Re: [squid-users] Squid Transparent Proxy not work

From: Amos Jeffries <[email protected]>
Date: Sat, 26 Jan 2008 16:30:49 +1300

duren duren wrote:
> I have a server running squid (transparent proxy) on
> Ubuntu Linux server (squid installed using apt-get).
> This server has two interfaces, eth0 to the internet &
> eth1 to the LAN.
>
> this is my squid.conf
>
> ## --- squid.conf -----
> http_port 192.168.10.1:3128 transparent
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> cache_vary on
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_mem 8 MB
> cache_swap_low 98
> cache_swap_high 99
> maximum_object_size 51200 KB
> minimum_object_size 0 KB
> ipcache_size 2048
> ipcache_low 98
> ipcache_high 99
> fqdncache_size 2048
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap GDSF
> cache_dir ufs /var/spool/squid 5000 18 256
> access_log /var/log/squid/access.log squid
> cache_log /dev/null
> cache_store_log /dev/null
> emulate_httpd_log off
> log_ip_on_direct on
> mime_table /usr/share/squid/mime.conf
> log_mime_hdrs off
> pid_filename /var/run/squid.pid
> log_fqdn off
> ftp_user admin@server
> ftp_list_width 32
> ftp_passive on
> ftp_sanitycheck on
> hosts_file /etc/hosts
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> ## Client IP Address
> acl client01 src 192.168.10.11/32
> acl client02 src 192.168.10.12/32
>
> ## Client MAC Address
> acl client01-mac arp 00:16:17:BB:2B:AF
> acl client02-mac arp 00:1A:4D:44:F5:2E
>
> # user01
> http_access allow client01 client01-mac
> http_access deny client01 !client01-mac
> # user02
> http_access allow client02 client02-mac
> http_access deny client02 !client02-mac
>
> http_access allow localhost
> http_access deny all
> icp_access allow all
> cache_mgr admin@server
> cache_effective_user proxy
> cache_effective_group proxy
> visible_hostname Proxy.server
> always_direct allow all
> coredump_dir /var/spool/squid
> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
> store_dir_select_algorithm round-robin
> ## ---- end of squid.conf ----
>
>
> and this is my iptables for squid transparent
>
> #### USER 1
> $IPT -A PREROUTING -t nat -i $LAN -s $USER1 -m mac --mac-source $MAC_USER1 -j ACCEPT
> $IPT -t nat -A PREROUTING -i $LAN -s $USER1 -p tcp --dport 80 -j REDIRECT --to-port 3128
> $IPT -A PREROUTING -t nat -i $LAN -s ! $USER1 -m mac --mac-source $MAC_USER1 -j DROP
>

Well, that's broken.
To see what it's doing go:
   iptables -t nat -L PREROUTING -v
I expect the REDIRECT counters are all '0'.
Because anything that comes in from user1 gets accepted before the
REDIRECT. I think line 2 and 1 should be reversed.

> #### USER 2
> $IPT -A PREROUTING -t nat -i $LAN -s $USER2 -m mac --mac-source $MAC_USER2 -j ACCEPT
> $IPT -t nat -A PREROUTING -i $LAN -s $USER2 -p tcp --dport 80 -j REDIRECT --to-port 3128
> $IPT -A PREROUTING -t nat -i $LAN -s ! $USER2 -m mac --mac-source $MAC_USER2 -j DROP
>
> $IPT -A FORWARD -i $LAN -s $USER1 -m mac --mac-source $MAC_USER1 -j ACCEPT
> $IPT -A FORWARD -i $LAN -s ! $USER1 -m mac --mac-source $MAC_USER1 -j DROP
> $IPT -A FORWARD -i $LAN -s $USER2 -m mac --mac-source $MAC_USER2 -j ACCEPT
> $IPT -A FORWARD -i $LAN -s ! $USER2 -m mac --mac-source $MAC_USER2 -j DROP
>
> $IPT -t nat -A POSTROUTING -o $INTERNET -s $USER1 -j MASQUERADE
> $IPT -t nat -A POSTROUTING -o $INTERNET -s $USER2 -j MASQUERADE
>
>
>
> When I look into /var/log/squid/access.log, I can
> found client access squid.
> If the client sets the browser to use the proxy at
> 192.168.1.10, I can see the client in
> /var/log/squid/access.log.
>
> What's wrong with my squid.conf or iptables rules?
> Why is the transparent proxy not working, & why must clients
> set the proxy in their browser if they want to use the
> proxy?

see note above on iptables rules.
Second, do you have arp-relay enabled on your network or are the clients
directly connected?
Without arp-relay squid will only see the MAC address of the
router/bridging device that connects to the squid box. Your IP and MAC
rules may be redundant.

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
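Amos's point about first-match order, as an added example that is not from the thread: a small Python simulator of the nat PREROUTING chain loaded with the three USER1 rules from the post. The interface, IP and MAC values are constructed stand-ins for $LAN, $USER1 and $MAC_USER1, and the `hits` field plays the role of the pkts counter that `iptables -t nat -L PREROUTING -v` prints.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed stand-ins for the post's $LAN, $USER1 and $MAC_USER1 variables.
LAN, USER1, MAC_USER1 = "eth1", "192.168.10.11", "00:16:17:bb:2b:af"

@dataclass
class Rule:
    """One nat PREROUTING rule; every field that is set must match (-i, -s, -m mac, --dport)."""
    target: str
    in_iface: Optional[str] = None
    src: Optional[str] = None
    src_negated: bool = False      # models '-s ! $USER1'
    mac: Optional[str] = None      # models '-m mac --mac-source'
    dport: Optional[int] = None    # models '-p tcp --dport'
    hits: int = 0                  # the pkts counter 'iptables -t nat -L PREROUTING -v' prints

    def matches(self, pkt: dict) -> bool:
        if self.in_iface and pkt["in"] != self.in_iface:
            return False
        if self.src and (pkt["src"] == self.src) == self.src_negated:
            return False
        if self.mac and pkt["mac"].lower() != self.mac:
            return False
        if self.dport and (pkt.get("proto"), pkt.get("dport")) != ("tcp", self.dport):
            return False
        return True

def traverse(chain, pkt):
    """First matching terminating target wins; later rules are never consulted."""
    for rule in chain:
        if rule.matches(pkt):
            rule.hits += 1
            return rule.target
    return "ACCEPT"  # chain policy

def build_chain(redirect_first: bool):
    """The three USER1 rules from the post; redirect_first=True is the swap Amos suggests."""
    accept = Rule("ACCEPT", in_iface=LAN, src=USER1, mac=MAC_USER1)
    redirect = Rule("REDIRECT", in_iface=LAN, src=USER1, dport=80)
    drop_spoof = Rule("DROP", in_iface=LAN, src=USER1, src_negated=True, mac=MAC_USER1)
    return [redirect, accept, drop_spoof] if redirect_first else [accept, redirect, drop_spoof]

def web_request(src=USER1, mac=MAC_USER1):  # constructed packet: LAN host opening TCP port 80
    return {"in": LAN, "src": src, "mac": mac, "proto": "tcp", "dport": 80}

def redirect_hits(redirect_first: bool, requests: int = 3) -> int:
    """Send a few USER1 web requests through the chain and read the REDIRECT counter."""
    chain = build_chain(redirect_first)
    for _ in range(requests):
        traverse(chain, web_request())
    return next(r.hits for r in chain if r.target == "REDIRECT")
```

With the original order the REDIRECT counter stays at 0 (every USER1 packet is ACCEPTed first), which is exactly what the `-v` listing would reveal; with the two rules swapped, port-80 traffic reaches the REDIRECT and the IP/MAC mismatch rule still DROPs a spoofed source.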
Received on Fri Jan 25 2008 - 20:30:51 MST
