Re: [squid-users] Squid 3 proxy server (non transparent) - Deny Google Talk Port

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 30 Jun 2009 15:21:49 +1200

On Tue, 30 Jun 2009 11:53:03 +1000, Johannes Sidarta <jo.sidarta_at_gmail.com>
wrote:
> Hi all,
> At the moment I'm using 2 NIC (1 for external connected to ADSL modem
> / router) and 1 for internal network.
> External ethernet = eth0 (192.168.1.4)
> Internal ethernet = eth1 (192.168.0.4)
> Client IP = 192.168.0.20
>
> I've installed Squid3 proxy server and use non-transparent mode. I've
> opened port 5222 (for GChat). I also configured the Google Chat software to
> use HTTP Proxy: 192.168.0.4:8090; I'm still unable to connect to Google
> Chat.
>
> This is snippet of my squid.conf:
> http_port 8090
> ...
> logformat LOGS (%{%d/%b %H:%M:%S}tl) (%Ss/%Hs/%Sh) (%>a=>%la) (%ru)
> %mt-%<stbytes %trms
> access_log /var/log/squid3/access.log LOGS
> ...
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl InternalNetworks src 192.168.0.0/24
> ...
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 5222 # GChat
> acl Safe_ports port 5050 # YM
> acl Safe_ports port 11004 # YM
> acl Safe_ports port 1863 # MSN
> ...
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow InternalNetworks
> ...
> htcp_access deny all
> http_access deny all
>
> My access log:
> (30/Jun 07:23:13) (TCP_DENIED/403/NONE) (192.168.0.20=>192.168.0.4)
> (talk.l.google.com:5222) text/html-2008bytes 0ms
> (30/Jun 07:23:13) (TCP_DENIED/403/NONE) (192.168.0.20=>192.168.0.4)
> (talk3.l.google.com:5222) text/html-2011bytes 0ms
> (30/Jun 07:23:13) (TCP_DENIED/403/NONE) (192.168.0.20=>192.168.0.4)
> (talk2.l.google.com:5222) text/html-2011bytes 0ms
> (30/Jun 07:23:13) (TCP_DENIED/403/NONE) (192.168.0.20=>192.168.0.4)
> (talk1.l.google.com:5222) text/html-2011bytes 0ms
> (30/Jun 07:23:13) (TCP_DENIED/403/NONE) (192.168.0.20=>192.168.0.4)
> (talk4.l.google.com:5222) text/html-2011bytes 0ms
> (30/Jun 07:23:13) (TCP_DENIED/403/NONE) (192.168.0.20=>192.168.0.4)
> (gmail.com:5222) text/html-1984bytes 0ms
>
> Can anyone give me a hint on why squid still disables port 5222 even
> after I open it? (Please note, I've restarted the squid3 server but
> the problem still exists.)
>
> I believe my iptables rules are okay, because Squid can detect requests
> from my client IP (192.168.0.20 => 192.168.0.4)
>
> Thanks
>
> Johannes

Firstly, check that the CONNECT method is also allowed to the same port
(usually by adding it to SSL_Ports ACL as well).

If that is not working either, it is at this point that we direct you to
the cache.log (you do have it enabled and "debug_options ALL,1" right?)

Depending on your version of GoogleTalk you may expect to see such entries
as "Unknown Method _CONNECT" where _ may be a strange binary character or
two which is illegal in readable-text HTTP.

If you are seeing such entries then you need to change your GoogleTalk
version and try again. I'm not sure if it works with later or earlier
versions, nobody known to me has solved this binary issue. So good luck!

Amos
Received on Tue Jun 30 2009 - 03:21:54 MDT
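To see why the posted Safe_ports change is not enough, here is an added example (not code from this thread or from the Squid project) that models Squid's first-match walk over the http_access lines. It assumes the stock squid.conf defaults that the posted snippet elides with "...", namely `acl SSL_ports port 443`, `acl CONNECT method CONNECT` and `http_access deny CONNECT !SSL_ports`, and it reduces the ACL set to the handful of names that matter here. The two access.log entries are taken from the thread and joined onto single lines; the regex follows the custom logformat posted above.

```python
import ipaddress
import re
from dataclasses import dataclass

# Squid defaults assumed from squid.conf.default (not shown in the posted snippet):
#   acl SSL_ports port 443
#   acl CONNECT method CONNECT
#   http_access deny CONNECT !SSL_ports
DEFAULT_SSL_PORTS = frozenset({443})
# Safe_ports exactly as posted in the thread
SAFE_PORTS = frozenset({80, 21, 443, 5222, 5050, 11004, 1863})
INTERNAL = ipaddress.ip_network("192.168.0.0/24")   # acl InternalNetworks src

@dataclass(frozen=True)
class Request:
    method: str   # "GET" or "CONNECT"
    host: str
    port: int
    src: str      # client address

# http_access lines in the order Squid reads them; '!' negates an ACL and
# every ACL on one line must match for that line to fire.
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["InternalNetworks"]),
    ("deny", ["all"]),
]

def acl_matches(name, req, ssl_ports):
    """Evaluate one named ACL (simplified, hypothetical ACL set) against a request."""
    if name == "Safe_ports":
        return req.port in SAFE_PORTS
    if name == "SSL_ports":
        return req.port in ssl_ports
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "InternalNetworks":
        return ipaddress.ip_address(req.src) in INTERNAL
    if name == "all":
        return True
    raise ValueError(f"unknown acl {name}")

def http_access(req, ssl_ports=DEFAULT_SSL_PORTS):
    """First-match evaluation: the first http_access line whose ACLs all match wins."""
    for verdict, acls in RULES:
        if all(acl_matches(a.lstrip("!"), req, ssl_ports) != a.startswith("!") for a in acls):
            return verdict
    # Squid rule: if no line matches, the opposite of the last line's action applies
    return "allow" if RULES[-1][0] == "deny" else "deny"

# Parser for the custom logformat from the thread:
# (%{%d/%b %H:%M:%S}tl) (%Ss/%Hs/%Sh) (%>a=>%la) (%ru) %mt-%<stbytes %trms
LOG_RE = re.compile(
    r"\((?P<ts>[^)]+)\) \((?P<code>[^/]+)/(?P<status>\d+)/(?P<hier>[^)]+)\) "
    r"\((?P<src>[^=]+)=>(?P<local>[^)]+)\) \((?P<url>[^)]+)\) "
    r"(?P<mime>\S+)-(?P<bytes>\d+)bytes (?P<ms>\d+)ms"
)

# Two entries from the thread, joined onto single lines
LOG = [
    "(30/Jun 07:23:13) (TCP_DENIED/403/NONE) (192.168.0.20=>192.168.0.4) "
    "(talk.l.google.com:5222) text/html-2008bytes 0ms",
    "(30/Jun 07:23:13) (TCP_DENIED/403/NONE) (192.168.0.20=>192.168.0.4) "
    "(gmail.com:5222) text/html-1984bytes 0ms",
]

def denied_tunnels(lines):
    """Return (host, port) for TCP_DENIED entries whose %ru is a bare host:port.
    Squid logs a CONNECT request URI as host:port with no scheme, so entries
    like these are refused tunnel attempts rather than refused GETs."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["code"] != "TCP_DENIED" or "://" in m["url"]:
            continue
        host, _, port = m["url"].rpartition(":")
        found.append((host, int(port)))
    return found

if __name__ == "__main__":
    for host, port in denied_tunnels(LOG):
        print(f"denied CONNECT tunnel to {host}:{port}")
    req = Request("CONNECT", "talk.l.google.com", 5222, "192.168.0.20")
    print("default SSL_ports  :", http_access(req))                        # deny
    print("with 5222 in SSL_ports:", http_access(req, DEFAULT_SSL_PORTS | {5222}))  # allow
```

Running it shows the mismatch the reply points at: a plain GET to port 5222 clears `deny !Safe_ports` and is allowed, but the client actually issues CONNECT (the bare `host:5222` in the `%ru` field is the tell), and `deny CONNECT !SSL_ports` fires before the InternalNetworks allow is reached. Squid ships with only 443 in SSL_ports because a CONNECT tunnel is opaque to the proxy, so add just the port the client needs rather than widening the tunnel rule.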
