[squid-users] Squid not working properly ...
Bud Miljkovic
bud_miljkovic at trimble.com
Wed Oct 18 03:32:21 UTC 2023
I have now made some changes based on suggestions from the community and
would like a second look from the more experienced people.
Here is my squid configuration file:
```
visible_hostname ctct-r2
# 2) Initialize SSL database first
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
# 3) An ACL named 'whitelist' (the file path must be double-quoted for Squid to read it as a list)
acl whitelist dstdomain "/etc/squid/whitelist.ota"
# 4) Allow whitelisted URLs through
http_access allow whitelist
# 5) Listen to incoming HTTP traffic
http_port 3128
# 6) Block the rest
http_access deny all
# 7) Listen for incoming HTTPS traffic and intercept it
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# 8) Pass the SSL (HTTPS) traffic transparently through
ssl_bump splice all
# 9) Send out all HTTPS traffic to destination server via given IP address
tcp_outgoing_address 10.3.19.150
```
And here are the iptables settings:

NAT table:
```
# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 9094 packets, 1823K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.3.19.150          0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       10.3.19.150          0.0.0.0/0            tcp dpt:443
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 1 packets, 70 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9 packets, 627 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 9 packets, 627 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth1    192.168.168.0/24     0.0.0.0/0
    0     0 MASQUERADE all  --  *      eth1    192.168.192.0/24     0.0.0.0/0
    0     0 MASQUERADE all  --  *      wlan0   192.168.168.0/24     0.0.0.0/0
    0     0 MASQUERADE all  --  *      wlan0   192.168.192.0/24     0.0.0.0/0
```
Mangle table:
```
# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 12117 packets, 2382K bytes)
 pkts bytes target     prot opt in     out     source               destination
   16   960 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain INPUT (policy ACCEPT 11861 packets, 2319K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 451 packets, 47694 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 451 packets, 47694 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Routing table:
```
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3843  304K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    59 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW
   33  2285 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
91160   17M APP_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
91160   17M OS_RULES   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   15  3195 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   75  4508 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  wlan1  wlan1   0.0.0.0/0            0.0.0.0/0
    7   739 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable

Chain OUTPUT (policy ACCEPT 523 packets, 54506 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      eth1    10.3.19.150          0.0.0.0/0            <<<--------------

Chain APP_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain DEV_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
    6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1534
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2345
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1534
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2345

Chain EXTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
90961   17M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source               destination
   95  5676 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    5  1592 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    1   328 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain OS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
  199 15779 DEV_RULES  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DEV_RULES  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
  193 15419 INTERNAL_RULES  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 INTERNAL_RULES  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
90961   17M EXTERNAL_RULES  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 EXTERNAL_RULES  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
```
I am now getting something related to my testing expectation, but there are problems like the following:
```
15:05:58.464105 IP (tos 0x0, ttl 64, id 33640, offset 0, flags [DF], proto UDP (17), length 70)
    10.3.19.150.55834 > 10.3.30.20.domain: [udp sum ok] 31312+ A? api.globalota.limios.net. (42)
....
15:05:58.810877 IP (tos 0xc0, ttl 64, id 32951, offset 0, flags [none], proto ICMP (1), length 209)
    10.3.19.150 > 10.3.0.124: ICMP 10.3.19.150 udp port 55834 unreachable, length 189
```
Any hint would be appreciated.
Also, there is a configuration in the chain OUTPUT policy marked with the "<<<-------------" string above, which I am not sure about.
Cheers,
Buda
--
11-17 Birmingham Drive, Christchurch, Canterbury, 8024
New Zealand
+64 3 963-5550 Direct
+64 21 419-024 Mobile
www.trimble.com
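The tcpdump excerpt in the post shows a DNS query leaving the proxy host from source port 55834 and, a third of a second later, the proxy host itself emitting an ICMP port-unreachable for that same port. The script below is an added example for this thread (editor's code, not from the original post and not Squid or iptables code): it parses records in `tcpdump -v` format, pairs each UDP port-unreachable with the outstanding DNS query on that port, and reports whether the host whose datagram was rejected is the resolver the query was actually sent to. The sample input is the post's two records, re-joined onto the lines tcpdump prints and embedded here as constructed data; the regular expressions assume tcpdump's default verbose text format.

```python
"""Correlate tcpdump DNS queries with ICMP port-unreachable messages.

Added example for the squid-users thread; not Squid or iptables code.
Given tcpdump -v text, it pairs every "udp port N unreachable" with the
DNS query that used source port N and reports whether the rejected
datagram came from the resolver the query was sent to.
"""
import re

# Constructed sample: the two records quoted in the post, on tcpdump's own lines.
SAMPLE = (
    "15:05:58.464105 IP (tos 0x0, ttl 64, id 33640, offset 0, flags [DF], proto UDP (17), length 70)\n"
    "    10.3.19.150.55834 > 10.3.30.20.domain: [udp sum ok] 31312+ A? api.globalota.limios.net. (42)\n"
    "15:05:58.810877 IP (tos 0xc0, ttl 64, id 32951, offset 0, flags [none], proto ICMP (1), length 209)\n"
    "    10.3.19.150 > 10.3.0.124: ICMP 10.3.19.150 udp port 55834 unreachable, length 189\n"
)

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "client.sport > resolver.domain: ... <txid>+ <qtype>? <qname> (len)"
DNS_QUERY_RE = re.compile(
    rf"(?P<src>{IP})\.(?P<sport>\d+) > (?P<resolver>{IP})\.(?:domain|53): "
    rf".*?(?P<txid>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)"
)
# "sender > peer: ICMP host udp port N unreachable" -- sent by 'sender' to 'peer',
# telling 'peer' that its datagram to host:N was refused.
ICMP_UNREACH_RE = re.compile(
    rf"(?P<sender>{IP}) > (?P<peer>{IP}): ICMP (?P<host>{IP}) udp port (?P<port>\d+) unreachable"
)


def split_records(text):
    """Group tcpdump -v output into one string per packet.

    A record starts with a timestamp; any following non-timestamp line
    (indented in real output, possibly not after e-mail wrapping) belongs
    to the same packet and is appended to it.
    """
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def analyze(text):
    """Return one finding per ICMP port-unreachable that names a seen DNS query's source port."""
    queries = {}   # (client ip, source port) -> query details
    findings = []
    for rec in split_records(text):
        if (m := DNS_QUERY_RE.search(rec)):
            queries[(m["src"], int(m["sport"]))] = {
                "qname": m["qname"], "qtype": m["qtype"],
                "txid": int(m["txid"]), "resolver": m["resolver"],
            }
            continue
        if (m := ICMP_UNREACH_RE.search(rec)):
            key = (m["host"], int(m["port"]))
            q = queries.get(key)
            if q is None:
                continue  # unreachable for a port no query in this capture used
            findings.append({
                "client": key[0], "port": key[1],
                "qname": q["qname"], "resolver": q["resolver"],
                # The ICMP is addressed to whoever sent the rejected datagram.
                "rejected_peer": m["peer"],
                "peer_matches_resolver": m["peer"] == q["resolver"],
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        verdict = ("reply from the queried resolver was rejected"
                   if f["peer_matches_resolver"]
                   else "datagram from a host other than the queried resolver was rejected")
        print(f"{f['qname']} via {f['resolver']}: {verdict} "
              f"(peer {f['rejected_peer']}, client port {f['port']})")
```

On the sample the single finding says the query went to 10.3.30.20 but the datagram that was refused on port 55834 came from 10.3.0.124. A UDP packet arriving from an address other than the one the query was sent to does not match the query's conntrack entry, so the `ctstate RELATED,ESTABLISHED` rule at the top of the INPUT chain does not accept it, and with no later rule admitting it the chain's `REJECT udp ... icmp-port-unreachable` rule produces exactly the ICMP seen in the capture. For live traffic, feed the script the output of `tcpdump -nv 'udp port 53 or icmp'` on the interface facing the resolver.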