Squid Interception Proxying Troubles

Patrick Fleming, EA plug at rwcinc.net
Thu Nov 2 10:32:06 MST 2006



Erik,
Checking my iptables rules I find that I have postrouting set as well.
Chain POSTROUTING (policy ACCEPT)
target	prot	opt	source		destination
SNAT	all	--	anywhere	anywhere	to:10.0.0.2

to: is set to the outside nic of the Squid/firewall machine.
Also are you redirecting "outside" port 80 to 3128 on the squid machine
and if so is squid accepting connections on 3128? I'm not entirely
certain that 80 needs to be redirected on the squid machine if you
already have a router doing that for you.

Erik Bixby wrote:
> As I said in my initial post, I have read every word of Squid's FAQ on
> the matter, and I have my iptables set up properly:
> root at filter:~# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> REDIRECT   tcp  --  anywhere             anywhere            tcp
> dpt:www redir ports 3128
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> root at filter:~#
> 
> I have no expectation that we will be filtering SSL.  There was a post
> on the matter earlier, from someone else.  Perhaps, you are confusing
> the two.  Although, I do appreciate your attention and willingness to
> try and help.
> 
> Where I've run into trouble is it seems as though I have everything
> set up properly.  Squid works if you connect directly to it.  The GRE
> tunnel establishes a connection to the router.  Squid registers itself
> with the router and is recognized.  Traffic is forwarded to the Squid
> box.  I've verified this with Ethereal; with Squid not registered with
> the router, eth0 doesn't see traffic from my browser.  With Squid
> registered with the router, I see the traffic on eth0, but nothing
> more ever happens...
> -Erik
> 
> On 11/1/06, JT Moree <moreejt at pcxperience.com> wrote:
> Erik Bixby wrote:
>> SquidGuard runs fine.  With a browser configured to use the proxy
>> directly, everything works.  It's only when trying to intercept
>> traffic that things fall down.  I can get the packets from the client
>> to the web server to either the Ethernet or GRE virtual interface on
>> the Squid box, but Squid does nothing with them.  That is my problem;
>> how to get Squid to act on HTTP requests that are neither originated
>> from nor destined for it.
> huh?  Try using the firewall on the squid box to forward incoming
> traffic for port 80 to the squid port.  Unless you are running squid at
> port 80--which is possible I suppose.
> 
> If you are trying to automatically forward port 443 (ssl) I don't think
> that will work.  ssl traffic will need to use the proxy setup in the
> browser.
> 
> If I understand what you are trying to do it involves more than just
> squid to do it.  Probably need to re-direct all port 80 traffic that is
> not from the squid box to the squid box on the real firewall.  Then
> allow squid box to access port 80 through the firewall.
> 
> Is the proxy server (squid) the same as the firewall?  same principles
> apply just on one machine rather than over the network.
> 
> --
> JT Morée
> PC Xperience, Inc.
-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

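An added checker, not code from anyone in this thread: it parses `iptables -t nat -L` output of the form Erik posted and reports what an interception setup is missing. The sample listing is constructed from the thread's two listings (Erik's REDIRECT plus Patrick's SNAT line); the SNAT check mirrors Patrick's setup and only matters when the Squid host is also the egress gateway, and the port-80 service name `www` is how `-L` prints it without `-n`.

```python
import re

# Constructed sample: the `iptables -t nat -L` output quoted in the thread,
# with the SNAT rule from Patrick's reply added to POSTROUTING.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere            to:10.0.0.2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

def parse_nat_table(text):
    """Parse `iptables -t nat -L` output into {chain_name: [rule dicts]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:                       # new chain header
            current = m.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue                # blank line or column header
        parts = line.split(None, 5)
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""   # match/target options
        chains[current].append({"target": target, "prot": prot,
                                "src": src, "dst": dst, "extra": extra})
    return chains

def audit_interception(chains, proxy_port=3128):
    """Return a list of findings; an empty list means nothing is missing."""
    findings = []
    redirects = [r for r in chains.get("PREROUTING", [])
                 if r["target"] == "REDIRECT" and r["prot"] == "tcp"
                 and "dpt:www" in r["extra"]
                 and f"redir ports {proxy_port}" in r["extra"]]
    if not redirects:
        findings.append(f"PREROUTING: no REDIRECT of tcp/80 to {proxy_port}")
    if not any(r["target"] in ("SNAT", "MASQUERADE")
               for r in chains.get("POSTROUTING", [])):
        findings.append("POSTROUTING: no SNAT/MASQUERADE for outbound traffic")
    for r in redirects:             # an unrestricted REDIRECT intercepts any client
        if r["src"] == "anywhere":
            findings.append("PREROUTING: REDIRECT is not limited to a client network")
    return findings
```

Run it against `iptables -t nat -L` captured from the Squid box; rules restricted with `-s` or `-i` show up with a concrete source instead of `anywhere`.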
