[squid-users] How to configure a transparent, pass-all, Squid proxy?
Bud Miljkovic
bud_miljkovic at trimble.com
Thu Oct 19 18:17:13 UTC 2023
I am new to Squid and I'm trying to use it in a simple test case of a pass-all transparent proxy.
My configuration is: Web-browser -> Local_Server{eth0/port-443 -> (Transparent Proxy) -> port-443/eth1} -> {Internet}
Squid version: 3.5.25
Below are the squid.conf file content, and the outputs of the iptables -nvL and iptables -nvL -t nat commands.
When Squid is running, I expect to be able to browse to all websites.
However, access to all websites is blocked?!
squid.conf file content:
# 1) Visible hostname
visible_hostname ctct-r2
# Debugging
debug_options ALL,1 33,2 28,9
# Enable log
access_log daemon:/var/log/squid/access.log squid
# 2) Initialize SSL database
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
# Do not use caching
# cache_dir ufs /var/volatile/log/squid/logs 100 16 256
# 3) Listen to incoming HTTP traffic
http_port 3128
# 4) Listen for incoming HTTPS traffic and intercept it
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# 5) Pass the SSL (HTTPS) traffic transparently through
ssl_bump splice all
# 6) Allow all HTTP traffic
http_access allow all
# 7) Send out all traffic to Internet via given IP address
tcp_outgoing_address 10.3.19.150
-----------
# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in     out     source               destination
 1467  121K ACCEPT          all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    59 ACCEPT          icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW
    0     0 ACCEPT          all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
83243   15M APP_RULES       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
83243   15M OS_RULES        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   15  3195 REJECT          udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   64  3840 REJECT          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT          all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in     out     source               destination
    0     0 ACCEPT          all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT          all  --  wlan1  wlan1   0.0.0.0/0            0.0.0.0/0
    7   651 REJECT          all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable

Chain OUTPUT (policy ACCEPT 915 packets, 82175 bytes)
 pkts bytes target          prot opt in     out     source               destination

Chain APP_RULES (1 references)
 pkts bytes target          prot opt in     out     source               destination
    0     0 ACCEPT          tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
    0     0 ACCEPT          tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT          tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain DEV_RULES (2 references)
 pkts bytes target          prot opt in     out     source               destination
    2   120 ACCEPT          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1534
    0     0 ACCEPT          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2345
    0     0 ACCEPT          udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1534
    0     0 ACCEPT          udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2345

Chain EXTERNAL_RULES (2 references)
 pkts bytes target          prot opt in     out     source               destination
83158   15M DROP            all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INTERNAL_RULES (2 references)
 pkts bytes target          prot opt in     out     source               destination
    4   269 ACCEPT          udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT          udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT          udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain OS_RULES (1 references)
 pkts bytes target          prot opt in     out     source               destination
   85  7424 DEV_RULES       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DEV_RULES       all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
   83  7304 INTERNAL_RULES  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 INTERNAL_RULES  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
83158   15M EXTERNAL_RULES  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 EXTERNAL_RULES  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
------------------
# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 55227 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.3.19.150          0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       10.3.19.150          0.0.0.0/0            tcp dpt:443
   21  1260 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 4 packets, 508 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 532 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth1    192.168.168.0/24     0.0.0.0/0
    0     0 MASQUERADE all  --  *      eth1    192.168.192.0/24     0.0.0.0/0
    0     0 MASQUERADE all  --  *      wlan0   192.168.168.0/24     0.0.0.0/0
    0     0 MASQUERADE all  --  *      wlan0   192.168.192.0/24     0.0.0.0/0
   29  1372 MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0
--------------
--
Budimir Miljković BSc E | He
Senior Development Engineer
Civil Construction Field Systems
Trimble
11-17 Birmingham Drive, Christchurch, Canterbury, 8024
New Zealand
+64 3 963-5550 Direct
+64 21 419-024 Mobile
www.trimble.com
This email may contain confidential information that is intended only for
the listed recipient(s) of this email. Any unauthorized review, use,
disclosure or distribution is prohibited. If you believe you have received
this email in error, please immediately delete this email and any
attachments, and inform me via reply email.
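A point worth checking on any interception setup like the one posted above: a REDIRECT in the nat PREROUTING chain rewrites the destination port before the routing decision, so the connection that then reaches the filter INPUT chain carries the redirect target port (3128 or 3129 here), not 80 or 443, and INPUT decides whether Squid ever sees it. The script below is an added example, not part of the original post and not a reply from the list or code from the Squid project. It walks a `iptables -vnL` dump the way netfilter does (rules in order, jumps into user chains, fall-through back to the caller, chain policy at the end of a built-in chain) and reports which rule gives the verdict for a NEW TCP connection arriving on a given interface and port. The embedded dump is a hand-copied, trimmed version of the filter table shown above (constructed input, not a live capture); only the matchers that appear in it (protocol, input interface, any-address source/destination, ctstate, dpt) are modelled, and the function names are my own.

```python
import re

# Constructed sample: the post's filter table, copied by hand and trimmed to the
# chains a new connection on eth0/eth1 can reach. Replace with live output on a real box.
SAMPLE_FILTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1467  121K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    59 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
83243   15M APP_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
83243   15M OS_RULES   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   15  3195 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   64  3840 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable
Chain APP_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
Chain DEV_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
Chain EXTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
83158   15M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain INTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
    4   269 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
Chain OS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
   85  7424 DEV_RULES       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   83  7304 INTERNAL_RULES  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
83158   15M EXTERNAL_RULES  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_dump(text):
    """Split `iptables -vnL` output into {chain: [rule]} and {built-in chain: policy}."""
    chains, policies, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            if m.group(2):
                policies[current] = m.group(2)
            continue
        tok = line.split()
        if current is None or not tok or tok[0] == "pkts":
            continue  # blank line or column header
        # columns: pkts bytes target prot opt in out source destination [matches]
        chains[current].append({"target": tok[2], "prot": tok[3], "in": tok[5],
                                "out": tok[6], "src": tok[7], "dst": tok[8],
                                "extra": " ".join(tok[9:])})
    return chains, policies


def rule_matches(rule, pkt):
    """Assumption: only protocol, input interface, any-address src/dst, ctstate and
    dpt are modelled. Address-specific rules never match (pkt carries no address);
    other text in the matches column (reject-with, icmptype) is ignored."""
    if rule["prot"] not in ("all", pkt["prot"]) or rule["in"] not in ("*", pkt["in"]):
        return False
    if rule["src"] != "0.0.0.0/0" or rule["dst"] != "0.0.0.0/0":
        return False
    m = re.search(r"ctstate (\S+)", rule["extra"])
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    m = re.search(r"dpt:(\d+)", rule["extra"])
    return not (m and int(m.group(1)) != pkt["dport"])


def walk(chain, pkt, chains, policies, path):
    """Walk one chain in order; return a terminal verdict, or None on fall-through."""
    for i, rule in enumerate(chains[chain], 1):
        if not rule_matches(rule, pkt):
            continue
        tgt = rule["target"]
        path.append(f"{chain}#{i} -> {tgt}")
        if tgt in TERMINAL:
            return tgt
        if tgt == "RETURN":
            return None
        if tgt in chains:  # jump into a user chain; keep walking here if it falls through
            verdict = walk(tgt, pkt, chains, policies, path)
            if verdict:
                return verdict
    if chain in policies:  # end of a built-in chain: its policy decides
        path.append(f"{chain} policy -> {policies[chain]}")
        return policies[chain]
    return None


def verdict_for(dump, in_if, dport, prot="tcp", state="NEW", chain="INPUT"):
    """Verdict and decision trace for a packet entering `chain` on `in_if`."""
    chains, policies = parse_dump(dump)
    pkt = {"prot": prot, "in": in_if, "dport": dport, "state": state}
    path = []
    return walk(chain, pkt, chains, policies, path), path


if __name__ == "__main__":
    # The nat REDIRECT rules in the post send eth0 traffic to local ports 3128 and 3129.
    for port in (3128, 3129):
        verdict, path = verdict_for(SAMPLE_FILTER, "eth0", port)
        print(f"eth0 tcp/{port} NEW: {verdict}  via {' > '.join(path)}")
```

Running it prints the chain and rule number that decides each redirect target port, which is the line to compare against the nat PREROUTING counters when a transparently intercepted port shows traffic being redirected but nothing reaching the proxy. On a real box, paste the live `iptables -vnL` text in place of the constructed sample; the parser tolerates the blank lines and column headers of the real output.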