[squid-users] Fwd: Squid does not pass HTTPS traffic transparently

Bud Miljkovic bud_miljkovic at trimble.com
Mon Oct 16 03:41:30 UTC 2023


Resending it without an image

On Mon, Oct 16, 2023 at 1:59 PM Bud Miljkovic <bud_miljkovic at trimble.com>
wrote:

> Here is my system configuration
>
-
> The setup and the problem
>
>    - The HW box tries to establish an HTTPS transparent connection with a
>    server located within Internet.
>    - It uses the Local Server and send its request via eth0 interface.
>    - The request is Pre-routed from eth0, port 443, to the Transparent
>    Squid proxy (v3.5.25), listening at port 3129.
>    - For testing purposes, the Squid proxy is configured to pass only the
>    HTTPStraffic transparently via the eth1 interface, using sing the
>    `tcp_outgoing_address <ip_addr>` directive.  Please see the attached
>    squid-ota.conf file.
>    - While testing, I am monitoring the eth1 output via tcpdump and I get
>    the following:
>    # tcpdump -i eth1 port 443 -n -X -q
>    tcpdump: verbose output suppressed, use -v or -vv for full protocol
>    decode
>    listening on eth1, link-type EN10MB (Ethernet), capture size 262144
>    bytes
>    -  But nothing is detected!?
>    - From the above it appears that there is no an eth1 output at port
>    443?
>
> I have attached the printouts of the `iptables -nvL` and `iptables -nvL -t
> nat`
>  commands.
>
> Can someone check ut what I have done here and perhaps suggest what could
> be
> wrong in here.
>
> Cheers,
> Bud
> --
> Budimir Miljković BSc E | He
> Senior Development Engineer
> Civil Construction Field Systems
> Trimble
>
> 11-17 Birmingham Drive, Christchurch, Canterbury, 8024
> New Zealand
> +64 3 963-5550 Direct
> +64 21 419-024 Mobile
>
> www.trimble.com
>
> This email may contain confidential information that is intended only for
> the listed recipient(s) of this email. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you believe you have received
> this email in error, please immediately delete this email and any
> attachments, and inform me via reply email.
>


-- 
Budimir Miljković BSc E | He
Senior Development Engineer
Civil Construction Field Systems
Trimble

11-17 Birmingham Drive, Christchurch, Canterbury, 8024
New Zealand
+64 3 963-5550 Direct
+64 21 419-024 Mobile

www.trimble.com

This email may contain confidential information that is intended only for
the listed recipient(s) of this email. Any unauthorized review, use,
disclosure or distribution is prohibited. If you believe you have received
this email in error, please immediately delete this email and any
attachments, and inform me via reply email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20231016/b3de9138/attachment.htm>
-------------- next part --------------
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8827  680K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    7   438 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW
    2   138 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
1218K  299M APP_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
1218K  299M OS_RULES   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
  134 28053 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
14014  841K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  wlan1  wlan1   0.0.0.0/0            0.0.0.0/0           
    9   559 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable

Chain OUTPUT (policy ACCEPT 39073 packets, 2757K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  125 11932 ACCEPT     all  --  *      *       10.3.19.92           0.0.0.0/0           

Chain APP_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain DEV_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1534
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2345
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1534
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2345

Chain EXTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination         
1190K  298M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination         
13930  794K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    8  2540 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    1   328 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain OS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
28092 1666K DEV_RULES  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DEV_RULES  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0           
28087 1666K INTERNAL_RULES  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 INTERNAL_RULES  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0           
1190K  298M EXTERNAL_RULES  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 EXTERNAL_RULES  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           

-------------- next part --------------
Chain PREROUTING (policy ACCEPT 1234K packets, 306M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   96  5760 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
13943  837K REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 13972 packets, 798K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 62 packets, 4650 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 14103 packets, 566K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eth1    192.168.168.0/24     0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      eth1    192.168.192.0/24     0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      wlan0   192.168.168.0/24     0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      wlan0   192.168.192.0/24     0.0.0.0/0           



More information about the squid-users mailing list