I have this in my squid server for it to work:
*mangle
:PREROUTING ACCEPT [190:618576]
:INPUT ACCEPT [190:618576]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [163:41506]
:POSTROUTING ACCEPT [166:42334]
-A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3129 -m comment --comment "002 drop squid direct traffic http - we only allow captured traffic" -j DROP
-A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3130 -m comment --comment "002 drop squid direct traffic https - we only allow captured traffic" -j DROP
COMMIT
# Completed on Wed Apr  1 10:28:22 2015
# Generated by iptables-save v1.4.21 on Wed Apr  1 10:28:22 2015
*nat
:PREROUTING ACCEPT [1:36]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [30:2079]
:POSTROUTING ACCEPT [30:2079]
-A PREROUTING -s $myip/32 -p tcp -m multiport --dports 80 -m comment --comment "000 allow squid http - so its traffic does not get captured" -j ACCEPT
-A PREROUTING -s $myip/32 -p tcp -m multiport --dports 443 -m comment --comment "000 allow squid https - so its traffic does not get captured" -j ACCEPT
-A PREROUTING -p tcp -m multiport --dports 80 -m comment --comment "001 capture http to squid" -j DNAT --to-destination $myip:3129
-A PREROUTING -p tcp -m multiport --dports 443 -m comment --comment "001 capture https to squid" -j DNAT --to-destination $myip:3130
COMMIT
# Completed on Wed Apr  1 10:28:22 2015
# Generated by iptables-save v1.4.21 on Wed Apr  1 10:28:22 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
-A INPUT -p tcp -m multiport --ports 3129 -m comment --comment "000 allow squid http intercept" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 3130 -m comment --comment "000 allow squid https intercept" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 3128 -m comment --comment "000 allow squid proxy" -j ACCEPT

and squid conf (mind you - squid 3.4)
ssl_bump                       server-first all
sslproxy_flags                 DONT_VERIFY_PEER
sslcrtd_children               8 startup=1 idle=1
sslcrtd_program                /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
https_port                     3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ca.private cert=/etc/squid/ca.cert
shutdown_lifetime              3
always_direct                  allow all
sslproxy_cert_error            allow all
http_port                      3129 intercept

Reet Vyas wrote on 06/02/2015 02:31 PM:
I am trying to configure a transparent squid proxy on Ubuntu 14.04 Server;
the squid version I am using is 3.3.

My Lan and Wan settings

eth0      Link encap:Ethernet  HWaddr 00:1e:67:cf:59:74
           inet addr:116.72.*.*  Bcast:116.72.155.255  Mask:255.255.252.0
           inet6 addr: fe80::21e:67ff:fecf:5974/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:238950 errors:0 dropped:0 overruns:0 frame:0
           TX packets:236104 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:22219047 (22.2 MB)  TX bytes:17390502 (17.3 MB)
           Interrupt:16 Memory:d0a00000-d0a20000

eth1      Link encap:Ethernet  HWaddr 00:1e:67:cf:59:75
           inet addr:192.168.0.200  Bcast:192.168.0.255  Mask:255.255.255.0
           inet6 addr: fe80::21e:67ff:fecf:5975/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:96965 errors:0 dropped:0 overruns:0 frame:0
           TX packets:11785 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:10764615 (10.7 MB)  TX bytes:7151763 (7.1 MB)
           Interrupt:17 Memory:d0900000-d0920000

my squid.conf file

acl mynet src 116.72.152.37 192.168.0.0/16    # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3128
cache_dir ufs /usr/local/cache 10000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600       90%     43200
refresh_pattern .        0    20%    4320


but when I use 192.168.0.200 as the gateway on my client machine, the
internet does not work and I can't see any logs in access.log.

But when I use this IP in my browser, it works and shows logs, but with
my TP-Link router (192.168.0.1) as the gateway.

iptables rules:
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:192.168.0.200:3128
2    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination


Please tell me what I am missing in my iptables and squid3 configuration.
I tried both the transparent and the intercept option, but I think I have
an issue with iptables, or maybe a configuration issue.

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer
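As an added check (not from either post), the script below lints an iptables-save dump for the layout the posted ruleset follows: in the nat table the ACCEPT for the proxy's own address comes before the DNAT that captures ports 80/443, the mangle table DROPs direct connections to the intercept ports, and filter INPUT accepts them. The proxy address 10.0.0.2 and both abridged dumps are constructed here; the intercept ports 3129/3130 are taken from the post.

```shell
# Added example (not from either post): lint an iptables-save dump (stdin) for the
# layout the posted ruleset uses. $1 is the proxy address; intercept ports 3129
# (http) and 3130 (https) are assumed, as in the post. Exit 0 = all checks pass.
lint_intercept_rules() {
    awk -v proxy="$1" '
        /^\*/ { table = substr($0, 2); next }           # *mangle, *nat, *filter
        table == "nat" && /^-A PREROUTING/ {
            n++                                          # rule position in the chain
            if (!exempt  && /-j ACCEPT/ && $0 ~ ("-s " proxy "/32")) exempt  = n
            if (!capture && /-j DNAT/)                                capture = n
        }
        table == "mangle" && /^-A PREROUTING/ && /-j DROP/ {
            if (/3129/) drop_http = 1; if (/3130/) drop_https = 1
        }
        table == "filter" && /^-A INPUT/ && /-j ACCEPT/ {
            if (/3129/) in_http = 1; if (/3130/) in_https = 1
        }
        END {
            ok = 1
            if (!capture)              { print "nat: no DNAT capture rule"; ok = 0 }
            else if (!exempt)          { print "nat: proxy source never exempted"; ok = 0 }
            else if (exempt > capture) { print "nat: exemption comes after the DNAT"; ok = 0 }
            if (!(drop_http && drop_https)) { print "mangle: direct 3129/3130 not dropped"; ok = 0 }
            if (!(in_http && in_https))     { print "filter: INPUT lacks 3129/3130"; ok = 0 }
            exit !ok
        }'
}
# Constructed dumps, abridged from the posted rules; 10.0.0.2 stands in for $myip.
good_dump() { cat <<'EOF'
*mangle
-A PREROUTING -d 10.0.0.2/32 -p tcp -m multiport --dports 3129,3130 -j DROP
COMMIT
*nat
-A PREROUTING -s 10.0.0.2/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A PREROUTING -p tcp -m multiport --dports 80 -j DNAT --to-destination 10.0.0.2:3129
-A PREROUTING -p tcp -m multiport --dports 443 -j DNAT --to-destination 10.0.0.2:3130
COMMIT
*filter
-A INPUT -p tcp -m multiport --ports 3129,3130 -j ACCEPT
COMMIT
EOF
}
# Same idea but wrong: DNAT before the exemption, no mangle DROP, no INPUT rule.
bad_dump() { printf '%s\n' '*nat' \
    '-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:3129' \
    '-A PREROUTING -s 10.0.0.2/32 -p tcp --dport 80 -j ACCEPT' 'COMMIT'; }
good_dump | lint_intercept_rules 10.0.0.2 && echo "good dump: OK"
bad_dump  | lint_intercept_rules 10.0.0.2 || echo "bad dump: rejected"
```

Run it against a live box with `iptables-save | lint_intercept_rules <proxy-ip>`; each failed check is printed on its own line.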
