[squid-users] IPTABLES - Can't redirect HTTPS traffic to external Squid

NgTech LTD ngtech1ltd at gmail.com
Tue Jul 30 21:27:11 UTC 2024


Hey,

Sorry, I misunderstood the scenario.
For now let's assume the packets are routed to the proxy properly, but let's
try to understand: how do you route the traffic to the proxy?

Also, what is defined on the proxy's http_port?

Are you using artica proxy?
Where do you implement the iptables rules?

Eliezer

On Tue, 30 Jul 2024, 23:54, Bolinhas André <andre.bolinhas at articatech.com> wrote:

>
> Hi
>
> Do you mean use this
>
> iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport
> 443 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination
> 172.31.0.1:25976
>
> iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport
> 80 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination
> 172.31.0.1:52406
>
> Instead of this
>
> iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport
> 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 25976
>
> iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport
> 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 52406
>
> ?
>
> Do I also need some kind of
>
> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> ?
>
> Best regards
> Sent from Nine <http://www.9folders.com/>
> ------------------------------
> *From:* NgTech LTD <ngtech1ltd at gmail.com>
> *Sent:* Tuesday, 30 July 2024 14:44
> *To:* Bolinhas André
> *Cc:* squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] IPTABLES - Can't redirect HTTPS traffic to
> external Squid
>
>
>
> Hey,
>
> The DNAT rule should be done on the Squid itself.
> You will need to re-route the relevant traffic over the ipsec tunnel to
> the squid ip.
> It's possible to do that over ipip or gre tunnels.
>
> Eliezer
>
> On Tue, 30 Jul 2024, 15:41, Bolinhas André <andre.bolinhas at articatech.com> wrote:
>
>> I have an external proxy server connected by VPN (IPsec) to my main
>> branch, and I'm trying to redirect all users' HTTP / HTTPS traffic to this
>> proxy.
>> Scenario: Users -> Gateway (Main Branch) -> IPsec -> Squid Proxy
>> (transparent mode)
>>
>> In my Gateway (Main Branch) I have this test iptables rule, which is
>> forwarding all the TCP / UDP traffic to the proxy server.
>>
>> iptables -t nat -I PREROUTING -s 192.168.60.90 -p tcp -j DNAT --to-destination 172.31.0.1
>> iptables -t nat -I PREROUTING -s 192.168.60.90 -p udp -j DNAT --to-destination 172.31.0.1
>>
>> On the Squid proxy server I have the following rules:
>>
>> iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8081
>> iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8080
>>
>> Everything is working correctly: HTTP traffic is OK, DNS is also
>> working; the only exception is the HTTPS traffic. I can see the HTTPS
>> traffic in the Squid access.log, but on the client side I get a timeout:
>>
>> 1722265740.867      1 192.168.60.90 TCP_TUNNEL/200 0 CONNECT cnn.com:443 - HIER_DIRECT/51.210.183.2:443 - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"
>>
>> Can anyone help me understand if I'm missing some iptables rule to handle
>> the HTTPS traffic?
>>
>> Sent from Nine <http://www.9folders.com/>
>>
>
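As an added example (not from the thread or from Squid itself), a small Python helper that parses Squid native-format access.log lines like the one quoted above and flags CONNECT requests logged as TCP_TUNNEL/200 that relayed zero bytes back to the client, the pattern that appears when the proxy records the request but the client times out. The first sample line is the entry from the thread; the other two are constructed for contrast, and the field layout assumes Squid's default native logformat.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in Squid native access.log format. The first line is the
# CONNECT entry quoted in the thread (it carries extra logformat fields at the
# end); the other two are made-up entries for comparison.
SAMPLE_LOG = """\
1722265740.867      1 192.168.60.90 TCP_TUNNEL/200 0 CONNECT cnn.com:443 - HIER_DIRECT/51.210.183.2:443 - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"
1722265741.120   3180 192.168.60.90 TCP_TUNNEL/200 5121 CONNECT example.org:443 - HIER_DIRECT/203.0.113.7:443 -
1722265742.004     45 192.168.60.90 TCP_MISS/200 2048 GET http://example.org/ - HIER_DIRECT/203.0.113.7 text/html
"""

@dataclass
class Entry:
    ts: float          # UNIX time the request completed
    duration_ms: int   # how long Squid held the client connection
    client: str
    result: str        # e.g. TCP_TUNNEL, TCP_MISS
    status: int        # HTTP status Squid returned to the client
    size: int          # bytes sent back to the client (0 = nothing relayed)
    method: str
    url: str
    hierarchy: str     # e.g. HIER_DIRECT/51.210.183.2:443

def parse_line(line: str) -> Entry:
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]), f[5], f[6], f[8])

def parse_log(text: str) -> List[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def find_empty_tunnels(text: str) -> List[Entry]:
    """CONNECT requests Squid logged as an established tunnel that carried no
    bytes back to the client: the proxy saw the request, but nothing flowed
    end to end (access.log shows the hit, the client sees a timeout)."""
    return [e for e in parse_log(text)
            if e.method == "CONNECT" and e.result == "TCP_TUNNEL" and e.size == 0]

def summarize(text: str) -> Dict[str, Tuple[int, int]]:
    """Per client: (CONNECT tunnels seen, tunnels that relayed zero bytes)."""
    out: Dict[str, List[int]] = {}
    for e in parse_log(text):
        if e.method != "CONNECT":
            continue
        t = out.setdefault(e.client, [0, 0])
        t[0] += 1
        if e.result == "TCP_TUNNEL" and e.size == 0:
            t[1] += 1
    return {c: (t[0], t[1]) for c, t in out.items()}
```

Run `find_empty_tunnels` over a real access.log and a client whose tunnels are all zero-byte is a strong hint that the return path from the proxy to that client (rather than the REDIRECT/DNAT on the request side) is what to check.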