[squid-users] 4.0.21 Ssl bump access denied
Amos Jeffries
squid3 at treenet.co.nz
Mon Nov 13 04:04:49 UTC 2017
On 13/11/17 01:25, snable snable wrote:
> Access.log brings for www.heise.de on https
>
> NECT 192.168.1.222:443 - HIER_NONE/- -
> 1510489280.731 2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
> 1510489280.836 1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html
ORIGINAL_DST is the server IP your system NAT tables say the client is
connecting to.
So the above means the NAT system is intercepting the client at
192.168.1.200 connecting to the webserver at 192.168.1.222:443.
>
> On 12.11.2017 12:46 "snable snable" wrote:
>
> Hey
>
> thanks:
>
> I post in detail
>
> I have an OpenWrt box. Clients are attached there to the
> 192.168.2.0/24 network via NAT. I attached the router as a WAN device
> on my 192.168.1.0/24 network with 192.168.1.254 as my internet gateway.
>
> I have a Squid box with Squid 4 running on ports 3128, 3129 and 3130.
> I forward the traffic from the OpenWrt via:
>
> iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s 192.168.1.222
> iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
> iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 443 -s 192.168.1.222
> iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 443
> ip rule add fwmark 3 table 2
> ip route add default via 192.168.1.222 dev eth0.2 table 2
>
> On the Squid box I redirected it via
>
> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
There are no rules above preventing the NAT system intercepting the
Squid outbound traffic.
Please see the iptables rules documented at:
<https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>.
-j ACCEPT in the *mangle* table only means iptables does not do your
MARKing. It has no effect on these NAT table operations.
Amos
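An added example (not from this thread or the Squid project) of the rule ordering Amos points at: the box doing the REDIRECT must exempt Squid's own outbound connections in the *nat* table, before the REDIRECT rules, or the proxy's traffic to origin servers is looped back into its own intercept ports. It assumes the Squid IP and interface from the thread, that Squid runs as the `proxy` account, and that 3128/3129 are intercept-only ports; it prints the rule set for review instead of applying it.

```shell
#!/bin/sh
# Added example: generate a Squid interception rule set that exempts the
# proxy's own outbound traffic from NAT. Values below are assumptions.
SQUID_IP="${SQUID_IP:-192.168.1.222}"   # Squid box address (from the thread)
LAN_IF="${LAN_IF:-eth0}"                # interface facing the clients (from the thread)
SQUID_USER="${SQUID_USER:-proxy}"       # assumed: account Squid runs as

# Print the rules rather than apply them, so the set can be reviewed first.
squid_intercept_rules() {
    cat <<EOF
# nat table: exempt Squid's own outbound traffic BEFORE any REDIRECT rule.
# An ACCEPT here ends nat processing for the packet; an ACCEPT in the
# mangle table only skips the MARK rules and does not affect NAT.
iptables -t nat -A PREROUTING -i $LAN_IF -s $SQUID_IP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF -s $SQUID_IP -p tcp --dport 443 -j ACCEPT
# Locally generated packets traverse nat OUTPUT, not PREROUTING, so when
# Squid runs on this box exempt the proxy account there as well.
iptables -t nat -A OUTPUT -m owner --uid-owner $SQUID_USER -j ACCEPT
# Only now redirect intercepted client traffic to the intercept ports.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 443 -j REDIRECT --to-port 3129
# Refuse direct (non-intercepted) connections to the intercept-only ports.
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 3128 -j DROP
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 3129 -j DROP
EOF
}

# Sanity check: every nat exemption must appear before the first REDIRECT,
# since iptables evaluates a chain top to bottom and stops at the first match.
exemptions_precede_redirect() {
    squid_intercept_rules | grep -v '^#' | awk '
        /-j ACCEPT/   { if (seen_redirect) bad = 1 }
        /-j REDIRECT/ { seen_redirect = 1 }
        END { exit bad }'
}

squid_intercept_rules
```

Pipe the output into `sh` as root only after reviewing it; the check function returns non-zero if the ordering is ever broken by a later edit.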