[squid-users] Squid as gateway

Amos Jeffries squid3 at treenet.co.nz
Fri Jul 21 13:18:52 UTC 2017 

On 21/07/17 07:07, erdosain9 wrote:
> Hi, and thank you all.
> 
> Well this is the diagram.
> 
> 
> 
> INTERNET
> +
> +
> FIREWALL (10.1.158.1/24)
> +
> +
> +
> SQUID (2 interfaces) 10.1.158.2/24
>                                  192.168.1.20/24

This machine called SQUID need to be configured as a router.

You mentioned the GW route for the device below, but what are the two GW 
routes (10/8 gw ??? , and 192.168/16 gw ???) this SQUID machine should have?


> +
> +
> ROUTERWIFI( WAN----static ip 192.168.1.40/24 gw 192.168.1.20) LAN
> 192.168.0.1/24)

That looks okay.

But double-check that this machine is *NOT* performing NAT on any of the 
outgoing packets sent to 192.168.1.20.


> 
> squid config:
> 
> acl red1 src 192.168.1.0/24

That permits the ROUTERWIFI machine to send traffic from itself (only) 
to Squid. Such traffic should be an extreme rarity - usually just you 
testing HTTP connectivity from that machine manually.

This Squid should be expecting to receive traffic from 192.168.0.0/24 
machines. If you do not change this I expect you will start to see 
DENIED lines being logged by Squid when you fix the packet arrival problem.


> 
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl SSL_ports port 8080
> acl SSL_ports port 20000
> acl SSL_ports port 10000
> acl SSL_ports port 2083
> 
> acl Safe_ports port 631         # httpCUPS
> acl Safe_ports port 85
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 8443        # httpsalt
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 8080        # edesur y otros

NP: those 8080 and 8443 are included in the 1025-65535 entry above.

> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> http_access allow localhost
> http_access allow red1
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 192.168.1.20:3128
> http_port 192.168.1.20:3129 intercept

You should not have to specify any IP address here.
eg.
   http_port 3128
   http_port 3129 intercept

Squid will then be able to receive the NAT'd traffic no matter what 
system NAT rules contain.


> 
...
> #Your refresh_pattern
> refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
> ignore-private

NP: ignore-no-cache is no longer existing.

SECURITY WARNING: using ignore-no-store for images will cache Captcha 
images, user avatar icons, personal content from private accounts (think 
snapchat and facebook photos type of stuff).
  ignore-private is not so bad in the latest Squid releases as it used 
to be, but it will not cause much of a HIT ratio increase over default 
behaviour either.


> 
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> dns_nameservers 8.8.8.8 8.8.4.4

Use of 8.8.8.8 and 8.8.4.4 in a Squid which is intercepting traffic 
causes a lot of problems - mostly in the form of "Host verify" security 
alerts and major reduction in HTTP traffic caching.

To work around those problems you need a local DNS server which both 
your client machines and Squid use for recursive resolving. That DNS 
server can use 8.8.8.8 and 8.8.4.4 as its upstream forwarders if you 
actually still need it - having your own local resolver pretty much 
obsoletes all the benefits 8.8.8.8 claim to provide.


> 
> -----------------------------------------------------------------------
> 
> I probe this, nothing work..............
> ---------------------------------------------------------------------------------------------------------------------------------------------
> 
> iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
> 192.168.1.20:3129
> iptables -t nat -A POSTROUTING -j MASQUERADE
> iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
> 
> ------------------------------------------------------------------------------------------------------------------------------------------------
> 
> iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
> iptables -t nat -A POSTROUTING -j MASQUERADE
> iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
> 
> -----------------------------------------------------------------------------------------------------------------------------------------------
> 

Both of those look fine for the NAT rules on SQUID box - they only do 
the NAT part, not any of the packet routing.

The problem I think is in the routing setup on the SQUID machine, and 
maybe the ROUTERWIFI.

Amos

More information about the squid-users mailing list