[squid-users] Transparent Squid Proxy Server

Klavs Klavsen kl at vsen.dk
Tue Jun 2 13:20:03 UTC 2015


I have this in my squid server for it to work:
*mangle
:PREROUTING ACCEPT [190:618576]
:INPUT ACCEPT [190:618576]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [163:41506]
:POSTROUTING ACCEPT [166:42334]
-A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3129 -m comment --comment "002 drop squid direct traffic http - we only allow captured traffic" -j DROP
-A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3130 -m comment --comment "002 drop squid direct traffic https - we only allow captured traffic" -j DROP
COMMIT
# Completed on Wed Apr  1 10:28:22 2015
# Generated by iptables-save v1.4.21 on Wed Apr  1 10:28:22 2015
*nat
:PREROUTING ACCEPT [1:36]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [30:2079]
:POSTROUTING ACCEPT [30:2079]
-A PREROUTING -s $myip/32 -p tcp -m multiport --dports 80 -m comment --comment "000 allow squid http - so its traffic does not get captured" -j ACCEPT
-A PREROUTING -s $myip/32 -p tcp -m multiport --dports 443 -m comment --comment "000 allow squid https - so its traffic does not get captured" -j ACCEPT
-A PREROUTING -p tcp -m multiport --dports 80 -m comment --comment "001 capture http to squid" -j DNAT --to-destination $myip:3129
-A PREROUTING -p tcp -m multiport --dports 443 -m comment --comment "001 capture https to squid" -j DNAT --to-destination $myip:3130
COMMIT
# Completed on Wed Apr  1 10:28:22 2015
# Generated by iptables-save v1.4.21 on Wed Apr  1 10:28:22 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
-A INPUT -p tcp -m multiport --ports 3129 -m comment --comment "000 allow squid http intercept" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 3130 -m comment --comment "000 allow squid https intercept" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 3128 -m comment --comment "000 allow squid proxy" -j ACCEPT

and squid conf (mind you - squid 3.4)
ssl_bump                       server-first all
sslproxy_flags                 DONT_VERIFY_PEER
sslcrtd_children               8 startup=1 idle=1
sslcrtd_program                /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
https_port                     3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ca.private cert=/etc/squid/ca.cert
shutdown_lifetime              3
always_direct                  allow all
sslproxy_cert_error            allow all
http_port                      3129 intercept

Reet Vyas wrote on 06/02/2015 02:31 PM:
> I am trying to configure a transparent squid proxy on Ubuntu 14.04 Server,
> and the squid version I am using is 3.3.
>
> My Lan and Wan settings
>
> eth0      Link encap:Ethernet  HWaddr 00:1e:67:cf:59:74
>            inet addr:116.72.*.*  Bcast:116.72.155.255  Mask:255.255.252.0
>            inet6 addr: fe80::21e:67ff:fecf:5974/64 Scope:Link
>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>            RX packets:238950 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:236104 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 txqueuelen:1000
>            RX bytes:22219047 (22.2 MB)  TX bytes:17390502 (17.3 MB)
>            Interrupt:16 Memory:d0a00000-d0a20000
>
> eth1      Link encap:Ethernet  HWaddr 00:1e:67:cf:59:75
>            inet addr:192.168.0.200  Bcast:192.168.0.255  Mask:255.255.255.0
>            inet6 addr: fe80::21e:67ff:fecf:5975/64 Scope:Link
>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>            RX packets:96965 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:11785 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 txqueuelen:1000
>            RX bytes:10764615 (10.7 MB)  TX bytes:7151763 (7.1 MB)
>            Interrupt:17 Memory:d0900000-d0920000
>
> my squid.conf file
>
> acl mynet src 116.72.152.37 192.168.0.0/16    # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow mynet
> http_access allow localhost
> http_access allow all
> http_port 3128
> cache_dir ufs /usr/local/cache 10000 16 256
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600       90%     43200
> refresh_pattern .        0    20%    4320
>
>
> but when I use 192.168.0.200 in my client machine as gateway ...
> internet is not working and I can't see logs in access.log
>
> But when I use this IP in my browser it is working and showing logs, but
> with my TP-Link router as gateway, i.e. 192.168.0.1.
>
> iptables rules:
> num  target     prot opt source               destination
> 1    DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:192.168.0.200:3128
> 2    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128
>
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source               destination
>
>
> Please tell me what I am missing in the iptables and squid3 configuration.
> I tried both the transparent and intercept options, but I think I have an
> issue with iptables, or maybe a configuration issue.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer
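As an added example (not code from either message in this thread), the script below generates the iptables-restore input for the layout in the reply above, parameterised by proxy IP and interface names, and checks a dump in iptables-save format for the rules that keep the intercept ports from being reached directly. It goes slightly beyond the reply by adding a MASQUERADE for the gateway role and restricting the proxy ports to the LAN side; the IP and interface names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: build the ruleset for a transparent
# Squid host (intercept ports 3129/3130, plain proxy on 3128) and verify a dump.
# The proxy IP and interface names are placeholders passed in by the caller.
# gen_rules MYIP LAN_IF WAN_IF: print an iptables-restore ruleset for the host.
gen_rules() {
    myip="$1"; lan="$2"; wan="$3"
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# Intercept ports only take redirected traffic: refuse direct connections.
-A PREROUTING -d $myip/32 -p tcp --dport 3129 -j DROP
-A PREROUTING -d $myip/32 -p tcp --dport 3130 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Squid's own outbound connections must not be captured again (forwarding loop).
-A PREROUTING -s $myip/32 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -s $myip/32 -p tcp --dport 443 -j ACCEPT
# Web traffic arriving from the LAN goes to Squid's intercept ports.
-A PREROUTING -i $lan -p tcp --dport 80 -j DNAT --to-destination $myip:3129
-A PREROUTING -i $lan -p tcp --dport 443 -j DNAT --to-destination $myip:3130
# Other forwarded traffic is NATed out the WAN side (assumes this host is the
# LAN's default gateway with ip_forward enabled).
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Proxy ports are reachable from the LAN only, never from the WAN.
-A INPUT -i $lan -p tcp -m multiport --dports 3128,3129,3130 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3128,3129,3130 -j DROP
COMMIT
EOF
}
# check_rules FILE PORT: exit 0 only if FILE (iptables-save format) both DNATs
# web traffic to PORT in the nat table and DROPs direct connections to PORT in
# the mangle table; accepts either --dport or --dports syntax.
check_rules() {
    awk -v port="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j DNAT/ && $0 ~ (":" port "$") { dnat = 1 }
        table == "mangle" && /-j DROP/ && $0 ~ ("--dports? " port "( |$)") { drop = 1 }
        END { exit (dnat && drop) ? 0 : 1 }' "$1"
}
# Typical use: gen_rules 192.168.0.200 eth1 eth0 > rules && check_rules rules 3129 && iptables-restore < rules
```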
