[squid-users] intercept vs. accel vhost allow-direct

Matus UHLAR - fantomas uhlar at fantomas.sk
Fri Sep 13 08:36:06 UTC 2019


On 13.09.19 03:12, sknz wrote:
>For clarification, I'm running an AP-Hotspot server(coovachilli, freeradius,
>squid, etc.) with two NIC(eth0 and eth1). eth0 is for WAN(internet) and eth1
>is for managing LAN(APs). Coovachilli is created tun0 under the eth1
>interface. I'm using squid-3.4.8 as an HTTP transparent proxy.

you still don't accept or NAT connections from eth0 to port 80 in the world.

you only do that with tunneled connections.

># This is my updated squid.conf as your suggestion, 3129 for forward-proxy
>and 3130 for intercepting HTTP:
>http_port 3129
>http_port 3130 intercept

I really wonder why you didn't keep 3128 for the forward proxy as before.
People using explicit proxy on port 3128 wouldn't have to change it.

The intercepting port doesn't matter much, because it's only between
firewall/NAT and squid, users won't see it.

>I've tried removing all "-i" options and updating mangle rules as your
>suggestion from iptables; no effects on it. I've opened intercept port also.
>This is my original iptables with adjusted rules:
>
>#nat
>-A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3130    #redirect http to squid intercept port
>-A POSTROUTING -o eth0 -j MASQUERADE
>
>#mangle
>-A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3130 -j DROP    #drop direct attempts to proxy intercept port

don't you drop all connections that should be natted to 3130 here?
Try dropping this rule.

>-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
>#filters
>-A INPUT -i eth1 -j DROP

I wonder whether you can communicate with the LAN at all, when you drop anything coming from it.

>-A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
>-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
>-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
>-A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
>-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3130 -j ACCEPT
>#squid intercept
>-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3129 -j ACCEPT
>#squid forward
>-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
>#chilli controller
>-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
>-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 2812 -j ACCEPT    #freeradius
>-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
>-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT    #https
>-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT    #http
>-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 4990 -j ACCEPT
>#hotspot UAM
>-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
>-A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
>-A FORWARD -i tun0 -o eth0 -j ACCEPT
>-A FORWARD -i tun0 ! -o eth0 -j DROP
>-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>-A FORWARD -o tun0 -j ACCEPT
>-A FORWARD -i tun0 -j ACCEPT
>-A FORWARD -o eth1 -j DROP
>-A FORWARD -i eth1 -j DROP

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
I wonder how much deeper the ocean would be without sponges.
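As an added check, not part of the thread: a small Python model of the netfilter hook order for locally delivered packets (mangle PREROUTING, then nat PREROUTING, then filter INPUT), fed with two constructed packets from a tun0 client: a SYN to port 80 on a remote host, and a SYN sent straight to 10.1.0.1:3130. The chain contents are a subset of the rules quoted above; the tun0 address 10.1.0.1, the client address and the remote address are assumptions.

```python
# Added example (not from the thread): toy model of the netfilter hook order for
# locally delivered packets: mangle PREROUTING -> nat PREROUTING -> filter INPUT.
# Conntrack and the FORWARD/OUTPUT paths are not modelled; REDIRECT rewrites dst
# to the ingress interface's primary address (assumed 10.1.0.1 on tun0).
from ipaddress import ip_address, ip_network

IFACE_ADDR = {"tun0": "10.1.0.1"}   # assumption taken from the quoted rules
LOCAL = set(IFACE_ADDR.values())
# Subset of the quoted rules, in hook order; a packet is a plain dict.
MANGLE_PREROUTING = [
    {"src": "10.1.0.0/24", "dst": "10.1.0.1/32", "dport": 3130, "target": "DROP"},
]
NAT_PREROUTING = [
    {"src": "10.1.0.0/24", "not_dst": "10.1.0.1/32", "iif": "tun0", "dport": 80,
     "target": "REDIRECT", "to_port": 3130},
]
FILTER_INPUT = [
    {"iif": "eth1", "target": "DROP"},
    {"dst": "10.1.0.1/32", "iif": "tun0", "dport": 3130, "target": "ACCEPT"},
    {"dst": "10.1.0.1/32", "iif": "tun0", "target": "DROP"},
]
CHAINS = [("mangle PREROUTING", MANGLE_PREROUTING),
          ("nat PREROUTING", NAT_PREROUTING),
          ("filter INPUT", FILTER_INPUT)]

def matches(rule, p):
    """True when every match field present in the rule holds for the packet."""
    ok = rule.get("iif", p["iif"]) == p["iif"] and rule.get("dport", p["dport"]) == p["dport"]
    ok &= "src" not in rule or ip_address(p["src"]) in ip_network(rule["src"])
    ok &= "dst" not in rule or ip_address(p["dst"]) in ip_network(rule["dst"])
    ok &= "not_dst" not in rule or ip_address(p["dst"]) not in ip_network(rule["not_dst"])
    return ok

def walk(p):
    """Return (verdict, final packet, trace) for p walking the three chains."""
    trace = []
    for chain, rules in CHAINS:
        for r in rules:
            if not matches(r, p):
                continue
            trace.append((chain, r["target"]))
            if r["target"] == "DROP":
                return "DROP", p, trace
            if r["target"] == "REDIRECT":           # dst becomes the local address
                p = {**p, "dst": IFACE_ADDR[p["iif"]], "dport": r["to_port"]}
            break                          # ACCEPT/REDIRECT terminate this chain only
        if chain == "nat PREROUTING" and p["dst"] not in LOCAL:
            return "ROUTED (FORWARD path, not modelled)", p, trace
    accepted = bool(trace) and trace[-1] == ("filter INPUT", "ACCEPT")
    return ("ACCEPT" if accepted else "INPUT policy"), p, trace
```

The trace returned by walk() names the first chain that matched each packet, which is what the question about the mangle DROP rule turns on.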