[squid-users] Squid not working properly ...

Bud Miljkovic bud_miljkovic at trimble.com
Wed Oct 18 03:32:21 UTC 2023


I have now made some changes based on suggestions from the community and
would like a second look from the more experienced people.
Here is my squid configuration file:
----------------
visible_hostname ctct-r2
# 2) Initialize SSL database first
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
# 3) An ACL named 'whitelist'
acl whitelist dstdomain '/etc/squid/whitelist.ota'
# 4) Allow whitelisted URLs through
http_access allow whitelist
# 5) Listen to incoming HTTP traffic
http_port 3128
# 6) Block the rest
http_access deny all
# 7) Listen for incoming HTTPS traffic and intercept it
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# 8) Pass the SSL (HTTPS) traffic transparently through
ssl_bump splice all
# 9) Send out all HTTPS traffic to destination server via given IP address
tcp_outgoing_address 10.3.19.150
-------------------
And here are the iptables' settings:
NAT table:
# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 9094 packets, 1823K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.3.19.150          0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       10.3.19.150          0.0.0.0/0            tcp dpt:443
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 1 packets, 70 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9 packets, 627 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 9 packets, 627 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth1    192.168.168.0/24     0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth1    192.168.192.0/24     0.0.0.0/0
    0     0 MASQUERADE  all  --  *      wlan0   192.168.168.0/24     0.0.0.0/0
    0     0 MASQUERADE  all  --  *      wlan0   192.168.192.0/24     0.0.0.0/0
------------------------------
Mangle table:
# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 12117 packets, 2382K bytes)
 pkts bytes target     prot opt in     out     source               destination
   16   960 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain INPUT (policy ACCEPT 11861 packets, 2319K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 451 packets, 47694 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 451 packets, 47694 bytes)
 pkts bytes target     prot opt in     out     source               destination
-----------------------------
Routing table:
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3843  304K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    59 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW
   33  2285 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
91160   17M APP_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
91160   17M OS_RULES   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   15  3195 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   75  4508 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  wlan1  wlan1   0.0.0.0/0            0.0.0.0/0
    7   739 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable

Chain OUTPUT (policy ACCEPT 523 packets, 54506 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      eth1    10.3.19.150          0.0.0.0/0       <<<--------------

Chain APP_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain DEV_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
    6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1534
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2345
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1534
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2345

Chain EXTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
90961   17M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
   95  5676 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    5  1592 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    1   328 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain OS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
  199 15779 DEV_RULES  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DEV_RULES  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
  193 15419 INTERNAL_RULES  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 INTERNAL_RULES  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
90961   17M EXTERNAL_RULES  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 EXTERNAL_RULES  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
------------------------------------------------

I am now getting something related to my testing expectation, but there are problems like the following:
```
15:05:58.464105 IP (tos 0x0, ttl 64, id 33640, offset 0, flags [DF], proto UDP (17), length 70)
    10.3.19.150.55834 > 10.3.30.20.domain: [udp sum ok] 31312+ A? api.globalota.limios.net. (42)
....
15:05:58.810877 IP (tos 0xc0, ttl 64, id 32951, offset 0, flags [none], proto ICMP (1), length 209)
    10.3.19.150 > 10.3.0.124: ICMP 10.3.19.150 udp port 55834 unreachable, length 189
```
-------------------------------------
Any hint would be appreciated.

Also, there is a configuration in the chain OUTPUT policy marked with the "<<<-------------" string above, which I am not sure about.

Cheers,
Buda


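As an added example from the editor (not code from the post or from Squid): a small Python tracer that parses `iptables -nvL` dumps and walks PREROUTING in the order netfilter evaluates the tables (mangle before nat), which is the first check worth running when a nat REDIRECT rule shows zero packets while another table's counters are climbing. The sample dump is constructed from the mangle and nat chains shown above; the matcher is simplified to protocol, input interface, source address and destination port and ignores every other match.

```python
import ipaddress
import re

# Constructed sample, modelled on the mangle and nat PREROUTING chains in the post.
SAMPLE = {
    "mangle": """Chain PREROUTING (policy ACCEPT 12117 packets, 2382K bytes)
 pkts bytes target     prot opt in     out     source               destination
   16   960 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
""",
    "nat": """Chain PREROUTING (policy ACCEPT 9094 packets, 1823K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.3.19.150          0.0.0.0/0            tcp dpt:80
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
""",
}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "REDIRECT", "DNAT"}  # end the hook walk

def parse_chains(dump):
    """Parse one `iptables -nvL` table dump into {chain: [rule dict, ...]}."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        parts = line.split()
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue  # blank line or column header
        pkts, _, target, prot, _, inif, _, src, _, *extra = parts
        dport = re.search(r"dpt:(\d+)", " ".join(extra))
        current.append({"pkts": pkts, "target": target, "prot": prot, "in": inif, "src": src,
                        "dport": int(dport.group(1)) if dport else None, "extra": " ".join(extra)})
    return chains

def matches(rule, dport, src_ip, inif, prot):
    """Simplified matcher: protocol, input interface, source network and dport only."""
    return (rule["prot"] in ("all", prot) and rule["in"] in ("*", inif)
            and src_ip in ipaddress.ip_network(rule["src"], strict=False)
            and rule["dport"] in (None, dport))

def first_hit(tables, dport, src, inif="eth0", prot="tcp"):
    """Walk PREROUTING in hook order (mangle before nat) and return the (table, rule)
    that first terminates the packet, or None if it reaches routing untouched."""
    src_ip = ipaddress.ip_address(src)
    for table in ("mangle", "nat"):
        for rule in parse_chains(tables.get(table, "")).get("PREROUTING", []):
            if rule["target"] in TERMINATING and matches(rule, dport, src_ip, inif, prot):
                return table, rule
    return None
```

Feed it the real dumps (for example `first_hit({"mangle": open("mangle.txt").read(), "nat": open("nat.txt").read()}, 443, src="192.168.168.10")`) and the returned table and rule tell you which rule a client's port-443 SYN meets first on its way to the REDIRECT.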