Squid as gateway


Squid as gateway

erdosain9
Hi.
Is it possible to put the Squid server as gateway, and configure it to listen on port 80 instead of 3128? Will this work?
Thanks to all.

Re: Squid as gateway

Amos Jeffries
Administrator
On 08/07/17 04:14, erdosain9 wrote:
> Hi.
> It's possible to put the squid server as gateway??? and config to ear in
> port 80 instead of 3128? This will work?


Yes. See <http://wiki.squid-cache.org/SquidFaq/ReverseProxy>.

Like that page name, most of the documentation can be found by looking
for the term "reverse proxy" rather than gateway.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid as gateway

erdosain9
Hi, and thanks.
Maybe I didn't explain well.
I just want this:

 WanRouter-------Squid---------switch------PC

I want to declare in "PC" IP, MASK, AND GATEWAY; instead of the WanRouter, I want the PC to have the IP of the Squid as its gateway.

This is what I did for now.

sudo iptables -A PREROUTING -t nat -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

[root@squid ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3128
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        


 iptables -t nat --line-numbers -L
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination        
1    REDIRECT   tcp  --  192.168.1.0/24       anywhere             tcp dpt:http redir ports 3128


And in squid.conf
I have
http_port 192.168.1.35:3128 intercept

But... this is not working... so,
can anyone give me a hand?

Thanks to all.

 

Re: Squid as gateway

Yuri Voinov
Feel free to take a look inside wiki:

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

http://wiki.squid-cache.org/ConfigExamples/Intercept



Re: Squid as gateway

erdosain9
Thanks.
Yes, I'm looking at the wiki and following this:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

And it is not working. Nothing is going to Squid.

I can go to the internet because

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

but nothing goes through Squid.

What can it be? Another wiki???

Re: Squid as gateway

Yuri Voinov
Squid should be configured and built with interception support.

Re-read more carefully.


Re: Squid as gateway

erdosain9
Ok Yuri, I'm re-re-re-reading....... :-)

And I tried other configs, like this:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

and nothing, I don't get where I fail.

Squid is configured in interception mode.

cache.log

2017/07/11 14:15:43 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 14 flags=9
2017/07/11 14:15:43 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3129 remote=[::] FD 15 flags=41

So......................... yes, yes, I keep reading.

Re: Squid as gateway

Rafael Akchurin
Maybe this will be of any help - https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html



Re: Squid as gateway

Eliezer Croitoru
In reply to this post by erdosain9
Hey,

The text doesn't contain enough details to understand where Squid is sitting in the network and how it all should work.
Please describe every IP address in the network and the network CIDRs.
What is the IP of the WANRouter and of the other components?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: Squid as gateway

Amos Jeffries
Administrator
In reply to this post by Rafael Akchurin
On 12/07/17 04:20, Rafael Akchurin wrote:
> May be this will be of any help - https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
>


erdosain9: the above should be what you need.

If not, then you may still be distracted by thinking that Squid has any
relevance to the "gateway".

What you need to start with is that the machine which will _later_ be
running Squid be _first_ set up as a gateway router on your network.
That has nothing to do with Squid and the details should be available in
any general networking sysadmin guide.

The key thing is that all your clients' traffic routing should be
operational and going through that machine *before* you go anywhere near
even installing Squid on that machine.

Only after that gateway is setup and operational do you install Squid
and add the iptables bits to get the traffic into Squid. The Squid wiki
examples are intended for use by someone already somewhat familiar with
network configuration and wanting to do that extra step with the proxy.

The Diladele page(s) go through much more of the full process of setting
up the gateway machine, but remember that most of what you are wanting
is not about Squid at all - so don't skip parts thinking they are
irrelevant to your proxy.

HTH
Amos

Re: Squid as gateway

erdosain9
In reply to this post by Eliezer Croitoru
Hi, and thank you all.

Well this is the diagram.



INTERNET
+
+
FIREWALL (10.1.158.1/24)
+
+
+
SQUID (2 interfaces) 10.1.158.2/24
                                192.168.1.20/24
+
+
+
ROUTERWIFI (WAN: static ip 192.168.1.40/24, gw 192.168.1.20; LAN: 192.168.0.1/24)

squid config:

acl red1 src 192.168.1.0/24

acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 20000
acl SSL_ports port 10000
acl SSL_ports port 2083

acl Safe_ports port 631         # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 8443        # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8080        # edesur and others
acl CONNECT method CONNECT


#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localhost
http_access allow red1

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 192.168.1.20:3128
http_port 192.168.1.20:3129 intercept

# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 256 MB

cache_swap_low 90
cache_swap_high 95

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


#Your refresh_pattern
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

dns_nameservers 8.8.8.8 8.8.4.4
visible_hostname squid.xxxxxxxxxx.lan

-----------------------------------------------------------------------

I tried this, nothing works..............
---------------------------------------------------------------------------------------------------------------------------------------------

iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:3129
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP

------------------------------------------------------------------------------------------------------------------------------------------------

iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP

-----------------------------------------------------------------------------------------------------------------------------------------------

A hand....??
Thanks

Re: Squid as gateway

joseph
>> ROUTERWIFI( WAN----static ip 192.168.1.40/24 gw 192.168.1.20) LAN 192.168.0.1/24)
Is it Mikrotik or other? Please specify.

Re: Squid as gateway

Eliezer Croitoru
In reply to this post by erdosain9
Hey,

What you describe is possible... and is recommended for many scenarios.
You just need to take into account that what you want is to make sure you have a static route from the Squid machine to the WIFI network via the WIFI router.
Also you should use NAT (source NAT / masquerade) on the Squid box if you want traffic other than port 80 to be allowed to access the internet (DNS, ICMP etc.).
This combination of:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect?highlight=%28masquerade%29

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat?highlight=%28sysctl%29#A.2Fetc.2Fsysctl.conf_Configuration

http://wiki.squid-cache.org/KnowledgeBase/TransparentProxySelectiveBypass?highlight=%28masquerade%29

might help you to get started.

What machine are you using as the Linux box for Squid?

Eliezer


Re: Squid as gateway

Amos Jeffries
Administrator
In reply to this post by erdosain9
On 21/07/17 07:07, erdosain9 wrote:

> Hi, and thank you all.
>
> Well this is the diagram.
>
>
>
> INTERNET
> +
> +
> FIREWALL (10.1.158.1/24)
> +
> +
> +
> SQUID (2 interfaces) 10.1.158.2/24
>                                  192.168.1.20/24

This machine called SQUID needs to be configured as a router.

You mentioned the GW route for the device below, but what are the two GW
routes (10/8 gw ??? , and 192.168/16 gw ???) this SQUID machine should have?


> +
> +
> ROUTERWIFI( WAN----static ip 192.168.1.40/24 gw 192.168.1.20) LAN
> 192.168.0.1/24)

That looks okay.

But double-check that this machine is *NOT* performing NAT on any of the
outgoing packets sent to 192.168.1.20.


>
> squid config:
>
> acl red1 src 192.168.1.0/24

That permits the ROUTERWIFI machine to send traffic from itself (only)
to Squid. Such traffic should be an extreme rarity - usually just you
testing HTTP connectivity from that machine manually.

This Squid should be expecting to receive traffic from 192.168.0.0/24
machines. If you do not change this I expect you will start to see
DENIED lines being logged by Squid when you fix the packet arrival problem.


>
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl SSL_ports port 8080
> acl SSL_ports port 20000
> acl SSL_ports port 10000
> acl SSL_ports port 2083
>
> acl Safe_ports port 631         # httpCUPS
> acl Safe_ports port 85
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 8443        # httpsalt
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 8080        # edesur and others

NP: those 8080 and 8443 are included in the 1025-65535 entry above.

> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localhost
> http_access allow red1
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 192.168.1.20:3128
> http_port 192.168.1.20:3129 intercept

You should not have to specify any IP address here.
eg.
   http_port 3128
   http_port 3129 intercept

Squid will then be able to receive the NAT'd traffic no matter what
system NAT rules contain.


>
...
> #Your refresh_pattern
> refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
> ignore-private

NP: ignore-no-cache no longer exists.

SECURITY WARNING: using ignore-no-store for images will cache Captcha
images, user avatar icons, personal content from private accounts (think
snapchat and facebook photos type of stuff).
  ignore-private is not so bad in the latest Squid releases as it used
to be, but it will not cause much of a HIT ratio increase over default
behaviour either.


>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> dns_nameservers 8.8.8.8 8.8.4.4

Use of 8.8.8.8 and 8.8.4.4 in a Squid which is intercepting traffic
causes a lot of problems - mostly in the form of "Host verify" security
alerts and major reduction in HTTP traffic caching.

To work around those problems you need a local DNS server which both
your client machines and Squid use for recursive resolving. That DNS
server can use 8.8.8.8 and 8.8.4.4 as its upstream forwarders if you
actually still need it - having your own local resolver pretty much
obsoletes all the benefits 8.8.8.8 claim to provide.


>
> -----------------------------------------------------------------------
>
> I probe this, nothing work..............
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
> iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
> 192.168.1.20:3129
> iptables -t nat -A POSTROUTING -j MASQUERADE
> iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
>
> ------------------------------------------------------------------------------------------------------------------------------------------------
>
> iptables -t nat -A PREROUTING -s 192.168.1.20 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
> iptables -t nat -A POSTROUTING -j MASQUERADE
> iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
>
> -----------------------------------------------------------------------------------------------------------------------------------------------
>

Both of those look fine for the NAT rules on the SQUID box - they only do
the NAT part, not any of the packet routing.

The problem I think is in the routing setup on the SQUID machine, and
maybe the ROUTERWIFI.

Amos
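Added example from the editor, not code posted by anyone in this thread: a small Python lint that parses a constructed, trimmed copy of the squid.conf above and flags the points raised in the review: the allowed `src` ACL does not cover the 192.168.0.0/24 clients behind ROUTERWIFI, `http_port` bound to an IP address, the obsolete `ignore-no-cache` and the risky `ignore-no-store`, and public resolvers on an intercepting proxy. The function names (`parse_conf`, `lint_squid_conf`), the finding codes and the "fixed" config (whose `dns_nameservers` address 192.168.1.20 stands in for a local resolver) are assumptions of the example.

```python
import ipaddress

# Constructed copy of the posted squid.conf, trimmed to the directives the
# review above comments on (not the poster's full file).
POSTED_SQUID_CONF = r"""
acl red1 src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow red1
http_access deny all
http_port 192.168.1.20:3128
http_port 192.168.1.20:3129 intercept
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private
dns_nameservers 8.8.8.8 8.8.4.4
"""

# Constructed variant applying the review: src ACL covers the real client LAN,
# no IP on http_port, cache overrides dropped, local resolver (placeholder IP).
FIXED_SQUID_CONF = r"""
acl clients src 192.168.0.0/24 192.168.1.0/24
http_access allow localhost
http_access allow clients
http_access deny all
http_port 3128
http_port 3129 intercept
refresh_pattern . 0 20% 4320
dns_nameservers 192.168.1.20
"""

# Public resolvers; any of these on an intercepting Squid brings the
# Host-verify problems described above (short illustrative list).
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}


def parse_conf(text):
    """Return (directive, args) for each non-comment, non-blank squid.conf line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def lint_squid_conf(text, client_subnets):
    """Return finding codes for the intercept-proxy pitfalls raised in the review."""
    entries = parse_conf(text)
    findings = []

    # 1. Each real client subnet must lie inside a 'src' ACL that is allowed.
    src_acls = {}
    for directive, args in entries:
        if directive == "acl" and len(args) >= 3 and args[1] == "src":
            nets = [ipaddress.ip_network(a, strict=False) for a in args[2:]]
            src_acls.setdefault(args[0], []).extend(nets)
    allowed = set()
    for directive, args in entries:
        if directive == "http_access" and len(args) >= 2 and args[0] == "allow":
            allowed.update(args[1:])
    for subnet in client_subnets:
        net = ipaddress.ip_network(subnet)
        covered = any(net.subnet_of(n)
                      for name, nets in src_acls.items() if name in allowed
                      for n in nets)
        if not covered:
            findings.append(f"acl-missing:{subnet}")

    # 2. http_port: an IP binding breaks NAT'd traffic; intercept needs its own port.
    plain_ports, intercept_ports = set(), set()
    for directive, args in entries:
        if directive == "http_port" and args:
            addr = args[0]
            if ":" in addr:
                findings.append(f"http_port-bound-to-ip:{addr}")
            port = addr.rsplit(":", 1)[-1]
            (intercept_ports if "intercept" in args[1:] else plain_ports).add(port)
    if plain_ports & intercept_ports:
        findings.append("http_port-intercept-shares-plain-port")

    # 3. refresh_pattern: ignore-no-cache is gone; ignore-no-store caches private content.
    for directive, args in entries:
        if directive == "refresh_pattern":
            if "ignore-no-cache" in args:
                findings.append("refresh_pattern-obsolete-ignore-no-cache")
            if "ignore-no-store" in args:
                findings.append("refresh_pattern-ignore-no-store")

    # 4. Public resolvers together with intercept mode -> Host verification alerts.
    for directive, args in entries:
        if directive == "dns_nameservers" and intercept_ports and PUBLIC_RESOLVERS & set(args):
            findings.append("dns-public-resolver-with-intercept")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_SQUID_CONF), ("fixed", FIXED_SQUID_CONF)):
        print(name, lint_squid_conf(conf, ["192.168.0.0/24"]) or "OK")
```

To run it against a live file, pass `open("/etc/squid/squid.conf").read()` and the subnets your clients really come from. The ACL check treats every name on an `http_access allow` line as granting access on its own, so AND-combined ACLs are only approximated; it is a pre-check for the mistakes in this thread, not a replacement for `squid -k parse`.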

Re: Squid as gateway

erdosain9
Hi, and thanks

The ROUTERWIFI is a TP-Link TL-WR940N.... I don't see any NAT option in this router :-(

This is the routing table of the SquidBox:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.158.1      0.0.0.0         UG    0      0        0 ens192
10.1.158.0      0.0.0.0         255.255.255.0   U     0      0        0 ens192
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 ens160
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 ens192
192.168.0.0     192.168.1.40    255.255.255.0   UG    0      0        0 ens160
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens160
192.168.2.0     192.168.1.1     255.255.255.0   UG    0      0        0 ens160
192.168.6.0     192.168.1.1     255.255.255.0   UG    0      0        0 ens160

This is the routing table of the TP-Link WR940N:

ID  Destination Network  Subnet Mask    Gateway       Interface
1   192.168.1.0          255.255.255.0  0.0.0.0       WAN
2   192.168.0.0          255.255.255.0  0.0.0.0       LAN & WLAN
3   0.0.0.0              0.0.0.0        192.168.1.20  WAN

If I enable IPv4 forwarding in the SquidBox, the clients of the ROUTERWIFI can access the internet, so I think the routing table is ok.... The clients can go to the internet, but only because IPv4 forwarding is enabled (the Squid service is not getting anything, I don't see anything in the access.log...). If I disable IPv4 forwarding the clients don't go anywhere.

This is iptables:

[root@squid ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 383 packets, 42336 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     tcp  --  *      *       192.168.1.20       0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.20:3129

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Re: Squid as gateway

Amos Jeffries
Administrator
On 22/07/17 02:18, erdosain9 wrote:

> Hi, and thanks
>
> The ROUTERWIFI is a TpLink TL-WR940N.... i dont see in this router any Nat
> option :-(
>
> This is the router table of the SquidBox
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> 0.0.0.0         10.1.158.1      0.0.0.0         UG    0      0        0
> ens192
> 10.1.158.0      0.0.0.0         255.255.255.0   U     0      0        0
> ens192
> 169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0
> ens160
> 169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0
> ens192
> 192.168.0.0     192.168.1.40    255.255.255.0   UG    0      0        0
> ens160
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0
> ens160
> 192.168.2.0     192.168.1.1     255.255.255.0   UG    0      0        0
> ens160
> 192.168.6.0     192.168.1.1     255.255.255.0   UG    0      0        0
> ens160

That seems okay. Assuming that 192.168.1.1 is reachable through
192.168.1.40 - but they should be irrelevant for the 192.168.0.0/24
clients even if broken.

>
> If I enable IPv4 forwarding in SquidBox, the clients of the ROUTERWIFI can
> access the internet, so I think the routing table is OK.... the clients can go
> to the internet, but just because IPv4 forwarding is enabled (the squid service is
> not getting anything, I don't see anything in the access.log...). If I disable
> IPv4 forwarding the clients can't get out at all.

What setting exactly are you changing for this "ipv4 forwarding"
enable/disable?

Clients should be fully able to access and use the Internet / WAN
connectivity _through_ the machine called SQUID in your network when the
NAT rules from the Squid wiki config example are omitted.

One thing we have not mentioned AFAIK, is that the FIREWALL machine
needs to have 192.168.0.0/16 gw 192.168.1.20 as its LAN gateway setting
to pass the Internet response traffic back through SQUID machine.


Amos

Re: Squid as gateway

Eliezer Croitoru
In reply to this post by erdosain9
Hey,

Let's split the scenario into two different issues.
- interception
- routing

Since the squidbox is a router, you first need to enable it to act as a router, and also to do NAT so that DNS and other services work.
That means the MASQUERADE rule is fine, but you should limit it to the specific outgoing interface on the WAN side, i.e. ens192.

And you should define the right iptables rules for the intercept, i.e.:
This is wrong:
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.1.20         0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.20:3129


Please send the complete "iptables-save" output
so I would be able to see what I'm suspecting.
Technically what you should have in the nat table is the next rule:
iptables -t nat -A PREROUTING -i ens192 -p tcp --dport 80 -j REDIRECT --to-port 3129

Then you can use "watch -d iptables -t nat -L -nv" to see whether the rules are being "hit", by the counters.
If the rule doesn't catch the traffic, it will be accounted at the chain's policy ACCEPT counter instead.

Let me know if it helps,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of erdosain9
Sent: Friday, July 21, 2017 17:19
To: [hidden email]
Subject: Re: [squid-users] Squid as gateway

Hi, and thanks

The ROUTERWIFI is a TpLink TL-WR940N.... I don't see any NAT option in
this router :-(

This is the routing table of the SquidBox

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.158.1      0.0.0.0         UG    0      0        0 ens192
10.1.158.0      0.0.0.0         255.255.255.0   U     0      0        0 ens192
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 ens160
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 ens192
192.168.0.0     192.168.1.40    255.255.255.0   UG    0      0        0 ens160
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens160
192.168.2.0     192.168.1.1     255.255.255.0   UG    0      0        0 ens160
192.168.6.0     192.168.1.1     255.255.255.0   UG    0      0        0 ens160

If I enable IPv4 forwarding in SquidBox, the clients of the ROUTERWIFI can
access the internet, so I think the routing table is OK.... the clients can go
to the internet, but just because IPv4 forwarding is enabled (the squid service is
not getting anything, I don't see anything in the access.log...). If I disable
IPv4 forwarding the clients can't get out at all.

This is iptables

[root@squid ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 383 packets, 42336 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.1.20         0.0.0.0/0            tcp dpt:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.20:3129

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-as-gateway-tp4683022p4683200.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Re: Squid as gateway

Amos Jeffries
Administrator
In reply to this post by erdosain9
On 22/07/17 02:18, erdosain9 wrote:
> Hi, and thanks
>
> The ROUTERWIFI is a TpLink TL-WR940N.... I don't see any NAT option in
> this router :-(
>

Ah. Home router. These devices usually have things vastly simplified so
they don't get screwed up by non-technical users. If you have been using
what the GUI there calls "IP Forwarding" with a tickbox - that is NAT :-(.

I highly recommend having two physical NICs on the SQUID machine when
home routers/modems are involved; one plugged into that router and the
other plugged into the FIREWALL machine. So there is no possible way any
packets can end up going straight between the ROUTERWIFI and FIREWALL
machines. That avoids a huge amount of trouble fiddling with the home
router's UI getting DMZ setups working.


Amos