[squid-users] Mikrotik and Squid Transparent

Dalmar maamule10 at gmail.com
Wed Jun 24 12:30:15 UTC 2015


Squid 3.3.8 and Ubuntu 15.04 server

2015-06-24 15:04 GMT+03:00 Yuri Voinov <yvoinov at gmail.com>:

>  Squid 3.5.x?
>
> 24.06.15 18:03, Dalmar wrote:
>
>  Hi,
> For over two weeks I have been having a real headache configuring Squid
> transparent/intercept.
> I have tried different options and configurations but I couldn't get it to
> work.
> I think the problem lies in the iptables / NAT, but I really couldn't
> solve it.
> I have tried different iptables rules, including the intercept LinuxDnat
> sysctl configuration, but it didn't work.
>
>  # your proxy IP
>  SQUIDIP=X.X.X.X
>
>  # your proxy listening port
>  SQUIDPORT=XXXX
>
>  # do not intercept the proxy's own outgoing port-80 traffic
>  iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>  # send everyone else's port-80 traffic to the proxy
>  iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
>  iptables -t nat -A POSTROUTING -j MASQUERADE
>  # block clients from connecting to the intercept port directly
>  iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>
>
>  I have to say that Squid works well when I configure it in the client
> browsers.
>
>  On the Mikrotik side, I am using a dst-nat chain rule, port 80, protocol TCP,
> action dst-nat to address SquidIP and port.
>
>  I am using Ubuntu Server 15.04 with Squid 3.3.8, and this is my
> configuration and the errors I get:
>
>
>                 +--- eth0 WAN    <---- MAIN WAN Public IP / Internet
>           MK ---+--- eth1 LAN
>                 +--- eth2 Proxy
>
>                 +--- eth0 WAN    ---> Public IP --> Internet (gets internet from 24online / another Mikrotik)
>        Squid ---+--- eth1 Proxy
>                 +--- eth2 webmin --> for server management
>
>
>  - error1: if no intercept/transparent and no iptables is configured:
>    - Invalid URL - The requested URL could not be retrieved
>    - but if the proxy is configured in the user's browser, it works!
>
>  - error2: if intercept and the iptables DNAT are configured:
>    - Access Denied, and in the access log TCP_MISS/403
>    - no forward-proxy port configured
>    - SECURITY ALERT: host header forgery detected on local=SquidIP:8080
>      remote=MikrotikIP (local IP does not match any domain name)
>    - WARNING: forwarding loop detected (X-Forwarded-For: Mikrotik LAN IP)
>
>  squid.conf
>
>  acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 8080
> http_port 8181
> cache_mem 2000 MB
> cache_dir ufs /var/spool/squid3 100000 16 256
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
> refresh_pattern . 0 20% 4320
> cache_effective_user proxy
> cache_effective_group proxy
>
>  ----------------------------------------
> I am really confused; can anyone guide me, please?
> Thanks in advance.
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150624/4a9fbd38/attachment.html>
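The "host header forgery detected on local=SquidIP:8080" alert in the quoted report is the symptom of doing the DNAT on the Mikrotik instead of on the Squid host: an intercepting proxy on Linux recovers the real destination of a redirected connection from its own host's conntrack table (getsockopt SO_ORIGINAL_DST), and when the rewrite happened one hop upstream that table only knows the proxy's own address, so the Host: header can never match it. The following Python is an added example written for this page; it is not Squid's code and not something the poster or the replier provided. It decodes the sockaddr_in that SO_ORIGINAL_DST returns, models Squid's intercept-mode Host: validation in simplified form (explicit Host: port must equal the intercepted port, intercepted IP must be among the addresses the Host: name resolves to), and runs that check for both deployments. All IP addresses, the hostname, the DNS table and the port numbers are constructed for the demonstration; only SO_ORIGINAL_DST = 80 is the real Linux constant.

```python
from __future__ import annotations

import socket
import struct

# Linux-only: getsockopt(SOL_IP, SO_ORIGINAL_DST) returns the pre-NAT destination
# that conntrack recorded for this connection, as a struct sockaddr_in.
# Constant from <linux/netfilter_ipv4.h>.
SO_ORIGINAL_DST = 80

# Constructed addresses for the demonstration (not taken from the thread).
SQUID_IP = "192.168.2.2"        # Squid host, eth1 "Proxy" side
SQUID_PORT = 8080               # intercept port
ORIGIN_IP = "203.0.113.10"      # where www.example.com "lives" in the fake DNS below
ORIGIN_PORT = 80

# Constructed DNS table standing in for Squid's ipcache lookup.
FAKE_DNS = {"www.example.com": [ORIGIN_IP]}


def resolve(host: str) -> list[str]:
    """Resolver stub: IP literals resolve to themselves, names via FAKE_DNS."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host)
            return [host]
        except OSError:
            pass
    return FAKE_DNS.get(host, [])


def parse_sockaddr_in(buf: bytes) -> tuple[str, int]:
    """Decode struct sockaddr_in {sa_family; sin_port; sin_addr; pad[8]}."""
    if len(buf) < 8:
        raise ValueError("short sockaddr_in")
    (family,) = struct.unpack("=H", buf[:2])   # sa_family is in host byte order
    if family != socket.AF_INET:
        raise ValueError(f"not AF_INET: {family}")
    (port,) = struct.unpack("!H", buf[2:4])    # sin_port is in network byte order
    return socket.inet_ntoa(buf[4:8]), port


def original_dst(conn: socket.socket) -> tuple[str, int]:
    """What an interceptor does right after accept(): ask conntrack where the
    client really connected. Only yields the origin when the REDIRECT/DNAT rule
    ran on *this* host; otherwise it is just the socket's own local address."""
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


# Constructed bytes: the sockaddr_in SO_ORIGINAL_DST hands back for a client
# that connected to ORIGIN_IP:80 and was redirected on this host.
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", ORIGIN_PORT)
                   + socket.inet_aton(ORIGIN_IP) + bytes(8))


def split_host_header(value: str) -> tuple[str, int | None]:
    """Split a Host: value into (host, explicit port or None); handles [v6]:port."""
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    if rest in ("", ":"):
        return host, None
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError(f"bad Host: port in {value!r}")
    return host, int(rest[1:])


def host_forgery_check(local_ip: str, local_port: int, host_header: str,
                       resolver=resolve) -> tuple[bool, str]:
    """Simplified model of the Host: validation Squid applies to intercepted
    requests. local_ip/local_port is the destination recovered by original_dst().
    Returns (accepted, reason)."""
    host, port = split_host_header(host_header)
    if port is not None and port != local_port:
        return False, f"intercepted port {local_port} does not match Host: port {port}"
    if local_ip in resolver(host):
        return True, "ok"
    return False, "local IP does not match any domain IP"


def intercepted_tuple(dnat_on_squid_host: bool) -> tuple[str, int]:
    """Model of the (local_ip, local_port) Squid recovers for a LAN client that
    opened a TCP connection to ORIGIN_IP:80.
    True : the router forwards the packet unchanged and the rule on the Squid host
           rewrites it, so conntrack there still holds the origin address.
    False: the Mikrotik already rewrote dst to SQUID_IP:SQUID_PORT (the thread's
           setup); the Squid host's conntrack never saw the origin address."""
    if dnat_on_squid_host:
        return ORIGIN_IP, ORIGIN_PORT
    return SQUID_IP, SQUID_PORT


def simulate(dnat_on_squid_host: bool, host_header: str = "www.example.com") -> tuple[bool, str]:
    """Run the modelled check for one intercepted GET carrying the given Host:."""
    local_ip, local_port = intercepted_tuple(dnat_on_squid_host)
    return host_forgery_check(local_ip, local_port, host_header)


if __name__ == "__main__":
    assert parse_sockaddr_in(SAMPLE_SOCKADDR) == (ORIGIN_IP, ORIGIN_PORT)
    for on_squid in (True, False):
        ok, why = simulate(on_squid)
        print(f"DNAT on {'Squid host' if on_squid else 'Mikrotik'}: "
              f"{'accepted' if ok else 'REJECTED'} ({why})")
```

The practical consequence for the setup in the thread: the nat rule has to run on the Squid host itself, on its LAN-facing interface (for example `iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080`, paired with `http_port 8080 intercept` in squid.conf), and the Mikrotik has to deliver the clients' packets with their original destination intact, by routing port-80 traffic to the proxy rather than dst-nat-ing it. Restricting the rule to the LAN interface also keeps the proxy's own outbound port-80 connections, which leave via eth0, from being redirected back into it.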
