<div dir="ltr"><p>I am new to Squid and I'm trying to use it in a simple test case of a pass-all transparent proxy.</p>
<p>My configuration is:
<code>Web-browser->Local_Server{eth0/port-443->(Transparent Proxy)->port-443/eth1}->{Internet}</code></p>
<p>Squid version: 3.5.25</p>
<p>Below are the <code>squid.conf</code> file contents and the outputs of the <code>iptables -nvL</code> and <code>iptables -nvL -t nat</code> commands.</p>
<p>When Squid is running, I expect to be able to browse to all websites. However, access to all websites is blocked?!</p><div><strong>squid.conf</strong> file content:</div><div><pre><code># 1) Visible hostname
visible_hostname ctct-r2
# Debugging
debug_options ALL,1 33,2 28,9
# Enable log
access_log daemon:/var/log/squid/access.log squid
# 2) Initialize SSL database
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
# Do not use caching
# cache_dir ufs /var/volatile/log/squid/logs 100 16 256
# 3) Listen to incoming HTTP traffic
http_port 3128
# 4) Listen for incoming HTTPS traffic and intercept it
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# 5) Pass the SSL (HTTPS) traffic transparently through
ssl_bump splice all
# 6) Allow all HTTP traffic
http_access allow all
# 7) Send out all traffic to Internet via given IP address
tcp_outgoing_address 10.3.19.150</code>
<strong># iptables -vnL</strong>
<code>Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1467 121K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 59 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 ctstate NEW
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
83243 15M APP_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
83243 15M OS_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
15 3195 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
64 3840 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- wlan1 wlan1 0.0.0.0/0 0.0.0.0/0
7 651 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
Chain OUTPUT (policy ACCEPT 915 packets, 82175 bytes)
pkts bytes target prot opt in out source destination
Chain APP_RULES (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain DEV_RULES (2 references)
pkts bytes target prot opt in out source destination
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1534
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2345
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1534
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2345
Chain EXTERNAL_RULES (2 references)
pkts bytes target prot opt in out source destination
83158 15M DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INTERNAL_RULES (2 references)
pkts bytes target prot opt in out source destination
4 269 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain OS_RULES (1 references)
pkts bytes target prot opt in out source destination
85 7424 DEV_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DEV_RULES all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
83 7304 INTERNAL_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 INTERNAL_RULES all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
83158 15M EXTERNAL_RULES all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 EXTERNAL_RULES all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
</code>
<strong># iptables -vnL -t nat</strong>
<code>Chain PREROUTING (policy ACCEPT 55227 packets, 10M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.3.19.150 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 10.3.19.150 0.0.0.0/0 tcp dpt:443
21 1260 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 3129
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain INPUT (policy ACCEPT 4 packets, 508 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 532 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth1 192.168.168.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * eth1 192.168.192.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * wlan0 192.168.168.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * wlan0 192.168.192.0/24 0.0.0.0/0
29 1372 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0</code></pre></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Budimir Miljković BSc E | He<br>Senior Development Engineer<br>Civil Construction Field Systems<br>Trimble<br><br>11-17 Birmingham Drive, Christchurch, Canterbury, 8024<br>New Zealand<br>+64 3 963-5550 Direct<br>+64 21 419-024 Mobile<br><br><a href="http://www.trimble.com" target="_blank">www.trimble.com</a></div></div></div>