Re: [squid-users] Re: Squid transparent proxy with one nic access denied problem.

From: Spyros Vlachos <spyros86_at_gmail.com>
Date: Sat, 22 Feb 2014 01:17:02 +0200

Hello!

I repeat my exact configuration:

Openwrt router (192.168.1.1)
##############################################################
# permit Squid box out to the Internet
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.1.20 -j ACCEPT

# mark everything else on port 80 to be routed to the Squid box
iptables -t mangle -A PREROUTING -i br-lan -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT

# NP: Ensure that traffic from inside the network is allowed to loop back inside again.
iptables -t filter -A FORWARD -i br-lan -o br-lan -p tcp --dport 80 -j ACCEPT

# interface facing clients
CLIENTIFACE=br-lan

# arbitrary mark used to route packets by the firewall. May be anything from 1 to 64.
FWMARK=2

cat /etc/iproute2/rt_tables
echo "201 proxy" >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table proxy
ip route add default via 192.168.1.20 table proxy
##############################################################

ubuntu - squid server
##############################################################
sudo iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP

****sysctl.conf*****

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
**********************

****squid.conf*****
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl squid-prime dstdomain "/etc/squid3/squid-prime.acl"
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny squid-prime
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.1.20:3128 intercept
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
dns_nameservers 8.8.8.8
**********************
##############################################################

I have even reinstalled openwrt because I had a feeling that it had
something to do with the version I had, but nothing changed.
When I do
ip rule add fwmark 2 table proxy
ip route add default via 192.168.1.20 table proxy
no connection to any websites can be made.
The squid access.log is empty.
If I do a DNAT only, sending everything going to port 80 (except from
192.168.1.20) to the squid server, the access log fills up. If I follow
the steps that I describe in the openwrt configuration above, nothing
happens, as I said.
I am thinking of reverting to ubuntu 12.04..
I understand the rules that I apply, they seem logical to me, but for
some reason they don't work as expected.
Do you have any other clues? Thank you!

On 20/2/2014 11:58 AM, Amos Jeffries wrote:
> On 20/02/2014 9:59 a.m., Spyros Vlachos wrote:
>> Hello again! Thank you for your support. I am a little bit frustrated
>> but I managed to test it again.
>> Long story short, I tried every combination from the suggested links to
>> no avail.
>>
>> For the router I did the following as suggested:
>> ( I tried using lan, br-lan, eth0, eth0.1 as the nic's name because it
>> is not obvious to me which one is the correct.)
>> ################################################################
>> # permit Squid box out to the Internet
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.1.20 -j ACCEPT
>>
>>
>> # mark everything else on port 80 to be routed to the Squid box
>> iptables -t mangle -A PREROUTING -i lan -p tcp --dport 80 -j MARK --set-mark 2
>> iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
>>
>>
>> # NP: Ensure that traffic from inside the network is allowed to loop
>> back inside again.
>> iptables -t filter -A FORWARD -i lan -o lan -p tcp --dport 80 -j ACCEPT
>>
>>
>> echo "201 proxy" >> /etc/iproute2/rt_tables
>> ip rule add fwmark 2 table proxy
>> ip route add default via 192.168.1.20 table proxy
>> #################################################################
>>
>> For the squid server I did both of the following ( with a service
>> networking restart between them )
>>
>> #################################################################
>>
>> # your proxy IP
>> SQUIDIP=192.168.1.20
>>
>> # your proxy listening port
>> SQUIDPORT=3128
>>
>>
>> iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
>> iptables -t nat -A POSTROUTING -j MASQUERADE
>> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>>
>> #################################################################
>>
>> And the next trial
>>
>> #################################################################
>> # your proxy IP
>> SQUIDIP=192.168.1.20
>>
>> # your proxy listening port
>> SQUIDPORT=3128
>>
>>
>> sudo iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>> sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
>> sudo iptables -t nat -A POSTROUTING -j MASQUERADE
>> sudo iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
>>
>> # Controls IP packet forwarding
>> net.ipv4.ip_forward = 1
>>
>> # Controls source route verification
>> net.ipv4.conf.default.rp_filter = 0
>>
>> # Do not accept source routing
>> net.ipv4.conf.default.accept_source_route = 0
>
> These sysctl settings should be in *both* DNAT and REDIRECT setups of Squid.
>
> Also if you have a recent kernel check that forwarding setting is being
> applied. I found my 3.9+ kernels ignoring or somehow overriding the
> sysctl config file value.
>
>> #################################################################
>>
>>
>> I kept getting connection refused ( no squid message) on the browser and
>> I had nothing in the access logs.
>> tcpdump on port 3128 showed nothing.
>
> Of course. The port 3128 is an internal mapping in the squid box NAT
> system. There are no packets going over the network anywhere with that
> port in them, so tcpdump has nothing to show.
>
> What you should expect is to see packets destined to some
> non-192.168.1.20 machine on the Internet on port _80_ arriving and leaving
> the Squid box.
>
> Amos
>
>>
>> Thank you again!
>> Spyros
>>
>>
>>
>> On 18/2/2014 10:30 PM, Niki Gorchilov wrote:
>>> Second NIC is unnecessary.
>>>
>>> Better go the way Amos suggested - do a policy based routing on
>>> OpenWRT (http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute)
>>> and traffic interception on Linux
>>> (http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat or
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect).
>>>
>>> Best,
>>> Niki
>>>

-- 
*Spyros Vlachos*
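The two halves of the setup discussed in this thread (policy routing on the OpenWrt router, REDIRECT interception on the Squid box), written up as one script with the checks a practitioner would run before blaming the rules. This is an added example, not code from the thread or from the Squid wiki pages it links to. Addresses, interface name, mark and table number are taken from the thread; the `RUN` dry-run variable, the `ensure_rt_table` helper (the `echo >> rt_tables` line in the thread appends a duplicate entry every time it is re-run) and the `check_fwd_sysctls` helper are this script's own. `check_fwd_sysctls` also inspects `net.ipv4.conf.all.rp_filter` and the per-interface key, which the thread's sysctl.conf does not set: the kernel applies the larger of the `all` and per-interface values, so `default` alone does not change an interface that already exists.

```shell
#!/bin/sh
# Transparent Squid via OpenWrt policy routing: setup helpers plus checks.
# Added example; values below come from the thread, helpers are this script's.
set -eu

CLIENTIFACE=${CLIENTIFACE:-br-lan}   # router interface facing the clients
SQUIDIP=${SQUIDIP:-192.168.1.20}      # the Squid box
SQUIDPORT=${SQUIDPORT:-3128}          # "http_port ... intercept" port
FWMARK=${FWMARK:-2}
RT_ID=${RT_ID:-201}
RT_NAME=${RT_NAME:-proxy}
RUN=${RUN:-}                          # RUN=echo prints commands instead of applying them

# Append "ID NAME" to rt_tables only when that exact entry is missing,
# so the script can be re-run without leaving duplicate lines behind.
ensure_rt_table() {
    file=$1; id=$2; name=$3
    if grep -Eq "^[[:space:]]*$id[[:space:]]+$name([[:space:]]|\$)" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s %s\n' "$id" "$name" >> "$file"
}

# Verify forwarding-related sysctls under ROOT (normally /proc/sys) for IFACE.
# rp_filter is evaluated as max(all, iface), so all three keys must be 0.
# Prints every wrong key and returns 1 if any is wrong.
check_fwd_sysctls() {
    root=$1; iface=$2; bad=0
    for kv in net/ipv4/ip_forward=1 \
              net/ipv4/conf/all/rp_filter=0 \
              net/ipv4/conf/default/rp_filter=0 \
              "net/ipv4/conf/$iface/rp_filter=0"; do
        key=${kv%=*}; want=${kv#*=}
        got=$(cat "$root/$key" 2>/dev/null || echo missing)
        if [ "$got" != "$want" ]; then
            echo "$key=$got (want $want)"; bad=1
        fi
    done
    return $bad
}

# Router (OpenWrt): mark LAN port-80 traffic except the Squid box's own
# fetches, and send marked packets to the Squid box via the extra table.
router_rules() {
    $RUN iptables -t mangle -A PREROUTING -p tcp --dport 80 -s "$SQUIDIP" -j ACCEPT
    $RUN iptables -t mangle -A PREROUTING -i "$CLIENTIFACE" -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    $RUN iptables -t mangle -A PREROUTING -m mark --mark "$FWMARK" -j ACCEPT
    $RUN iptables -t filter -A FORWARD -i "$CLIENTIFACE" -o "$CLIENTIFACE" -p tcp --dport 80 -j ACCEPT
    $RUN ip rule add fwmark "$FWMARK" table "$RT_NAME"
    $RUN ip route add default via "$SQUIDIP" table "$RT_NAME"
}

# Squid box: REDIRECT forwarded port-80 traffic to the intercept port, let
# Squid's own outbound requests through, and drop anything a client sends
# straight to the intercept port (it must only ever see NAT'd packets).
squid_rules() {
    $RUN iptables -t nat -A PREROUTING -s "$SQUIDIP" -p tcp --dport 80 -j ACCEPT
    $RUN iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port "$SQUIDPORT"
    $RUN iptables -t nat -A POSTROUTING -j MASQUERADE
    $RUN iptables -t mangle -A PREROUTING -p tcp --dport "$SQUIDPORT" -j DROP
}

# Usage: ./pbr-squid.sh router        (on OpenWrt)
#        ./pbr-squid.sh squid eth0    (on the Squid box; eth0 = its LAN interface)
case ${1:-} in
    router) ensure_rt_table /etc/iproute2/rt_tables "$RT_ID" "$RT_NAME"; router_rules ;;
    squid)  check_fwd_sysctls /proc/sys "${2:-eth0}" || echo "fix the sysctls above before testing"
            squid_rules ;;
esac
```

Run with `RUN=echo` first to see the exact rules that would be applied. After applying, `iptables -t mangle -L PREROUTING -v -n` on the router shows whether the MARK rule's packet counter moves at all, and `ip rule show` plus `ip route show table proxy` confirm the policy route exists; on the Squid box, a `tcpdump -ni eth0 'tcp port 80'` should show client packets addressed to Internet hosts arriving, as Amos describes, rather than anything on port 3128. Note that on OpenWrt a firewall restart (fw3) flushes hand-entered rules, so the router lines belong in /etc/firewall.user rather than an interactive shell.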
Received on Fri Feb 21 2014 - 23:17:14 MST

This archive was generated by hypermail 2.2.0 : Sun Feb 23 2014 - 12:00:06 MST