Hey,
Sorry, I misunderstood the scenario.
For now let's assume the packets are routed to the proxy properly, but let's try to understand: how do you route the traffic to the proxy?
Also, what is defined on the proxy http_port?
Are you using artica proxy?
Where do you implement the iptables rules?
Eliezer
Hi
Do you mean use this
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination 172.31.0.1:25976
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination 172.31.0.1:52406
Instead of this
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 25976
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 52406
?
Do I also need some kind of
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
?
Best regards
Sent from Nine
From: NgTech LTD <ngtech1ltd@xxxxxxxxx>
Sent: Tuesday, 30 July 2024 14:44
To: Bolinhas André
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [squid-users] IPTABLES - Can't redirect HTTPS traffic to external Squid
Hey,
The dnat rule should be done on the squid itself.
You will need to re-route the relevant traffic over the ipsec tunnel to the squid ip.
It's possible to do that over ipip or gre tunnels.
Eliezer
On Tue, 30 Jul 2024, 15:41, Bolinhas André <andre.bolinhas@xxxxxxxxxxxxxx> wrote:
I have an external proxy server connected by VPN (IPSEC) to my main branch, and I'm trying to redirect all users' HTTP / HTTPS traffic to this proxy.
Scenario: Users -> Gateway (Main Branch) -> IPSEC -> Squid Proxy (transparent mode)
In my Gateway (Main Branch) I have this test iptables rule, that is forwarding all the TCP / UDP traffic to the Proxy server.
iptables -t nat -I PREROUTING -s 192.168.60.90 -p tcp -j DNAT --to-destination 172.31.0.1
iptables -t nat -I PREROUTING -s 192.168.60.90 -p udp -j DNAT --to-destination 172.31.0.1
In the Squid Proxy server I have the following rules
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8081
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8080
Everything is working correctly, HTTP traffic is ok, DNS is also working, the only exception is the HTTPS traffic, I can see the HTTPS traffic inside the squid access.log but on the client side I got a timeout:
1722265740.867 1 192.168.60.90 TCP_TUNNEL/200 0 CONNECT cnn.com:443 - HIER_DIRECT/51.210.183.2:443 - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"
Can anyone help me to understand if I'm missing some iptables rule to handle the HTTPS traffic?
Sent from Nine
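The access.log line quoted in the original message is Squid's native log format with Artica's extra fields appended after the mime-type column. As an added example (not code from the thread, Squid or Artica), the parser below splits such lines and counts CONNECT requests that Squid tunnelled (TCP_TUNNEL/200) but that delivered zero bytes to the client, which is the proxy-side view of the client-side HTTPS timeouts being discussed; the sample log is constructed, with the first line copied from the thread and the other two made up for contrast.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: line 1 is the one quoted in the thread; lines 2-3 are
# made up (TEST-NET peer address) to put a healthy GET and CONNECT beside it.
SAMPLE_LOG = """\
1722265740.867 1 192.168.60.90 TCP_TUNNEL/200 0 CONNECT cnn.com:443 - HIER_DIRECT/51.210.183.2:443 - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"
1722265741.102 245 192.168.60.90 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/203.0.113.10:80 text/html mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"
1722265742.500 3200 192.168.60.90 TCP_TUNNEL/200 48211 CONNECT example.org:443 - HIER_DIRECT/203.0.113.10:443 - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"
"""


@dataclass
class AccessEntry:
    """One Squid native-format access.log record: 10 fixed fields plus extras."""
    timestamp: float
    duration_ms: int
    client: str
    result: str        # Squid result code, e.g. TCP_TUNNEL
    status: int        # HTTP status sent to the client
    bytes_sent: int    # bytes delivered to the client (0 on the dead tunnel)
    method: str
    url: str
    hierarchy: str     # e.g. HIER_DIRECT
    peer: str          # next hop, e.g. 51.210.183.2:443
    extra: List[str] = field(default_factory=list)  # Artica's appended fields


def parse_line(line: str) -> AccessEntry:
    """Native format: ts duration client result/status bytes method url user hier/peer mime [extras]."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return AccessEntry(float(f[0]), int(f[1]), f[2], result, int(status),
                       int(f[4]), f[5], f[6], hierarchy, peer, f[10:])


def is_dead_tunnel(e: AccessEntry) -> bool:
    """CONNECT that Squid tunnelled (TCP_TUNNEL) yet delivered no bytes to the client."""
    return e.method == "CONNECT" and e.result == "TCP_TUNNEL" and e.bytes_sent == 0


def dead_tunnels_by_client(log_text: str) -> Dict[str, int]:
    """Count zero-byte CONNECT tunnels per client IP over a chunk of access.log."""
    counts: Dict[str, int] = {}
    for line in filter(str.strip, log_text.splitlines()):
        e = parse_line(line)
        if is_dead_tunnel(e):
            counts[e.client] = counts.get(e.client, 0) + 1
    return counts
```

Run it against a tail of the proxy's access.log: a steady count of dead tunnels for a client whose HTTP requests show normal byte counts points at the return path for the intercepted 443 traffic rather than at Squid refusing the request.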
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users