[squid-users] intercept vs. accel vhost allow-direct

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 13 05:46:25 UTC 2019


On 12/09/19 9:53 pm, sknz wrote:
> Hello,
> 
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377788/test.png> 
> 
> etho0 is for WAN and eth1 is for LAN side.
> 
> and more detailed firewall settings:
> 
> # Generated by iptables-save v1.4.21 on Thu Sep 12 15:46:58 2019
> *nat
> :PREROUTING ACCEPT [3911:298328]
> :INPUT ACCEPT [384:30494]
> :OUTPUT ACCEPT [273:20568]
> :POSTROUTING ACCEPT [13:3456]
> -A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128


There are two suspect things about this rule.
 1) the port here does not match the port 3129 you mentioned earlier as
having the intercept flag. Those two must be the same. Avoiding port
3128 in these things is a good idea; it is well-known and registered for
other uses.

 2) the interface here is tun0, you said eth1 is your LAN side.

You do not technically need the interface name in this rule, it is just
an extra protection against spoofed IPs coming from the WAN.

I would try without the -i option. If that works, then you can test
which interface is needed to continue working when the -i is added back.


> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Thu Sep 12 15:46:58 2019
> # Generated by iptables-save v1.4.21 on Thu Sep 12 15:46:58 2019
> *mangle
> :PREROUTING ACCEPT [10761:3310565]
> :INPUT ACCEPT [3211:587384]
> :FORWARD ACCEPT [6306:2611786]
> :OUTPUT ACCEPT [2279:577020]
> :POSTROUTING ACCEPT [5283:2937872]
> -A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3128 -j DROP

The above rule is dropping access to your proxy port 3128, which is the
forward-proxy port for clients configured properly to use the proxy,
error page icons, and other things needing direct client<->proxy contact.

The recommended mangle table rule to protect the proxy intercept port
would be just "-A PREROUTING -p tcp -m tcp --dport 3129 -j DROP"

So the proxy is protected from all traffic, even from localhost or from
outside your network.


> # Completed on Thu Sep 12 15:46:58 2019
> # Generated by iptables-save v1.4.21 on Thu Sep 12 15:46:58 2019
> *filter
> :INPUT ACCEPT [1989:462678]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2279:577020]
> -A INPUT -i eth1 -j DROP
> -A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
> -A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT

If you need this rule to get traffic to "http_port 3128", then you
probably also need one for the "http_port 3129 intercept".


Amos
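An added consistency check, written as an example for this thread and not code from Amos or from the Squid project: it parses a constructed squid.conf fragment and a constructed iptables-save excerpt (built from the ports quoted above) and reports when the nat REDIRECT target or the mangle DROP port disagrees with the port carrying Squid's intercept flag.

```shell
#!/bin/sh
# Constructed squid.conf fragment using the two ports discussed in the thread.
SQUID_CONF='http_port 3128
http_port 3129 intercept'

# Constructed iptables-save excerpt mirroring the rules quoted in the thread.
IPT_SAVE='*nat
-A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*mangle
-A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3128 -j DROP
COMMIT'

# First http_port line carrying the intercept flag; strips any host: prefix.
intercept_port() {
  printf '%s\n' "$1" | awk '$1=="http_port" && /intercept/ { p=$2; sub(/.*:/,"",p); print p; exit }'
}

# Port the nat-table REDIRECT for dport 80 sends intercepted traffic to.
redirect_port() {
  printf '%s\n' "$1" | awk '/^\*/ { t=$1 }
    t=="*nat" && /-j REDIRECT/ && /--dport 80( |$)/ {
      for (i=1;i<=NF;i++) if ($i=="--to-ports") { print $(i+1); exit } }'
}

# Port the mangle-table PREROUTING DROP rule shields from direct clients.
mangle_drop_port() {
  printf '%s\n' "$1" | awk '/^\*/ { t=$1 }
    t=="*mangle" && $2=="PREROUTING" && /-j DROP/ {
      for (i=1;i<=NF;i++) if ($i=="--dport") { print $(i+1); exit } }'
}

# Prints each finding; returns 0 only when both rules point at the intercept port.
check_intercept() {
  ip=$(intercept_port "$1"); rp=$(redirect_port "$2"); dp=$(mangle_drop_port "$2"); rc=0
  [ -n "$ip" ] || { echo "no http_port with the intercept flag found"; return 1; }
  if [ "$rp" != "$ip" ]; then
    echo "MISMATCH: REDIRECT --to-ports ${rp:-none} but the intercept port is $ip"; rc=1
  fi
  if [ "$dp" != "$ip" ]; then
    echo "WARNING: mangle DROP covers port ${dp:-none}; it should cover intercept port $ip"; rc=1
  fi
  return $rc
}

# Run against the constructed inputs; the thread's ruleset trips both findings.
check_intercept "$SQUID_CONF" "$IPT_SAVE" || echo "intercept setup needs fixing"
```

Point the two variables at `cat /etc/squid/squid.conf` and `iptables-save` output to check a live host.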

