Re: [squid-users] Three questions about Squid configuration

From: Nicolás <nicolas_at_devels.es>
Date: Wed, 16 Jul 2014 15:56:25 +0100

Hi Eliezer,

This is an Ubuntu Trusty 14.04 64-bit system, the package is from the APT
repository and there is just one network on both the client and server
side. My aim is to redirect all the outgoing client traffic to port
3128 on a remote server. So I initially did 2 steps as far as iptables
config goes:

On the client side: iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT
--to-destination SQUIDIP:3128
On the server side: iptables -I INPUT -p tcp -d SQUIDIP --dport 3128 -j
ACCEPT

I tried adding this rule:

iptables -t nat -I PREROUTING --match owner --uid-owner proxy -p tcp
--dport 3128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

But I get a warning like this:

[707317.691686] ip_tables: owner match: used from hooks PREROUTING, but
only valid from OUTPUT/POSTROUTING

However, there's a thing I don't get: When the squid server receives
packets from the clients, they go directly to port 3128. Why should
squid3 also send requests to itself on the same port? Shouldn't they be
redirected to the proper destination?

I also tried disabling iptables (leaving all the chains empty, so the
3128 port is also open) and the same thing still happens. Weird...

Any hints?

Thanks!

On 16/07/2014 14:57, Eliezer Croitoru wrote:
> Hey Nicolas,
>
> Can we go from step 0 please?
> What OS are you running?
> Is it a self compiled squid or from the OS repository?
> Do you have more than one network interface on this machine?
> What is the network scheme?
> If it's a CentOS machine, can you run this script on it?
> http://www1.ngtech.co.il/squid/basic_data.sh
>
> The main issue you have is a looping or wrong redirection.
> You need to differentiate any local traffic coming from the local
> machine and from squid process to other users and other machines.
> Depending on your OS you should have an iptables module for owner matching.
> You should add it like this:
> "iptables -t nat -I PREROUTING --match owner --uid-owner
> squid_user_account_name_or_number_id -p tcp --dport 80 -m conntrack
> --ctstate NEW,ESTABLISHED -j ACCEPT"
>
> This should solve most of your issues when using the proper intercept
> port.
> In case you are trying to reach other destination ports you should
> add a special rule to ACCEPT like in the example by owner id and using
> the other port.
>
> Eliezer
>
> On 07/15/2014 10:09 PM, Nicolás wrote:
>> Hi there!
>>
>> It's been years since I last played around with squid so I wanted to make a
>> simple configuration just to see whether I remember the basic things,
>> and I found two problems:
>>
>> I'm running:
>>
>> # squid3 -v
>> Squid Cache: Version 3.3.8
>>
>> 1) My configuration is the default that the package provides, I just
>> added another http_port, so now I got:
>> http_port 3128
>> http_port 3127 intercept
>>
>> Afterwards, I set up a REDIRECT iptables rule to make anything
>> coming to port 8080 be redirected to one of these 2 ports. If I redirect
>> it to port 3128, everything works fine, squid actually behaves as a
>> transparent proxy applying the http_access and acl rules correctly. But
>> if I redirect it to port 3127, any request results in a 111 Connection
>> refused error. This is the only rule in my iptables, so it cannot be
>> related to some rules misconfiguration.
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080
>> -j REDIRECT --to-ports 312X
>>
>> I enabled debugging via the -d flag, and there's absolutely nothing
>> regarding these requests. The access log shows the request like this:
>>
>> 1405450438.913 0 origin.ip TCP_MISS/503 3487 GET
>> http://www.devels.es/ - HIER_DIRECT/machine.public.ip text/html
>>
>> So at this point, my questions are 2:
>>
>> 1.1) What could be causing this behavior?
>> 1.2) If the default redirect port (3128) works as a transparent
>> proxy (intercept), then what's the conceptual difference between both
>> configurations?
>>
>> 2) There are some websites using SSL that I cannot reach using squid,
>> resulting in a 110 Connection timed out error. One of them is Facebook:
>>
>> pi_at_rpi ~ $ telnet machine.public.ip 8080
>> Trying machine.public.ip...
>> Connected to machine.public.ip.
>> Escape character is '^]'.
>>
>> CONNECT www.facebook.com:443
>> HTTP/1.1 503 Service Unavailable
>> Server: squid/3.3.8
>> Mime-Version: 1.0
>> Date: Tue, 15 Jul 2014 19:00:23 GMT
>> Content-Type: text/html
>> Content-Length: 3085
>> X-Squid-Error: ERR_CONNECT_FAIL 110
>> Vary: Accept-Language
>> Content-Language: en
>>
>> [...]
>>
>> <p id="sysmsg">The system returned: <i>(110) Connection timed
>> out</i></p>
>>
>> <p>The remote host or network may be down. Please try the request
>> again.</p>
>>
>> [...]
>> Connection closed by foreign host.
>>
>> However, from the server which hosts squid, I can make a wget or
>> curl request to facebook. I even installed the same version of squid on
>> a local virtual machine over my computer just to test and it works,
>> replicating exactly the same both squid and iptables config. What could
>> be the cause of this?
>>
>> Thanks for the help!
>>
>> Regards,
>>
>> Nicolás
>
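The loop-protection rules Eliezer describes, placed in the chain where the ip_tables warning above says the owner match is allowed, as an added example that is not from the thread or from the Squid project. It assumes Squid runs as user proxy (the Ubuntu package default), that interception happens on the Squid host itself (the form the intercept port is designed for, since it looks up the original destination in the local NAT table) with clients arriving on eth0, and reuses the 3127 intercept port from the original post; the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): emit the nat rules for a Squid host that
# intercepts port 80 itself. Assumed values: Squid runs as user "proxy",
# LAN interface eth0, intercept port 3127 ("http_port 3127 intercept").
squid_nat_rules() {
  uid="$1"    # owner of the Squid process
  iface="$2"  # interface the clients arrive on
  iport="$3"  # the http_port marked "intercept"

  # Loop protection: Squid's own outbound fetches must not be redirected back
  # into Squid. The owner match is only valid in OUTPUT/POSTROUTING (exactly
  # what the ip_tables warning in the thread says), so it belongs in nat
  # OUTPUT, not PREROUTING. ACCEPT in the nat table means "do no NAT".
  printf 'iptables -t nat -A OUTPUT -m owner --uid-owner %s -j ACCEPT\n' "$uid"
  printf 'iptables -t nat -A OUTPUT -o lo -j ACCEPT\n'
  # Other local processes on the box still get intercepted.
  printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$iport"
  # LAN clients: REDIRECT on the Squid host itself, so the intercept port can
  # recover the original destination from the kernel's NAT table.
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$iface" "$iport"
}

# Sanity check run before applying anything: refuse an owner match in a chain
# the kernel rejects it in (PREROUTING/INPUT/FORWARD). Returns 0 when clean.
owner_match_chains_ok() {
  if printf '%s\n' "$1" | grep -E -- '-(A|I) (PREROUTING|INPUT|FORWARD) .*(-m|--match) owner' >/dev/null; then
    return 1
  fi
  return 0
}

rules=$(squid_nat_rules "${1:-proxy}" "${2:-eth0}" "${3:-3127}")
if owner_match_chains_ok "$rules"; then
  printf '%s\n' "$rules"
else
  echo "refusing: owner match in a chain that does not support it" >&2
  exit 1
fi
```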
Received on Wed Jul 16 2014 - 14:56:51 MDT
