[squid-users] Re: access denied

From: winetbox <winetbox_at_gmail.com>
Date: Thu, 3 Jul 2014 20:19:43 -0700 (PDT)

> This is because of the fix for CVE-2009-0801. NAT on a separate machine
> has never actually worked properly even in 2.7. The fix we have in
> current Squid involves verifying the TCP destination IP, which also
> enforces that NAT is performed on the Squid machine instead of remotely.
> You need to use policy routing or similar mechanisms on the router to
> get the packets to the Squid machine unchanged for interception to work.
>
> Amos

On the contrary, my setup was working perfectly on those versions, because
I'm not using the same machine for NAT routing. For routing, I leave
everything on the MikroTik; what Squid does is only accept redirected requests
from the MikroTik.

My setup is

A >> B >> C >> D >> E

A. CLIENT ( 192.168.0.0/24 )
B. MikroTik router ( 192.168.0.253, 192.168.14.1 )
C. dstnat src-address=192.168.0.0/24 dst-port 80 redirect to Squid (
to-addresses=192.168.14.2 to-ports=3129)
D. Squid requests the internet via 192.168.14.1 (but this time it won't hit
the dst-nat redirect, because the dstnat was only specified for requests from
192.168.0.0/24)
E. Directly routed to the internet gateway

I have been using this setup for several years without any problem, but a few
days ago I decided to test the latest stable squid3, and was kind of surprised
to get these changes.
Is there any way I can do the same setup again on this latest version
without having to do that iptables NAT?

> Hey there,
>
> We will need more information in the form of:
> Client address
> Squid address
> Routing scheme / description
> iptables rules
> access.log output
> Is the Squid box the gateway of the network?
>
> In almost all cases the denial is rightful.
>
> Eliezer

I'm not using any iptables rules, as I have explained above. And no, the
Squid box is not the gateway; a MikroTik is doing the job and redirects
client requests (not Squid's) on dst-port 80 to Squid's http_port 3129
transparent port.

I got a lot of "Forwarding loop" messages in cache.log, which led me to find
these links on Google:
http://www.squid-cache.org/mail-archive/squid-users/201304/0051.html and
http://myconfigure.blogspot.com/2013/03/transparent-squid-332-on-ubuntu-1210.html

So the question is the same: is there any way I can do the same setup again
on this latest version without having to do that iptables NAT?

Thanks for the help

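The thread's answer is that, since the CVE-2009-0801 fix, Squid looks the original destination up in the NAT table of its own host, so the redirect has to move from the MikroTik to the Squid box (with the router only policy-routing the unchanged packets there, as Amos says). The following script is an added example, not code from the thread or from Squid: it emits the matching iptables rules for the asker's addresses, assumes `http_port 3129 intercept` in squid.conf, and only prints them unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for the Squid host once
# the MikroTik delivers client packets unchanged (policy routing, as Amos
# suggests) instead of dst-nat'ing them. Since the CVE-2009-0801 fix, Squid
# recovers the original destination from the *local* NAT table, so the
# REDIRECT must live on this box. Addresses are the asker's; squid.conf is
# assumed to carry "http_port 3129 intercept".
CLIENT_NET="${CLIENT_NET:-192.168.0.0/24}"
SQUID_IP="${SQUID_IP:-192.168.14.2}"
SQUID_PORT="${SQUID_PORT:-3129}"

# Print the rule set for a client subnet, proxy address and intercept port.
squid_redirect_rules() {
    net="$1"; ip="$2"; port="$3"
    # Traffic addressed to the proxy box itself (admin, the explicit proxy
    # port) must not be rewritten; this rule must precede the REDIRECT.
    echo "iptables -t nat -A PREROUTING -s $net -d $ip -j RETURN"
    # Client HTTP arrives with the real server as destination. REDIRECT maps
    # it to local:$port and conntrack keeps the original, which is exactly
    # what Squid's destination check reads back.
    echo "iptables -t nat -A PREROUTING -s $net -p tcp --dport 80 -j REDIRECT --to-ports $port"
    # Only NATed flows may reach the intercept port. A direct connect would
    # fail Squid's check and be denied anyway, so drop it at the edge.
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack ! --ctstate DNAT -j DROP"
}

# Sanity check: exactly one REDIRECT, and the proxy-address exclusion comes
# before it (iptables evaluates rules top-down, first match wins).
rules_are_sane() {
    rules="$1"
    [ "$(printf '%s\n' "$rules" | grep -c 'REDIRECT')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | awk '/-d .* -j RETURN/ {r=NR} /REDIRECT/ {d=NR}
                                  END {exit !(r && d && r < d)}'
}

RULES="$(squid_redirect_rules "$CLIENT_NET" "$SQUID_IP" "$SQUID_PORT")"
if [ "${APPLY:-0}" = "1" ]; then
    rules_are_sane "$RULES" && printf '%s\n' "$RULES" | sh -e    # needs root
else
    printf '%s\n' "$RULES"                                        # review first
fi
```

The router side (getting 192.168.0.0/24 port-80 packets to 192.168.14.2 without rewriting them) is MikroTik policy routing and is not shown here.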
Received on Fri Jul 04 2014 - 03:20:26 MDT
