[squid-users] Transparent Squid Proxy Server

Reet Vyas reet.vyas28 at gmail.com
Thu Jun 4 08:30:13 UTC 2015


Hi

I got it half working. My chat is working and I can search Google, but I can't
browse websites.

My configuration now

acl mynet src 116.72.152.37 192.168.0.0/16    # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3129
http_port 3128 intercept

cache_dir ufs /usr/local/cache 10000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600       90%     43200
refresh_pattern .        0    20%    4320



Iptables:

root at squid:/home/squid# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 77928 packets, 4272K bytes)
 pkts bytes target     prot opt in     out     source               destination
  290 17312 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 75943 packets, 4074K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  847 56477 MASQUERADE  all  --  *      eth0    192.168.0.0/24       0.0.0.0/0

On Thu, Jun 4, 2015 at 12:13 PM, Reet Vyas <reet.vyas28 at gmail.com> wrote:

> Hi,
>
> I changed the iptables, still no luck :( but I am using squid 3.3 only.
> I didn't understand why you have configured ports 3129, 3130 and 3128?
>
> On Wed, Jun 3, 2015 at 1:04 PM, Klavs Klavsen <kl at vsen.dk> wrote:
>
>> Your client needs to use your squid server as default gateway.
>>
>> And then you need the iptables rules I wrote about to direct traffic into
>> squid for certain ports.
>>
>> Reet Vyas wrote on 06/03/2015 08:50 AM:
>>
>>> Hi
>>>
>>> Thanks for the reply. As of now we don't have a router; I have directly
>>> connected my machine to the internet and the other to the LAN, and I have
>>> configured an Ubuntu client machine to test squid, which is on the switch
>>> where other users are connected using the gateway of router 192.168.0.1.
>>>
>>> I read your valuable suggestions, but I am still confused with the iptables
>>> and squid 3.3 settings, transparent and intercept options.
>>>
>>> root at squid:/home/squid#   ip addr show
>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
>>>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>      inet 127.0.0.1/8 scope host lo
>>>         valid_lft forever preferred_lft forever
>>>      inet6 ::1/128 scope host
>>>         valid_lft forever preferred_lft forever
>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>>      link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
>>>      inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
>>>         valid_lft forever preferred_lft forever
>>>      inet6 fe80::21e:67ff:fecf:5974/64 scope link
>>>         valid_lft forever preferred_lft forever
>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>>      link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
>>>      inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
>>>         valid_lft forever preferred_lft forever
>>>      inet6 fe80::21e:67ff:fecf:5975/64 scope link
>>>         valid_lft forever preferred_lft forever
>>>
>>> root at squid:/home/squid#  ip -4 route show
>>> default via 116.72.152.1 dev eth0
>>> 116.72.152.0/22 dev eth0  proto kernel  scope link  src 116.72.152.37
>>> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.200
>>>
>>> To use transparent/intercept, what do I have to set in my config file:
>>> http_port 3128 intercept or transparent?
>>>
>>> And iptables rules; I have tried these rules:
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>>
>>> But it is not working.
>>>
>>> Can you please tell me the firewall rules and let me know why my
>>> firewall rules are not working.
>>>
>>> On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen <kl at vsen.dk> wrote:
>>>
>>>     Amos Jeffries wrote on 06/02/2015 04:34 PM:
>>>
>>>         On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
>>>
>>>             I have this in my squid server for it to work:
>>>
>>>
>>>         The key words there are ... *in my Squid server*
>>>
>>>     indeed :)
>>>
>>>
>>>         NOTE to Klavs:
>>>         loading the "multiport" kernel module seems overkill for a
>>>         single-port match.
>>>
>>>     it's puppets firewall module.. haven't had enough time to fix that
>>>     module :)
>>>
>>>
>>>         FYI: DONT_VERIFY_PEER, "always_direct allow all", and
>>>         "sslproxy_cert_error allow all" have not been good ideas since 3.2.
>>>         dont-verify actually inhibits the Mimic functions which give
>>>         server-first bumping most of its usefulness.
>>>
>>>     Thank you for those tips.
>>>
>>>     --
>>>     Regards,
>>>     Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200
>>>
>>>     "Those who do not understand Unix are condemned to reinvent it, poorly."
>>>        --Henry Spencer
>>>
>>>     _______________________________________________
>>>     squid-users mailing list
>>>     squid-users at lists.squid-cache.org
>>>     http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
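An added check, not from the thread or the Squid project, that lints the access-rule ordering and NAT rules shown above from a defender's viewpoint: `http_access allow all` makes the proxy usable by any client that can reach it, `Safe_ports` is defined but never enforced, the first-match list has no closing deny, and a PREROUTING intercept rule on the internet-facing interface pulls inbound port-80 traffic into Squid. The sample config and rules are constructed, condensed copies of the poster's; the interface names eth0 (WAN) and eth1 (LAN) are as in the thread.

```python
import re

# Constructed copy of the poster's access rules, condensed (not the full file).
SQUID_CONF = """\
acl mynet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3129
http_port 3128 intercept
"""
# iptables-save style rendering of the PREROUTING/POSTROUTING rules in the thread.
NAT_RULES = """\
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.200:3128
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
"""

def lint_squid_conf(conf):
    """Return finding codes for http_access ordering problems (first match wins)."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()      # drop comments, tokenize
        if words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))     # (allow|deny, acl terms)
    findings = []
    if any(v == "allow" and a == ["all"] for v, a in rules):
        findings.append("OPEN_PROXY")              # any reachable client may relay
    if not any(v == "deny" and a == ["!Safe_ports"] for v, a in rules):
        findings.append("NO_SAFE_PORTS_DENY")      # ACL defined but never enforced
    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("NO_FINAL_DENY")           # list should end with explicit deny
    return findings

def lint_nat_rules(rules, wan_if):
    """Flag PREROUTING intercept rules that ingest packets arriving on the WAN interface."""
    findings = []
    for line in rules.splitlines():
        if not line.startswith("-A PREROUTING"):
            continue
        iface = re.search(r"-i (\S+)", line)
        target = re.search(r"-j (REDIRECT|DNAT)", line)
        if iface and target and iface.group(1) == wan_if:
            findings.append("WAN_INTERCEPT:" + line)   # internet port-80 lands in Squid
    return findings

if __name__ == "__main__":
    print(lint_squid_conf(SQUID_CONF)); print(lint_nat_rules(NAT_RULES, "eth0"))
```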