<p dir="ltr">Hey,</p>
<p dir="ltr">Sorry I missed understand the scenario.<br>
For now lets assume the packets are routed to the proxy properly but, lets try to understand how do you route the traffic to the proxy?</p>
<p dir="ltr">Also what is defined on the proxy http_port </p>
<p dir="ltr">Are you using artica proxy?<br>
Where do you implement the iptables rules?</p>
<p dir="ltr">Eliezer </p>
<br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">בתאריך יום ג׳, 30 ביולי 2024, 23:54, מאת Bolinhas André <<a href="mailto:andre.bolinhas@articatech.com">andre.bolinhas@articatech.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div id="m_-3461540189663313630d_1722372854819" style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12.0pt;color:#1f497d"><br>
<p dir="ltr" style="margin-top:0;margin-bottom:0">Hi</p>
<br>
<p dir="ltr" style="margin-top:0;margin-bottom:0">Do you mean user this</p>
<p dir="ltr" style="margin-top:0;margin-bottom:0">iptables -t nat -I PREROUTING -s <a href="http://192.168.60.90/32" target="_blank" rel="noreferrer">192.168.60.90/32</a> -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination <a href="http://172.31.0.1:25976" target="_blank" rel="noreferrer">172.31.0.1:25976</a></p>
<p dir="ltr" style="margin-top:0;margin-bottom:0">iptables -t nat -I PREROUTING -s <a href="http://192.168.60.90/32" target="_blank" rel="noreferrer">192.168.60.90/32</a> -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination <a href="http://172.31.0.1:52406" target="_blank" rel="noreferrer">172.31.0.1:52406</a></p>
<br>
<p dir="ltr" style="margin-top:0;margin-bottom:0">Instead this</p>
<p dir="ltr" style="margin-top:0;margin-bottom:0">iptables -t nat -I PREROUTING -s <a href="http://192.168.60.90/32" target="_blank" rel="noreferrer">192.168.60.90/32</a> -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 25976</p>
<p dir="ltr" style="margin-top:0;margin-bottom:0">iptables -t nat -I PREROUTING -s <a href="http://192.168.60.90/32" target="_blank" rel="noreferrer">192.168.60.90/32</a> -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 52406</p>
<br>
<p dir="ltr" style="margin-top:0;margin-bottom:0">?</p>
<p dir="ltr" style="margin-top:0;margin-bottom:0">Do I also need some kind of</p>
<p dir="ltr" style="margin-top:0;margin-bottom:0">-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT</p>
<p dir="ltr" style="margin-top:0;margin-bottom:0">?</p>
<br>
<p dir="ltr" style="margin-top:0;margin-bottom:0">Best regards</p>
<div id="m_-3461540189663313630signature-x" style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12.0pt;color:#1f497d">Sent from <a href="http://www.9folders.com/" style="text-decoration:none;color:#009bdf" target="_blank" rel="noreferrer">Nine</a></div></div><div></div><div id="m_-3461540189663313630quoted_header" style="clear:both"><hr style="border:none;height:1px;color:#e1e1e1;background-color:#e1e1e1"><div style="border:none;padding:3.0pt 0cm 0cm 0cm"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif'"><b>De:</b> NgTech LTD <<a href="mailto:ngtech1ltd@gmail.com" target="_blank" rel="noreferrer">ngtech1ltd@gmail.com</a>><br><b>Enviado:</b> terça-feira, 30 de julho de 2024 14:44<br><b>Para:</b> Bolinhas André<br><b>Cc:</b> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br><b>Assunto</b> Re: [squid-users] IPTABLES - Can't redirect HTTPS traffic to external Squid<br></span></div></div><br type="attribution"></div><br><br><p dir="ltr">Hey,</p>
<p dir="ltr">The dnat rule should be done on the squid itsef.<br>
You will need to re-route the relevant traffic over the ipsec tunnel to the squid ip.<br>
It's possible to do that over ipip or gre tunnels.</p>
<p dir="ltr">Eliezer </p>
<br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">בתאריך יום ג׳, 30 ביולי 2024, 15:41, מאת Bolinhas André <<a href="mailto:andre.bolinhas@articatech.com" target="_blank" rel="noreferrer">andre.bolinhas@articatech.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div id="m_-3461540189663313630m_-1046075832628485133nine_body_n19103a-68fb8" dir="auto" style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12.0pt;line-height:1.3;color:#000000"><div dir="auto"><p style="color:#0c0d0e;background-color:#ffffff;font-weight:400;border:0px;padding:0px;margin:0px 0px 1.1em">I have a external proxy server connected by VPN (IPSEC) to my main branch, and i'm trying to redirect all users HTTP / HTTPS traffic to this proxy.</p><div dir="auto">Scenario Users -> Gateway (Main Branch) -> IPSEC -> Squid Proxy (transparent mode)</div><p style="color:#0c0d0e;background-color:#ffffff;font-weight:400;border:0px;padding:0px;margin:0px 0px 1.1em">In my Gateway (Main Branch) I have this test iptables rule, that is forwarding all the TPC / UDP traffic to the Proxy server.</p><pre style="color:#0c0d0e;background-color:var(--highlight-bg);font-weight:400;border:0px;padding:var(--su12);margin:0px 0px calc(1.5em);width:auto;max-height:600px"><code style="color:var(--black-600);background-color:transparent;font-weight:inherit;border:0px;padding:0px;margin:0px">iptables -t nat -I PREROUTING -s 192.168.60.90 -p tcp -j DNAT --to-destination 172.31.0.1
iptables -t nat -I PREROUTING -s 192.168.60.90 -p udp -j DNAT --to-destination 172.31.0.1
</code></pre><div dir="auto">In Squidd Proxy server I have the followed rules</div><pre style="color:#0c0d0e;background-color:var(--highlight-bg);font-weight:400;border:0px;padding:var(--su12);margin:0px 0px calc(1.5em);width:auto;max-height:600px"><code style="color:var(--black-600);background-color:transparent;font-weight:inherit;border:0px;padding:0px;margin:0px">iptables -t nat -I PREROUTING -s <a href="http://192.168.60.90/32" rel="noreferrer noreferrer" target="_blank">192.168.60.90/32</a> -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8081
iptables -t nat -I PREROUTING -s <a href="http://192.168.60.90/32" rel="noreferrer noreferrer" target="_blank">192.168.60.90/32</a> -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8080
</code></pre><div dir="auto">Everything is working correctly, HTTP traffic is ok, DNS are also working, the only exeption is the HTTPS traffic, I can see the HTTPS traffic inside the squid access.log but on client side I got a timeout</div><pre style="color:#0c0d0e;background-color:var(--highlight-bg);font-weight:400;border:0px;padding:var(--su12);margin:0px 0px calc(1.5em);width:auto;max-height:600px"><code style="color:var(--black-600);background-color:transparent;font-weight:inherit;border:0px;padding:0px;margin:0px">1722265740.867 1 192.168.60.90 TCP_TUNNEL/200 0 CONNECT <a href="http://cnn.com:443" rel="noreferrer noreferrer" target="_blank">cnn.com:443</a> - HIER_DIRECT/<a href="http://51.210.183.2:443" rel="noreferrer noreferrer" target="_blank">51.210.183.2:443</a> - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"
</code></pre><div dir="auto">Anyone can help me to understant if I'm missing so iptable rule to handle the HTTPS traffic?</div></div><div dir="auto"><br></div><div id="m_-3461540189663313630m_-1046075832628485133nine-sign-n19103a-68fb8" dir="auto"><div dir="auto">Sent from <a style="text-decoration:none;color:#009bdf" href="http://www.9folders.com/" rel="noreferrer noreferrer" target="_blank">Nine</a></div></div></div></div>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" rel="noreferrer noreferrer" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
</blockquote></div>