPTABLES - Can't redirect HTTPS traffic to external Squid
From: NgTech LTD

Prev by Date:
Parse DNS for IPv4 and IPv6

Next by Date:
Re:  IPTABLES - Can't redirect HTTPS traffic to external Squid

Previous by thread:
Re:  IPTABLES - Can't redirect HTTPS traffic to external Squid

Next by thread:
Re:  IPTABLES - Can't redirect HTTPS traffic to external Squid

Index(es):

Date
Thread

[Index of Archives]

[Linux Audio Users]

[Samba]

[Big List of Linux Books]

[Linux USB]

[Yosemite News]