[squid-users] Transparent Squid Proxy Server
Klavs Klavsen
kl at vsen.dk
Tue Jun 2 13:20:03 UTC 2015
I have this in my squid server for it to work:
*mangle
:PREROUTING ACCEPT [190:618576]
:INPUT ACCEPT [190:618576]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [163:41506]
:POSTROUTING ACCEPT [166:42334]
-A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3129 -m comment --comment "002 drop squid direct traffic http - we only allow captured traffic" -j DROP
-A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3130 -m comment --comment "002 drop squid direct traffic https - we only allow captured traffic" -j DROP
COMMIT
# Completed on Wed Apr 1 10:28:22 2015
# Generated by iptables-save v1.4.21 on Wed Apr 1 10:28:22 2015
*nat
:PREROUTING ACCEPT [1:36]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [30:2079]
:POSTROUTING ACCEPT [30:2079]
-A PREROUTING -s $myip/32 -p tcp -m multiport --dports 80 -m comment --comment "000 allow squid http - so its traffic does not get captured" -j ACCEPT
-A PREROUTING -s $myip/32 -p tcp -m multiport --dports 443 -m comment --comment "000 allow squid https - so its traffic does not get captured" -j ACCEPT
-A PREROUTING -p tcp -m multiport --dports 80 -m comment --comment "001 capture http to squid" -j DNAT --to-destination $myip:3129
-A PREROUTING -p tcp -m multiport --dports 443 -m comment --comment "001 capture https to squid" -j DNAT --to-destination $myip:3130
COMMIT
# Completed on Wed Apr 1 10:28:22 2015
# Generated by iptables-save v1.4.21 on Wed Apr 1 10:28:22 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
-A INPUT -p tcp -m multiport --ports 3129 -m comment --comment "000 allow squid http intercept" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 3130 -m comment --comment "000 allow squid https intercept" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 3128 -m comment --comment "000 allow squid proxy" -j ACCEPT
and squid conf (mind you - squid 3.4)
ssl_bump server-first all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_children 8 startup=1 idle=1
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ca.private cert=/etc/squid/ca.cert
shutdown_lifetime 3
always_direct allow all
sslproxy_cert_error allow all
http_port 3129 intercept
Reet Vyas wrote on 06/02/2015 02:31 PM:
> I am trying to configure a transparent squid proxy on Ubuntu 14.04 Server,
> and I am using squid version 3.3.
>
> My Lan and Wan settings
>
> eth0 Link encap:Ethernet HWaddr 00:1e:67:cf:59:74
> inet addr:116.72.*.* Bcast:116.72.155.255 Mask:255.255.252.0
> inet6 addr: fe80::21e:67ff:fecf:5974/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:238950 errors:0 dropped:0 overruns:0 frame:0
> TX packets:236104 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:22219047 (22.2 MB) TX bytes:17390502 (17.3 MB)
> Interrupt:16 Memory:d0a00000-d0a20000
>
> eth1 Link encap:Ethernet HWaddr 00:1e:67:cf:59:75
> inet addr:192.168.0.200 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::21e:67ff:fecf:5975/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:96965 errors:0 dropped:0 overruns:0 frame:0
> TX packets:11785 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:10764615 (10.7 MB) TX bytes:7151763 (7.1 MB)
> Interrupt:17 Memory:d0900000-d0920000
>
> my squid.conf file
>
> acl mynet src 116.72.152.37 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow mynet
> http_access allow localhost
> http_access allow all
> http_port 3128
> cache_dir ufs /usr/local/cache 10000 16 256
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200
> refresh_pattern . 0 20% 4320
>
>
> but when I use 192.168.0.200 in my client machine as gateway ...
> internet is not working and I can't see logs in access.log
>
> But when I use this IP in my browser it is working and showing logs, but
> with my TP-Link router gateway, i.e. 192.168.0.1.
>
> IPTable rules:
> num target prot opt source destination
> 1 DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.0.200:3128
> 2 REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
>
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> num target prot opt source destination
>
>
> Please tell me what I am missing in IPtables and squid3 configuration.
> I tried both the transparent as well as the intercept option, but I think I have
> an issue with iptables, or maybe a configuration issue.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
--
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
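The posted nat table depends on rule order: the "000 allow squid" exemptions for the proxy's own address must sit before the "001 capture" DNAT rules, or the capture rule matches first. The following is an added example, not code from the thread or from the Squid project: a small parser for the iptables-save format quoted above plus a checker for that ordering. The sample dump is a constructed copy of the posted nat table with 192.0.2.10 standing in for $myip; the function names are this example's own.

```python
"""Check an iptables-save dump for the transparent-Squid capture ordering.

Added example (not from the squid-users thread): parses iptables-save text
and verifies, per captured port, that a DNAT capture rule exists and that any
ACCEPT rule exempting the proxy's own source address precedes it.
"""
import shlex

# Constructed sample modelled on the posted nat table; 192.0.2.10 is a
# placeholder for the poster's $myip.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [1:36]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [30:2079]
:POSTROUTING ACCEPT [30:2079]
-A PREROUTING -s 192.0.2.10/32 -p tcp -m multiport --dports 80 -m comment --comment "000 allow squid http - so its traffic does not get captured" -j ACCEPT
-A PREROUTING -s 192.0.2.10/32 -p tcp -m multiport --dports 443 -m comment --comment "000 allow squid https - so its traffic does not get captured" -j ACCEPT
-A PREROUTING -p tcp -m multiport --dports 80 -m comment --comment "001 capture http to squid" -j DNAT --to-destination 192.0.2.10:3129
-A PREROUTING -p tcp -m multiport --dports 443 -m comment --comment "001 capture https to squid" -j DNAT --to-destination 192.0.2.10:3130
COMMIT
"""

# Options whose following token we keep when parsing a rule line.
_VALUE_OPTS = ("-s", "-d", "-p", "-j", "--dports", "--ports",
               "--to-destination", "--comment")


def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}} from iptables-save output."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # table header, e.g. *nat
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):               # chain policy line
            tables[table][line[1:].split()[0]] = []
        elif line.startswith("-A "):             # append-rule line
            tokens = shlex.split(line)           # keeps quoted --comment intact
            rule = {"chain": tokens[1], "raw": line}
            for i, tok in enumerate(tokens[:-1]):
                if tok in _VALUE_OPTS:
                    rule[tok] = tokens[i + 1]
            tables[table].setdefault(rule["chain"], []).append(rule)
    return tables


def check_capture_order(tables, proxy_ip, ports=("80", "443")):
    """Return a list of problems found in nat PREROUTING for each port.

    Handles comma-separated multiport lists as well as single ports.
    """
    problems = []
    rules = tables.get("nat", {}).get("PREROUTING", [])

    def matches_port(rule, port):
        return port in rule.get("--dports", "").split(",")

    for port in ports:
        dnat_idx = next((i for i, r in enumerate(rules)
                         if r.get("-j") == "DNAT" and matches_port(r, port)), None)
        if dnat_idx is None:
            problems.append(f"port {port}: no DNAT capture rule")
            continue
        exempt_idx = [i for i, r in enumerate(rules)
                      if r.get("-j") == "ACCEPT" and matches_port(r, port)
                      and r.get("-s", "").split("/")[0] == proxy_ip]
        if not exempt_idx:
            problems.append(f"port {port}: no ACCEPT exemption for {proxy_ip}")
        elif min(exempt_idx) > dnat_idx:
            problems.append(f"port {port}: exemption placed after the DNAT rule")
    return problems


def reversed_sample(text=SAMPLE_NAT):
    """Constructed misordering of the sample: DNAT rules before exemptions."""
    lines = text.splitlines()
    rules = [l for l in lines if l.startswith("-A ")]
    others = [l for l in lines if not l.startswith("-A ")]
    dnat = [l for l in rules if "-j DNAT" in l]
    accept = [l for l in rules if l not in dnat]
    commit = others.index("COMMIT")
    return "\n".join(others[:commit] + dnat + accept + others[commit:]) + "\n"


if __name__ == "__main__":
    for label, dump in (("posted order", SAMPLE_NAT),
                        ("reversed order", reversed_sample())):
        result = check_capture_order(parse_iptables_save(dump), "192.0.2.10")
        print(label, "->", result or "OK")
```

Feed it `iptables-save` output from the proxy host and the proxy's own address; an empty list means the capture rules are ordered as in the post, while the reversed sample shows the message you get when the exemption is appended after the DNAT rule.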