<div dir="ltr"><div><div><div>Hi<br><br></div>I got it half working. My chat is working and I can search Google, but I can't browse websites.<br><br></div>My configuration now:<br><br>acl mynet src 116.72.152.37 192.168.0.0/16 # RFC1918 possible internal network<br>acl SSL_ports port 443<br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br>acl CONNECT method CONNECT<br>http_access deny CONNECT !SSL_ports<br>http_access allow localhost manager<br>http_access deny manager<br>http_access allow mynet<br>http_access allow localhost<br>http_access allow all<br>http_port 3129<br>http_port 3128 intercept<br><br>cache_dir ufs /usr/local/cache 10000 16 256<br>coredump_dir /var/spool/squid3<br>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern ^gopher: 1440 0% 1440<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880<br>refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200<br>refresh_pattern . 0 20% 4320<br><br></div>Iptables:<br><br>root@squid:/home/squid# iptables -t nat -L -n -v<br>Chain PREROUTING (policy ACCEPT 77928 packets, 4272K bytes)<br> pkts bytes target prot opt in out source destination<br> 290 17312 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.200:3128<br> 0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128<br><br>Chain INPUT (policy ACCEPT 75943 packets, 4074K bytes)<br> pkts bytes target prot opt in out source destination<br><br>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br><br>Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> 847 56477 MASQUERADE all -- * eth0 192.168.0.0/24 0.0.0.0/0<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 4, 2015 at 12:13 PM, Reet Vyas <span dir="ltr"><<a href="mailto:reet.vyas28@gmail.com" target="_blank">reet.vyas28@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi,<br><br></div>I changed the iptables, still no luck :( but I am using squid 3.3 only. I didn't understand why you have configured the 3129, 3130 and 3128 ports?<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 3, 2015 at 1:04 PM, Klavs Klavsen <span dir="ltr"><<a href="mailto:kl@vsen.dk" target="_blank">kl@vsen.dk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Your client needs to use your squid server as its default gateway.<br>
<br>
And then you need the iptables rules I wrote about to direct traffic into squid for certain ports.<span><br>
<br>
Reet Vyas wrote on 06/03/2015 08:50 AM:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
Hi<br>
<br>
Thanks for the reply. As of now we don't have a router: I have directly connected my machine to the internet and the other to the LAN, and I have configured an Ubuntu client machine to test squid; it is on the switch where the other users are connected, using the router gateway 192.168.0.1.<br>
<br>
I read your valuable suggestions, but I am still confused with the iptables and squid 3.3 settings, and the transparent and intercept options.<br>
<br>
root@squid:/home/squid# ip addr show<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default<br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br></span>
inet 127.0.0.1/8 scope host lo<span><br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host<br>
valid_lft forever preferred_lft forever<br>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br>
link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff<br>
inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::21e:67ff:fecf:5974/64 scope link<br>
valid_lft forever preferred_lft forever<br>
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br>
link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff<br></span>
inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1<span><br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::21e:67ff:fecf:5975/64 scope link<br>
valid_lft forever preferred_lft forever<br>
<br>
root@squid:/home/squid# ip -4 route show<br>
default via 116.72.152.1 dev eth0<br>
</span>116.72.152.0/22 dev eth0 proto kernel scope link src 116.72.152.37<br>
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.200<span><br>
<br>
To use transparent/intercept, what do I have to set in my config file: http_port 3128 intercept or transparent?<br>
<br>
And the iptables rules: I have tried these rules<br>
<br>
<a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect" target="_blank">http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect</a><br>
<br>
but they are not working.<br>
<br>
Can you please tell me the firewall rules and let me know why my firewall rules are not working.<br>
<br>
On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen <<a href="mailto:kl@vsen.dk" target="_blank">kl@vsen.dk</a>> wrote:<br></span><span>
<br>
Amos Jeffries wrote on 06/02/2015 04:34 PM:<br>
<br>
On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:<br>
<br>
I have this in my squid server for it to work:<br>
<br>
<br>
The key words there are ... *in my Squid server*<br>
<br>
indeed :)<br>
<br>
<br>
NOTE to Klavs:<br>
loading the "multiport" kernel module seems overkill for a single-port match.<br>
<br>
it's puppets firewall module.. haven't had enough time to fix that<br>
module :)<br>
<br>
<br>
FYI: DONT_VERIFY_PEER, "always_direct allow all", and "sslproxy_cert_error allow all" have not been good ideas since 3.2.<br>
dont-verify actually inhibits the Mimic functions which give server-first bumping most of its usefulness.<br>
<br>
Thank you for those tips.<br>
<br>
--<br>
Regards,<br></span>
Klavs Klavsen, GSEC - <a href="mailto:kl@vsen.dk" target="_blank">kl@vsen.dk</a> -<span><br>
<a href="http://www.vsen.dk" target="_blank">http://www.vsen.dk</a> - Tlf. 61281200<br>
<br>
"Those who do not understand Unix are condemned to reinvent it, poorly."<br>
--Henry Spencer<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br></span>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><span><br>
<br>
</span></blockquote><div><div>
<br>
<br>
-- <br>
Regards,<br>
Klavs Klavsen, GSEC - <a href="mailto:kl@vsen.dk" target="_blank">kl@vsen.dk</a> - <a href="http://www.vsen.dk" target="_blank">http://www.vsen.dk</a> - Tlf. 61281200<br>
<br>
"Those who do not understand Unix are condemned to reinvent it, poorly."<br>
--Henry Spencer<br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
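The posted squid.conf closes its http_access list with "allow all" while the box has a public address on eth0 and a forward-proxy listener on 3129, so Squid itself would accept requests from any client able to reach that port (the usual open-proxy misconfiguration). The checker below is an added example, not code from the thread or from Squid: it simulates Squid's first-match http_access evaluation for a plain HTTP GET against the posted src ACLs and against the same list ending in "deny all". The rule list is a trimmed copy of the posted one, the built-in "localhost" and "all" ACLs are predefined, and the probe address 203.0.113.10 is a constructed TEST-NET value.

```python
"""Simulate Squid's first-match http_access evaluation for a plain HTTP GET.
Added example, not Squid's code; the input below is constructed from the posted conf."""
import ipaddress

POSTED_CONF = """\
acl mynet src 116.72.152.37 192.168.0.0/16
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
"""
# The same list with the usual closing rule in place of the unconditional allow.
HARDENED_CONF = POSTED_CONF.replace("http_access allow all", "http_access deny all")

def parse(conf):
    """Return ({src acl name: [networks]}, [(action, [acl tokens]), ...])."""
    src_acls = {"localhost": [ipaddress.ip_network("127.0.0.0/8")],
                "all": [ipaddress.ip_network("0.0.0.0/0")]}  # Squid built-ins
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) > 3 and parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(a, strict=False) for a in parts[3:]]
            src_acls.setdefault(parts[1], []).extend(nets)
        elif len(parts) > 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return src_acls, rules

def acl_matches(token, src_acls, client):
    """One ACL token for a plain GET on port 80; non-src types cannot match it."""
    negate, name = token.startswith("!"), token.lstrip("!")
    hit = name in src_acls and any(client in net for net in src_acls[name])
    return hit != negate

def decide(conf, client_ip):
    """First line whose ACLs all match wins; no match -> opposite of last action."""
    src_acls, rules = parse(conf)
    client = ipaddress.ip_address(client_ip)
    for idx, (action, tokens) in enumerate(rules, 1):
        if all(acl_matches(t, src_acls, client) for t in tokens):
            return action, idx
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def is_open_proxy(conf, probe="203.0.113.10"):
    """True when a probe address in no src ACL (TEST-NET-3) is still allowed."""
    return decide(conf, probe)[0] == "allow"
```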