storri (n00b)
Joined: 02 Jun 2003, Posts: 40
Posted: Fri Jan 05, 2007 7:17 pm    Post subject: Squid will not allow local network machines to access it
On a local machine I have decided to install squid + dansguardian as a transparent proxy, but so far I have gotten nothing but access denied from the squid server. Here are the versions of the tools I am using, on a 2.6 kernel:
Quote:
squid-2.6.5
iptables-1.3.5-r4
dansguardian-2.8.0.6-r1
While I have gone through the forums to try to find a solution, I have found nothing to explain why I cannot touch the squid proxy. I turned off dansguardian and redid the firewall rules to try to test against the proxy directly. Again I found myself receiving the access denied message. So I suspect I have done something silly or failed to do a required task. Here is a diff of my configuration for squid against squid.conf.default:
Quote:
--- squid.conf.default 2007-01-05 08:35:39.000000000 -0600
+++ squid.conf 2007-01-05 13:07:38.000000000 -0600
@@ -71,5 +71,5 @@
#
# Squid normally listens to port 3128
-http_port 3128
+http_port 3128 transparent
# TAG: https_port
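Review bot: `transparent` is the correct keyword for the squid-2.6.5 listed above (later Squid releases renamed it `intercept`), but it only tells Squid to rebuild the request URL for intercepted connections; it grants no access on its own, so the denial has to come from the `http_access` lines further down. With `transparent` set, the port is meant to be reached through a NAT redirect, which in the posted firewall script is the `DNAT --to-destination 127.0.0.1:3128` rule. A browser explicitly configured to use 192.168.1.2:3128 takes the redirect out of the picture and separates the ACL question from the NAT question.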
@@ -2510,5 +2510,5 @@
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
-#http_access deny to_localhost
+http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
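Review bot: uncommenting `http_access deny to_localhost` places a deny ahead of every allow that follows, and Squid stops at the first `http_access` line that matches, so the order of these lines is what decides the outcome. `to_localhost` is the stock `dst 127.0.0.0/8` ACL, i.e. it matches requests whose URL host resolves to loopback, which is also the address the posted NAT rule sends intercepted traffic to. Before changing anything else, look at the access.log entry for one denied request: the recorded URL shows whether Squid saw a request for the real site or for localhost, which is exactly what this rule tests.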
@@ -2517,6 +2517,6 @@
# to list your (internal) IP networks from where browsing should
# be allowed
-#acl our_networks src 192.168.1.0/24 192.168.2.0/24
-#http_access allow our_networks
+acl our_networks src 192.168.1.0/24
+http_access allow our_networks
# Allow the localhost to have access by default
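Review bot: the `http_access allow our_networks` line has to come before the stock file's closing `http_access deny all`, and placing it at the "INSERT YOUR OWN RULE(S) HERE" marker does that, so the ordering here is fine. Two consistency points against the posted firewall script, though: its NAT rules act only on the OUTPUT chain for source 192.168.1.2, so the only client that is ever redirected to this `http_port` is the proxy host itself, not the "local network machines" of the title (other hosts would need a PREROUTING redirect and a FORWARD accept); and the ssh rule there uses `192.168.1.0/8`, which is really 192.0.0.0/8 and does not match the /24 defined in this hunk.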
I have not changed much in the configuration beyond the recommended minimum setup. To help, here is part of the access.log showing one request:
The only other silly thing is that my firewall rules, which try to force all HTTP traffic to the proxy, are somehow a mess. I have been using fwbuilder to create the firewall rules, so here is the fwbuilder output for the firewall. It's significantly easier to read than the XML.
Quote:
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v2.0.12-1
#
# Generated Fri Jan 5 11:46:32 2007 CST by storri
#
# files: * Base.fw
#
#
# This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address.
#
#
#
set -x
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
#
# Prolog script
#
#
# End of prolog script
#
log() {
echo "$1"
test -x "$LOGGER" && $LOGGER -p info "$1"
}
va_num=1
add_addr() {
addr=$1
nm=$2
dev=$3
type=""
aadd=""
L=`$IP -4 link ls $dev | head -n1`
if test -n "$L"; then
OIFS=$IFS
IFS=" /:,<"
set $L
type=$4
IFS=$OIFS
L=`$IP -4 addr ls $dev to $addr | grep inet | grep -v :`
if test -n "$L"; then
OIFS=$IFS
IFS=" /"
set $L
aadd=$2
IFS=$OIFS
fi
fi
if test -z "$aadd"; then
if test "$type" = "POINTOPOINT"; then
$IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
if test "$type" = "BROADCAST"; then
$IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
fi
}
getInterfaceVarName() {
echo $1 | sed 's/\./_/'
}
getaddr() {
dev=$1
name=$2
L=`$IP -4 addr show dev $dev | grep inet | grep -v :`
test -z "$L" && {
eval "$name=''"
return
}
OIFS=$IFS
IFS=" /"
set $L
eval "$name=$2"
IFS=$OIFS
}
getinterfaces() {
NAME=$1
$IP link show | grep ": $NAME" | while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
LSMOD="lsmod"
MODPROBE="modprobe"
IPTABLES="iptables"
IPTABLES_RESTORE="iptables-restore"
IP="ip"
LOGGER="logger"
if $IP link ls >/dev/null 2>&1; then
echo;
else
echo "iproute not found"
exit 1
fi
INTERFACES="eth0 lo "
for i in $INTERFACES ; do
$IP link show "$i" > /dev/null 2>&1 || {
log "Interface $i does not exist"
exit 1
}
done
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
$IP -4 neigh flush dev eth0 >/dev/null 2>&1
$IP -4 addr flush dev eth0 secondary label "eth0:FWB*" >/dev/null 2>&1
add_addr 192.168.1.2 32 eth0
$IP link set eth0 up
add_addr 127.0.0.1 8 lo
$IP link set lo up
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack* *_nat_* | sed -n -e 's/\.ko$//p' -e 's/\.o$//p' -e 's/\.ko\.gz$//p' -e 's/\.o\.gz$//p')`
for module in $MODULES; do
if $LSMOD | grep ${module} >/dev/null; then continue; fi
$MODPROBE ${module} || exit 1
done
log 'Activating firewall script generated Fri Jan 5 11:46:32 2007 by storri'
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
ip6tables -L -n > /dev/null 2>&1 && {
ip6tables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
}
cat /proc/net/ip_tables_names | while read table; do
test "X$table" = "Xmangle" && continue
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
#
$IPTABLES -t nat -A POSTROUTING -p tcp -m tcp -s 192.168.1.2 --dport 3128 -j ACCEPT
$IPTABLES -t nat -A OUTPUT -p tcp -m tcp -s 192.168.1.2 --dport 3128 -j ACCEPT
#
# Rule 1 (NAT)
#
echo "Rule 1 (NAT)"
#
#
$IPTABLES -t nat -A OUTPUT -p tcp -m tcp -s 192.168.1.2 --dport 80 -j DNAT --to-destination 127.0.0.1:3128
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -s 192.168.1.2 -d 127.0.0.1 --dport 3128 -j SNAT --to-source 192.168.1.2
#
# Rule 0 (eth0)
#
echo "Rule 0 (eth0)"
#
#
#
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -s 192.168.1.0/8 -d 192.168.1.2 --dport 22 -m state --state NEW -j ACCEPT
#
# Rule 1 (eth0)
#
echo "Rule 1 (eth0)"
#
#
#
$IPTABLES -N Cid459E36FA.0
$IPTABLES -A OUTPUT -o eth0 -s 192.168.1.2 -m state --state NEW -j Cid459E36FA.0
$IPTABLES -N eth0_Out_RULE_1
$IPTABLES -A Cid459E36FA.0 -p tcp -m tcp --dport 53 -j eth0_Out_RULE_1
$IPTABLES -A Cid459E36FA.0 -p udp -m udp --dport 53 -j eth0_Out_RULE_1
$IPTABLES -A eth0_Out_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_1 -j ACCEPT
#
# Rule 2 (eth0)
#
echo "Rule 2 (eth0)"
#
#
#
$IPTABLES -N Cid459E398D.0
$IPTABLES -A OUTPUT -o eth0 -s 192.168.1.2 -m state --state NEW -j Cid459E398D.0
$IPTABLES -N eth0_Out_RULE_2
$IPTABLES -A Cid459E398D.0 -p tcp -m tcp -m multiport --dports 80,3128 -j eth0_Out_RULE_2
$IPTABLES -A eth0_Out_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_2 -j ACCEPT
#
# Rule 3 (eth0)
#
echo "Rule 3 (eth0)"
#
#
#
$IPTABLES -N eth0_Out_RULE_3
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -s 192.168.1.2 --dport 25 -m state --state NEW -j eth0_Out_RULE_3
$IPTABLES -A eth0_Out_RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_3 -j ACCEPT
#
# Rule 4 (eth0)
#
echo "Rule 4 (eth0)"
#
#
#
$IPTABLES -N Cid459E4F2D.0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -m state --state NEW -j Cid459E4F2D.0
$IPTABLES -N eth0_In_RULE_4
$IPTABLES -A Cid459E4F2D.0 -p tcp -m tcp -m multiport --dports 110,995,143,993 -j eth0_In_RULE_4
$IPTABLES -N Cid459E4F2D.1
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state NEW -j Cid459E4F2D.1
$IPTABLES -A Cid459E4F2D.1 -p tcp -m tcp -m multiport --dports 110,995,143,993 -j eth0_In_RULE_4
$IPTABLES -A eth0_In_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT "
$IPTABLES -A eth0_In_RULE_4 -j ACCEPT
$IPTABLES -N Cid459E4F2D.2
$IPTABLES -A OUTPUT -o eth0 -s 192.168.1.2 -m state --state NEW -j Cid459E4F2D.2
$IPTABLES -N eth0_Out_RULE_4
$IPTABLES -A Cid459E4F2D.2 -p tcp -m tcp -m multiport --dports 110,995,143,993 -j eth0_Out_RULE_4
$IPTABLES -A eth0_Out_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_4 -j ACCEPT
#
# Rule 5 (eth0)
#
echo "Rule 5 (eth0)"
#
#
#
$IPTABLES -N eth0_Out_RULE_5
$IPTABLES -A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.2 --dport 123 -m state --state NEW -j eth0_Out_RULE_5
$IPTABLES -A eth0_Out_RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_5 -j ACCEPT
#
# Rule 0 (lo)
#
echo "Rule 0 (lo)"
#
#
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
#
#
$IPTABLES -N RULE_0
$IPTABLES -A OUTPUT -j RULE_0
$IPTABLES -A INPUT -j RULE_0
$IPTABLES -A FORWARD -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A RULE_0 -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Epilog script
#
# End of epilog script
#
Any suggestions, wise advice or otherwise enlightening suggestions would be greatly appreciated. I am sure I did something silly.
Stephen
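To make the rule-ordering question in the squid.conf diff concrete, here is a small first-match evaluator for Squid `http_access` lines, written for this thread as an added example (it is not code from the original post, nor part of Squid). It models only the `src` and `dst` ACL types and Squid's rule that the first `http_access` line whose ACLs all match wins, with the opposite of the last rule as the implicit default, so it is general enough to test any ordering, not just the one posted. The config excerpt is constructed: it takes the three `http_access` lines from the diff above and assumes the stock file's `acl localhost`, `acl to_localhost`, `acl all`, `http_access allow localhost` and trailing `http_access deny all` remain in place around them. The client and destination addresses (93.184.216.34, 10.0.0.5) are made up, and the loopback-destination request is a hypothetical case, not something taken from the poster's access.log. The `effective_network` helper is there to show what the posted ssh rule's `192.168.1.0/8` actually covers.

```python
"""Minimal first-match evaluator for Squid http_access rules.

Added example for this thread, not code from the original post or from
Squid itself.  Only the 'src' and 'dst' ACL types are modelled.
"""
import ipaddress

# Constructed excerpt: the stock ACL definitions, the three http_access
# lines from the posted diff, and the stock 'allow localhost' / 'deny all'
# that are assumed to follow them in the default squid.conf.
SQUID_CONF = """
acl all src 0.0.0.0/0
acl localhost src 127.0.0.0/8
acl to_localhost dst 127.0.0.0/8
http_access deny to_localhost
acl our_networks src 192.168.1.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
"""


def parse_config(text):
    """Return ({acl_name: (type, [networks])}, [(action, [acl names])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) > 3 and words[2] in ("src", "dst"):
            # strict=False accepts sloppy prefixes such as 192.168.1.0/8
            nets = [ipaddress.ip_network(w, strict=False) for w in words[3:]]
            acls.setdefault(words[1], (words[2], []))[1].extend(nets)
        elif words[0] == "http_access" and len(words) > 2 and words[1] in ("allow", "deny"):
            rules.append((words[1], words[2:]))
        else:
            raise ValueError("unsupported line: " + line)
    return acls, rules


def acl_matches(acl, src, dst):
    """'src' ACLs test the client address, 'dst' ACLs the URL host's address."""
    kind, nets = acl
    addr = ipaddress.ip_address(src if kind == "src" else dst)
    return any(addr in net for net in nets)


def evaluate(acls, rules, src, dst):
    """Return (decision, 1-based rule number), or (decision, None) when no
    rule matched and Squid's implicit default (opposite of the last rule)
    applies.  A leading '!' on an ACL name negates it, as in Squid."""
    for number, (action, names) in enumerate(rules, 1):
        if all(acl_matches(acls[n.lstrip("!")], src, dst) != n.startswith("!")
               for n in names):
            return action, number
    return ("allow" if rules[-1][0] == "deny" else "deny"), None


def effective_network(prefix):
    """Network a prefix really covers, e.g. the ssh rule's 192.168.1.0/8."""
    return str(ipaddress.ip_network(prefix, strict=False))


if __name__ == "__main__":
    acls, rules = parse_config(SQUID_CONF)
    cases = [
        ("192.168.1.2", "93.184.216.34", "LAN client, URL host outside"),
        ("192.168.1.2", "127.0.0.1", "LAN client, URL host resolving to loopback"),
        ("10.0.0.5", "93.184.216.34", "client outside our_networks"),
    ]
    for src, dst, why in cases:
        print(f"{why}: {evaluate(acls, rules, src, dst)}")
    print("192.168.1.0/8 really means", effective_network("192.168.1.0/8"))
```

Run it as-is to see the three decisions and the rule number that produced each; then reorder the `http_access` lines in `SQUID_CONF`, or feed in a request from another host, to see where the first match lands. The evaluator deliberately raises on lines it does not understand rather than silently skipping them, so a real squid.conf has to be trimmed to its `src`/`dst` ACLs before it is pasted in.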
plut0 (Apprentice)
Joined: 21 Dec 2004, Posts: 272
Posted: Sat Jan 06, 2007 4:45 pm
Did you allow your network to access squid?
Code:
acl our_networks src 192.168.0.0/24
http_access allow our_networks
I would work on only one at a time. Start with squid and get it working, then dansguardian, then iptables. Don't try to do all three at once.
storri (n00b)
Joined: 02 Jun 2003, Posts: 40
Posted: Sat Jan 06, 2007 5:29 pm    Post subject: HTTP via squid works
HTTP via squid works. Is it necessary to set up HTTPS via squid as well to filter those URLs?