Squid Proxy with simple iptable rule ...

Arsalan Hussain
Dear All,

I am facing a problem with iptables rules for Squid 3.5.23. My simple Squid configuration is attached, and also the iptables rules.

It works fine when I restart Squid, iptables and the network services, but after a while it gives problems of slow speed or even rejects packets, as seen in Squid's access.log:

 0 192.168.6.129 TAG_NONE/503 0 CONNECT s.youtube.com:443 -HIER_NONE/- -
 0 192.168.6.129 TAG_NONE/503 0 CONNECT s.youtube.com:443 - HIER_NONE/- -

When these kinds of entries show up in access.log, websites do not open for the user and they receive a "refused by proxy" message (routine access.log entries attached).

Could somebody assist me in solving this problem?

With Regards,


Arsalan Hussain

If you are too lazy to plow now, don't expect a harvest, later

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Attachments: Access Log in routine.txt (37K), attachment1 (1K), squid ssl bump final.conf (4K)

Re: Squid Proxy with simple iptable rule ...

Arsalan Hussain
Dear All,

Two things I want to share that I observed but didn't understand.

1- It happens with HTTPS (443) websites like Facebook, YouTube and Google Mail.
2- It is a Squid configuration problem, because when I stop iptables the same problem arises.

As in the access.log entries given below, the website gives an error:
1492086861.068  33508 192.168.5.178 TAG_NONE/503 0 CONNECT plus.google.com:443 - HIER_NONE/- -
1492086861.068  33506 192.168.5.178 TAG_NONE/503 0 CONNECT connect.facebook.net:443 - HIER_NONE/- -
1492086861.068  32960 192.168.5.178 TAG_NONE/503 0 CONNECT www.youtube.com:443 - HIER_NONE/- -
1492086861.068  30685 192.168.5.178 TAG_NONE/503 0 CONNECT www.centos.org:443 - HIER_NONE/- -
1492086861.068  30659 192.168.5.178 TAG_NONE/503 0 CONNECT m.addthis.com:443 - HIER_NONE/- -
1492086861.068  30658 192.168.5.178 TAG_NONE/503 0 CONNECT www.spinics.net:443 - HIER_NONE/- -


The interesting fact is that after the next refresh, or opening in a new tab (Mozilla/Chrome), the same website opens fine after a while.

A really confusing one, because sometimes it works and sometimes there is a problem.

--
With Regards,


Arsalan Hussain
Assistant Director, Networks & Information System

PRESTON UNIVERSITY
Add: Plot: 85, Street No: 3, Sector H-8/1, Islamabad, Pakistan
Cell: +92-322-5018611
UAN: (51) 111-707-808 (Ext: 443)

If you are too lazy to plow now, don't expect a harvest, later


Re: Squid Proxy with simple iptable rule ...

Amos Jeffries
On 13/04/2017 11:46 p.m., Arsalan Hussain wrote:
> Dear All,
>
> I am facing problem with iptable rules for squid 3.5.23. my simple squid
> configuration is attached and also iptable rules.
>
> It works fine when i restart squid, iptables, network services but after a
> while it give problem of slow speed or even rejecting packets in squid
> access.log

Your squid.conf first line says that Browsers are configured to use the
proxy. That means iptables doing NAT is not relevant.

You also have a mix of many very different and half-set-up proxying
configurations in your configs.


First get that sorted out. Telling us what you actually want the
traffic to be doing might be a good start.

What is going wrong is clear, but "I am facing a problem" does not tell
us what we should advise to fix it, and in this case your config is so
mixed it's not easy to even make a good guess.

Amos


Re: Squid Proxy with simple iptable rule ...

Arsalan Hussain
Dear Sir Amos

I have reconfigured Squid 3.5 and it works fine, but I want to protect the WAN interface through iptables.

1- Can you help me with a simple iptables chain rule which drops all traffic from WAN eth0, to secure it, and allows Squid user requests from LAN eth1 only? (My WAN is flooded by the public and it wastes all my bandwidth.)

For Example:
-A INPUT -j LOG
-A INPUT -j DROP

Then allow
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT

But it blocks traffic. Can you please help me with what allow rule will work for Squid 3.5 when I secure my WAN?


Re: Squid Proxy with simple iptable rule ...

Antony Stone
On Monday 17 April 2017 at 14:45:55, Arsalan Hussain wrote:

> Dear Sir Amos

        :)

> I had reconfigured Squid 3.5 and it works fine. but i want to protect WAN
> interface through IPTABLES
>
> 1- can you help me chain rule of simple iptable which drop all trafic from
> WAN eth0 to secure and allow squid user request from LAN eth1 only.   (my
> WAN send flood by public and it waste my all bandwidth)
>
> For Example:
> -A INPUT -j LOG

Do you really want to log every packet hitting your machine?

What use is that information?

> -A INPUT -j DROP

That will prevent ALL packets from entering the machine - nothing can work.

You need to allow ESTABLISHED and RELATED packets before DROPping anything.

> Then allow
> -A INPUT -i eth1 -j ACCEPT

There's no point putting a rule like this after "INPUT -j DROP".  Everything
has been DROPped already, whether it came from eth1 or not...

Remember that IPtables rules work on a "first match wins" basis.

> -A FORWARD -i eth1 -j ACCEPT

Er, wait, is this a forwarding router, or a Squid server accepting requests on
eth1 and sending them out on eth0?

> but its block traffic. Can you please help me what allow rule will works
> for Squid 3.5 when i secure my WAN.

Please give us more details of your network - I understand that the machine
running Squid has two interfaces, but is it only acting as a proxy, or is it
also a forwarding router for other traffic?

Also, have you read any documentation on IPtables, to get some examples of
standard configurations?


And finally, you numbered the question above with a "1".  Is there a "2"?


Antony.

--
Most people have more than the average number of legs.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Squid Proxy with simple iptable rule ...

Arsalan Hussain

Dear Antony Stone,

In fact I recently converted from Squid 3.1 and have little idea of the iptables rules used there; it was also working as a router for the internet, so I confused it with a normal proxy.
 
>> -A INPUT -j LOG
>
> Do you really want to log every packet hitting your machine?
>
> What use is that information?

@- You are right, I don't need it.

>> -A INPUT -j DROP
>
> That will prevent ALL packets from entering the machine - nothing can work.
>
> You need to allow ESTABLISHED and RELATED packets before DROPping anything.

@- Correct, I will add the established/related rule here:

-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

>> Then allow
>> -A INPUT -i eth1 -j ACCEPT
>
> There's no point putting a rule like this after "INPUT -j DROP".  Everything
> has been DROPped already, whether it came from eth1 or not...
>
> Remember that IPtables rules work on a "first match wins" basis.

@- My mistake, it was before the drop rule, to access SSH from the LAN.

>> -A FORWARD -i eth1 -j ACCEPT
>
> Er, wait, is this a forwarding router, or a Squid server accepting requests on
> eth1 and sending them out on eth0?

@- I don't need it, I will remove it.

>> but its block traffic. Can you please help me what allow rule will works
>> for Squid 3.5 when i secure my WAN.
>
> Please give us more details of your network - I understand that the machine
> running Squid has two interfaces, but is it only acting as a proxy, or is it
> also a forwarding router for other traffic?

@- It is only working as Squid. The LAN side consists of two VLANs and we will configure 100 users to use the internet. We will limit each user to 2 MB maximum bandwidth, while 1 MB only for FB/YouTube users.

Squid 3.5 is working fine, but I want to secure WAN eth0 against any unauthenticated user access.

I only need to configure simple iptables rules to secure it.

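A small simulator of the "first match wins" evaluation Antony describes, added here as an example and not part of anyone's post in this thread: it runs the rule order posted above and a reordered chain (ESTABLISHED/RELATED first, then LAN-only access to Squid and SSH, then DROP) against constructed packets. The Squid port 3128 and SSH port 22 are assumptions; the thread never states them.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    """Constructed sample packet: the fields the thread's rules match on."""
    iface: str   # incoming interface (-i): eth0 is WAN, eth1 is LAN
    dport: int   # destination port
    state: str   # conntrack state: NEW, ESTABLISHED or RELATED

def rule(target, iface=None, dport=None, state=None):
    """One '-A INPUT' rule; a None field means that match is absent."""
    return {"target": target, "iface": iface, "dport": dport, "state": state}

def matches(r, pkt):
    return ((r["iface"] is None or r["iface"] == pkt.iface)
            and (r["dport"] is None or r["dport"] == pkt.dport)
            and (r["state"] is None or pkt.state in r["state"].split(",")))

def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom: the first terminating match decides.
    LOG is non-terminating, so evaluation continues past it."""
    for r in chain:
        if matches(r, pkt) and r["target"] != "LOG":
            return r["target"]
    return policy

# The order posted in the thread: unconditional DROP before the LAN ACCEPT.
POSTED = [rule("LOG"), rule("DROP"), rule("ACCEPT", iface="eth1")]

# Reordered per Antony's advice: replies first, then LAN to Squid and SSH,
# then drop the rest (which covers unsolicited traffic from WAN eth0).
# Ports 3128 (Squid's default http_port) and 22 are assumed, not from the thread.
CORRECTED = [
    rule("ACCEPT", state="RELATED,ESTABLISHED"),
    rule("ACCEPT", iface="eth1", dport=3128),
    rule("ACCEPT", iface="eth1", dport=22),
    rule("DROP"),
]

# Constructed traffic: a LAN client reaching Squid, an unsolicited WAN probe
# of the proxy port, and a reply to a connection Squid opened upstream.
SAMPLES = {
    "lan_to_squid": Packet("eth1", 3128, "NEW"),
    "wan_to_squid": Packet("eth0", 3128, "NEW"),
    "wan_reply": Packet("eth0", 40000, "ESTABLISHED"),
}

def evaluate(chain):
    """Verdict for every sample packet under the given chain."""
    return {name: verdict(chain, pkt) for name, pkt in SAMPLES.items()}
```

Under the posted order every sample packet, including the LAN client, is dropped; under the corrected order only the unsolicited WAN probe is.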