[squid-users] Mikrotik and Squid Transparent

Alex Samad alex at samad.com.au
Thu Jun 25 00:45:20 UTC 2015


Hi

Why this? Doesn't this block all traffic getting to the squid port?
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP


What I would do to test is run tcpdump on the squid box and capture
all traffic coming to it on the squid listening port, then go to a
test machine on the eth or wireless and do a telnet google.com 80 and
see what you get on the squid box.

Make sure your src and dst addresses are right, then check the squid logs.

I presume you can get to the internet from the squid box?



On 24 June 2015 at 22:30, Dalmar <maamule10 at gmail.com> wrote:
> Squid 3.3.8 and Ubuntu 15.04 Server
>
> 2015-06-24 15:04 GMT+03:00 Yuri Voinov <yvoinov at gmail.com>:
>>
>> Squid 3.5.x?
>>
>> 24.06.15 18:03, Dalmar wrote:
>>
>> Hi,
>> For over two weeks I have been having a real headache configuring Squid
>> transparent/intercept.
>> I have tried different options and configurations but I couldn't get it to
>> work.
>> I think the problem lies in the iptables / NAT but I really couldn't
>> solve it.
>> I have tried different iptables rules including the intercept LinuxDnat /
>> sysctl configuration, but it didn't work.
>>
>> # your proxy IP
>> SQUIDIP=X.X.X.X
>>
>> # your proxy listening port
>> SQUIDPORT=XXXX
>>
>>
>> iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
>> $SQUIDIP:$SQUIDPORT
>> iptables -t nat -A POSTROUTING -j MASQUERADE
>> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>>
>>
>> I have to say that Squid works well when I configure it in the client
>> browsers.
>>
>> At the Mikrotik side, I am using DST-NAT chain, port 80, protocol TCP, action
>> DST-NAT to address SquidIP and port.
>>
>> I am using Ubuntu Server 15.04 with Squid 3.3.8, and this is my
>> configuration and the errors I get:
>>
>>
>>        ------ eth0 WAN <----- MAIN WAN Public IP Internet
>> MK ---|------ eth1 LAN
>>        ------ eth2 Proxy
>>
>>           ------ eth0 WAN ---> Public IP --> Internet --> gets internet from 24online / another Mikrotik
>> Squid ---|------ eth1 Proxy
>>           ------ eth2 webmin --> For server Management
>>
>>
>> - error1: if no intercept/transparent and no iptables is configured
>>   - Invalid URL - The requested URL could not be retrieved
>>   - but if the proxy is configured in the user browser, it works!
>>
>>
>> - error2: if intercept and iptables DNAT is configured
>>   - Access Denied, and in the access log TCP_MISS/403
>>   - no forward proxy port configured
>>   - security alert: host header forgery detected on local=SquidIP:8080
>>     remote=mikrotikIP (local IP does not match any domain name)
>>   - warning: forwarding loop detected (X-Forwarded-For: mikrotik LAN IP)
>>
>> squid.conf
>>
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> http_port 8080
>> http_port 8181
>> cache_mem 2000 MB
>> cache_dir ufs /var/spool/squid3 100000 16 256
>> coredump_dir /var/spool/squid3
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
>> refresh_pattern . 0 20% 4320
>> cache_effective_user proxy
>> cache_effective_group proxy
>>
>> ----------------------------------------
>> I am really confused; can anyone guide me, please?
>> Thanks in advance.
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
>>
>>
>
>
>
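The checks Alex suggests, as an added offline example that is not code from this thread or from the Squid project: a POSIX shell script that lints the iptables commands as typed, the http_port lines of squid.conf and an excerpt of cache.log for the pitfalls discussed above, namely a DROP rule on the Squid port (which discards the very packets the DNAT rule just redirected), a redirected port declared without the `intercept` mode flag that Squid's interception documentation requires on the receiving http_port, and the host header forgery / forwarding loop messages. The IPs, the port 8080 and every line of input below are constructed samples standing in for the X.X.X.X placeholders in the post; point the three variables at the real rule set, squid.conf and cache.log to get the same report for a live box.

```shell
#!/bin/sh
# Added example, not code from the thread: offline sanity checks for the
# transparent-Squid pieces quoted above. All inputs are constructed samples;
# the IPs and port 8080 are assumptions matching "SquidIP:8080" in the post.

SQUIDPORT=8080          # assumption: port Squid listens on
SQUIDIP=10.0.0.2        # assumption: stands in for X.X.X.X

# Constructed copy of the posted rules with the variables expanded.
RULES="iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP"

# Constructed excerpt of the posted squid.conf: plain ports, no mode flag.
SQUIDCONF="http_port 8080
http_port 8181
http_access deny all"

# Constructed cache.log lines mirroring the two messages quoted in the post.
CACHELOG="2015/06/24 15:04:10 kid1| SECURITY ALERT: Host header forgery detected on local=$SQUIDIP:$SQUIDPORT remote=10.0.0.1:51234 (local IP does not match any domain IP)
2015/06/24 15:04:10 kid1| WARNING: Forwarding loop detected for:
2015/06/24 15:04:11 kid1| storeDirWriteCleanLogs: Starting..."

# count_drop_rules PORT RULES
# Number of rules that jump to DROP for TCP traffic whose --dport is PORT.
count_drop_rules() {
  printf '%s\n' "$2" | awk -v p="$1" '
    / -j DROP/ && $0 ~ ("--dport " p "([^0-9]|$)") { n++ }
    END { print n + 0 }'
}

# count_intercept_ports PORT CONF
# Number of http_port lines for PORT (bare or ip:port) carrying "intercept".
count_intercept_ports() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "http_port" && $2 ~ ("(^|:)" p "$") {
      for (i = 3; i <= NF; i++) if ($i == "intercept") n++
    }
    END { print n + 0 }'
}

# count_symptoms LOG
# Number of cache.log lines carrying either symptom reported in the thread.
count_symptoms() {
  printf '%s\n' "$1" | grep -c -E 'Host header forgery detected|Forwarding loop detected'
}

# check_setup PORT RULES CONF LOG
# Prints one OK/FAIL line per check; returns 0 only when all checks pass.
check_setup() {
  rc=0
  if [ "$(count_drop_rules "$1" "$2")" -gt 0 ]; then
    echo "FAIL: a rule DROPs TCP traffic to port $1, so redirected clients never reach Squid"; rc=1
  else
    echo "OK:   no DROP rule for port $1"
  fi
  if [ "$(count_intercept_ports "$1" "$3")" -eq 0 ]; then
    echo "FAIL: no 'http_port $1 intercept' line; DNAT'd requests arrive on a forward-proxy port"; rc=1
  else
    echo "OK:   port $1 is declared with intercept"
  fi
  if [ "$(count_symptoms "$4")" -gt 0 ]; then
    echo "FAIL: cache.log shows host header forgery / forwarding loop messages"; rc=1
  else
    echo "OK:   no interception symptoms in cache.log"
  fi
  return $rc
}

if check_setup "$SQUIDPORT" "$RULES" "$SQUIDCONF" "$CACHELOG"; then
  echo "all checks passed"
else
  echo "setup has problems; fix the FAIL lines, then re-run Alex's tcpdump test"
fi
```

Run against the samples above it reports all three FAIL lines; run against a rule set that uses REDIRECT/DNAT without a DROP, a conf with `http_port PORT intercept` and a clean cache.log it reports OK throughout.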

