[squid-users] Enable tproxy in Squid 3.5 running on Debian 9

Alex K rightkicktech at gmail.com
Thu Oct 5 20:03:44 UTC 2017


You will need to transparently redirect the traffic and not explicitly
point your browser to squid. Seems that the mentioned firewall rules are
correct. You will need a policy route also for the marked traffic.

On Oct 5, 2017 7:54 PM, "xpro6000" <xpro6000 at gmail.com> wrote:

I'm back to square one then, and it looks like there is no way to tell
Squid to use the same connecting ip for the outgoing ip, which is what I
need.

On Thu, Oct 5, 2017 at 3:49 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 05/10/17 15:01, xpro6000 wrote:
>
>> I'm trying to setup tproxy with Squid 3.5 for the purpose of having the
>> same outgoing ip as the connecting ip. (I have thousands of IPs and I can
>> not add them one by one)
>>
>> I started with a fresh install of Debian 9, installed Squid by
>>
>> apt install squid
>>
>> then I added
>>
>> http_port 3129 tproxy
>>
>> to squid.conf
>>
>> I then ran the following commands for iptables
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>>
>> iptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>
>> iptables  -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>> --tproxy-mark 0x1/0x1 --on-port 3129
>>
>>
>> I can use the proxy with no problems on port 3128, but on Firefox I get a
>> message "The proxy server is refusing connections" when I set the proxy to
>> port 3129. Did I miss any steps or am I doing something wrong?
>>
>
> You missed the fact that TPROXY is an MITM operation. You *cannot* setup
> the browser to use the proxy directly to its tproxy port. You have to route
> the packets to the proxy machine without any explicit browser or client
> configuration.
>
> Only the Squid machine bits (and thus behaviour) are different with TPROXY
> vs NAT interception.
>
> ...
>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localhost
>> http_access allow all
>>
>
> Do not do "allow all" like this. Setup the localnet ACL to your LAN
> range(s) properly and only allow those clients through the proxy.
>
> Then you can use the recommended default:
>  http_access deny !Safe_ports
>  http_access deny CONNECT !SSL_ports
>  http_access allow localhost
>  http_access deny manager
>  http_access allow localnet
>  http_access deny all
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
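As an added example, not code from the thread or the Squid project: the host-side plumbing for a TPROXY interception host on Debian 9, bringing together the mangle rules from the original post, the policy route for the marked traffic that Alex K says is missing, and the sysctl settings TPROXY needs. It assumes (labelled in the comments) that eth0 is the LAN-facing interface, that routing table 100 and mark 1 are otherwise unused, and that squid.conf carries `http_port 3129 tproxy`. The `has_policy_route` helper is a small check a practitioner can run against `ip rule show` output to confirm the step that is usually forgotten.

```shell
#!/bin/sh
# Added example, not from the thread: TPROXY host plumbing for Squid on Debian 9.
# Assumptions: eth0 is the LAN-facing interface, table 100 and mark 1 are free,
# and Squid listens with "http_port 3129 tproxy". Run as root with APPLY=1 to
# execute; without APPLY=1 the commands are only printed (dry run).

TPROXY_PORT=3129            # must match "http_port 3129 tproxy" in squid.conf
MARK=1                      # fwmark used by the DIVERT chain and the TPROXY target
TABLE=100                   # routing table that delivers marked packets locally
LAN_IF=eth0                 # assumed LAN-facing interface
MARK_HEX=$(printf '0x%x' "$MARK")

# Print the full rule set, one command per line, in the order it must be applied.
tproxy_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.$LAN_IF.rp_filter=0
ip rule add fwmark $MARK_HEX lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $MARK_HEX/$MARK_HEX --on-port $TPROXY_PORT
EOF
}

# Execute the rule set. Applying it twice duplicates the iptables rules, so
# flush the mangle table and table $TABLE before re-running.
tproxy_apply() {
    tproxy_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Read "ip rule show" output on stdin; succeed only if the fwmark policy route
# (the step the original post lacks) is present.
has_policy_route() {
    grep -q "fwmark $MARK_HEX lookup $TABLE"
}

if [ "${APPLY:-0}" = 1 ]; then
    tproxy_apply
    ip rule show | has_policy_route || { echo "policy route missing" >&2; exit 1; }
else
    tproxy_rules
fi
```

Without the `ip rule` / `ip route ... table 100` pair, packets marked by the TPROXY target are looked up in the main table and forwarded onward instead of being delivered to the local socket on port 3129, so Squid never sees them. The browser itself is left unconfigured: clients simply route through this host, and `ip rule show | has_policy_route` after applying is the quickest sanity check.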

