[squid-users] Squid as gateway
Amos Jeffries
squid3 at treenet.co.nz
Fri Jul 21 13:18:52 UTC 2017
On 21/07/17 07:07, erdosain9 wrote:
> Hi, and thank you all.
>
> Well this is the diagram.
>
>
>
> INTERNET
> +
> +
> FIREWALL (10.1.158.1/24)
> +
> +
> +
> SQUID (2 interfaces) 10.1.158.2/24
> 192.168.1.20/24
This machine called SQUID need to be configured as a router.
You mentioned the GW route for the device below, but what are the two GW
routes (10/8 gw ??? , and 192.168/16 gw ???) this SQUID machine should have?
> +
> +
> ROUTERWIFI( WAN----static ip 192.168.1.40/24 gw 192.168.1.20) LAN
> 192.168.0.1/24)
That looks okay.
But double-check that this machine is *NOT* performing NAT on any of the
outgoing packets sent to 192.168.1.20.
>
> squid config:
>
> acl red1 src 192.168.1.0/24
That permits the ROUTERWIFI machine to send traffic from itself (only)
to Squid. Such traffic should be an extreme rarity - usually just you
testing HTTP connectivity from that machine manually.
This Squid should be expecting to receive traffic from 192.168.0.0/24
machines. If you do not change this I expect you will start to see
DENIED lines being logged by Squid when you fix the packet arrival problem.
>
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl SSL_ports port 8080
> acl SSL_ports port 20000
> acl SSL_ports port 10000
> acl SSL_ports port 2083
>
> acl Safe_ports port 631 # httpCUPS
> acl Safe_ports port 85
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 8443 # httpsalt
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080 # edesur y otros
NP: those 8080 and 8443 are included in the 1025-65535 entry above.
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localhost
> http_access allow red1
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 192.168.1.20:3128
> http_port 192.168.1.20:3129 intercept
You should not have to specify any IP address here.
eg.
http_port 3128
http_port 3129 intercept
Squid will then be able to receive the NAT'd traffic no matter what
system NAT rules contain.
>
...
> #Your refresh_pattern
> refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
> ignore-private
NP: ignore-no-cache is no longer existing.
SECURITY WARNING: using ignore-no-store for images will cache Captcha
images, user avatar icons, personal content from private accounts (think
snapchat and facebook photos type of stuff).
ignore-private is not so bad in the latest Squid releases as it used
to be, but it will not cause much of a HIT ratio increase over default
behaviour either.
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> dns_nameservers 8.8.8.8 8.8.4.4
Use of 8.8.8.8 and 8.8.4.4 in a Squid which is intercepting traffic
causes a lot of problems - mostly in the form of "Host verify" security
alerts and major reduction in HTTP traffic caching.
To work around those problems you need a local DNS server which both
your client machines and Squid use for recursive resolving. That DNS
server can use 8.8.8.8 and 8.8.4.4 as its upstream forwarders if you
actually still need it - having your own local resolver pretty much
obsoletes all the benefits 8.8.8.8 claim to provide.
>
> -----------------------------------------------------------------------
>
> I probe this, nothing work..............
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
> iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
> 192.168.1.20:3129
> iptables -t nat -A POSTROUTING -j MASQUERADE
> iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
>
> ------------------------------------------------------------------------------------------------------------------------------------------------
>
> iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
> iptables -t nat -A POSTROUTING -j MASQUERADE
> iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
>
> -----------------------------------------------------------------------------------------------------------------------------------------------
>
Both of those look fine for the NAT rules on SQUID box - they only do
the NAT part, not any of the packet routing.
The problem I think is in the routing setup on the SQUID machine, and
maybe the ROUTERWIFI.
Amos
More information about the squid-users
mailing list