AW: Re: [squid-users] Squid and Intranet

From: - leer - <a_at_exdo.de>
Date: Mon, 12 Oct 2009 18:20:25 +0200

>
> Listing the rules with -nv options as well will show the additional fields
> and packet counters.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
> Current Beta Squid 3.1.0.14
>

Hello,

There are no other rules; I had deleted them all.
For this I used the following script:

iptables -F
iptables -X
iptables -t nat -F

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -t nat -A PREROUTING -d 192.168.0.0/24 -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j REDIRECT --to-port 880

iptables-save

On my Windows client I defined the proxy server as the gateway,
but when I send a request without having configured the proxy
in my browser I can't access the web.

I know the iptables configuration is very insecure. It was for a test.

This is the routing table I use:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
subnet.nic.corp 53.141.218.1    255.255.255.0   UG    0      0   0   eth0
192.168.0.0     *               255.255.255.0   U     0      0   0   eth1
53.141.218.0    *               255.255.255.0   U     0      0   0   eth0
link-local      *               255.255.0.0     U     0      0   0   eth0
loopback        *               255.0.0.0       U     0      0   0   lo
default         53.141.218.1    0.0.0.0         UG    0      0   0   eth0

When I use my "secure" iptables configuration I get the following
logs:
2009/10/12 17:02:16| comm_udp_sendto: FD 6, 53.146.91.248, port 53: (1) Operation not permitted
2009/10/12 17:02:16| idnsSendQuery: FD 6: sendto: (1) Operation not permitted

I can't imagine what is going wrong with the server.
Here's the important part of my squid.conf:

cache_peer 53.141.233.100 parent 80 880 proxy-only no-query no-delay login=A023098:Sept2009
http_port 880 transparent
acl all src 0.0.0.0/0.0.0.0
# defines the servers group
acl servers src 192.168.0.1-192.168.0.254/255.255.255.255

# defines the labor group
acl labor src 192.168.1.1-192.168.1.254/255.255.255.255

# defines the clients group
acl clients src 192.168.1.11-192.168.1.254/255.255.255.255

acl local dst 192.168.0.0/24
always_direct allow local

# subnet excluded for testing - everything via IPs

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 70 80 210 443 563 1025-65535
acl CONNECT method CONNECT

# entry for search queries via forms
never_direct allow servers

#Default configuration:
#http_access allow QUERY
#http_access allow manager localhost
#http_access allow localhost
#http_access allow clients

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

http_access allow servers
# allows the servers group access
http_access deny manager
http_access allow servers

# denies the clients group access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny clients

# denies everyone else access
# TAG: icp_access
# Reply to all ICP queries we receive
#
icp_access deny all

Regards,
Chris
Received on Mon Oct 12 2009 - 16:20:31 MDT
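The post above combines a flush-everything iptables script with a "secure" variant that breaks Squid's DNS (a DROP or REJECT in the OUTPUT chain is what makes sendto() fail with errno 1, EPERM, the "Operation not permitted" seen in the log). As an added example, not code from the post or from the Squid project, the script below generates a default-deny rule set that still allows only what this setup needs: the interfaces, networks, Squid port and cache_peer address are taken from the post, and it assumes clients only need intercepted HTTP (anything else they need must get explicit FORWARD rules).

```shell
# Added example (not from the original post): default-deny iptables
# rules for the transparent Squid setup described on the list.
# Values below are the post's; adjust for your network.
LAN_IF=eth1             # inside interface (clients)
WAN_IF=eth0             # outside interface (toward parent proxy)
LAN_NET=192.168.0.0/24
SQUID_PORT=880          # http_port in squid.conf
PARENT=53.141.233.100   # cache_peer address from the post
PARENT_PORT=80          # cache_peer http port from the post

# Emit the rules one command per line so they can be reviewed
# (or piped to sh as root) instead of being applied blindly.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# clients reach the intercepting Squid port
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
# Squid needs DNS; blocking this in OUTPUT yields "sendto: (1) Operation not permitted"
iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT
# Squid forwards to the parent cache_peer
iptables -A OUTPUT -o $WAN_IF -p tcp -d $PARENT --dport $PARENT_PORT -j ACCEPT
# intercept client web traffic; leave intranet destinations alone
iptables -t nat -A PREROUTING -i $LAN_IF -d $LAN_NET -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
EOF
}

# Sanity check: exactly one rule lets Squid's UDP DNS queries out
dns_rule_count() {
    gen_rules | grep -c -- '-p udp --dport 53 -j ACCEPT'
}

# Run with "apply" as root to load the rules; otherwise just print them
if [ "${1:-}" = apply ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Listing the result with `iptables -L -nv` afterwards shows packet counters per rule, which is the quickest way to see whether the DNS or parent-proxy traffic is actually matching the intended ACCEPT line.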
