If I understand your iptables script, you have a transparent setup that
grabs all traffic leaving port 80 on the outer interface (the one 'closest'
to the internet). This should be consistent with what your proxy is
showing. We would need to know more about the physical connections of the
two machines. Are they both NAT'ed? Does the other machine (the one that
initially worked properly) have the same/similar iptables script?
Brian
-----Original Message-----
From: Maria Dolores [mailto:mshk@caton.es]
Sent: Thursday, January 05, 2006 2:17 AM
To: Brian Phillips
Subject: RE: [squid-users] access denied with squid-3.0
Thanks Brian,
With your instruction I have achieved squid works without problems,
even several squid instances.
I don't initiate the conexion with the proxy in any manner because my
system works with squid like a local proxy. The configuration of
iptables I use for a user 'fulano', with squid in the port 3128:
*nat
:PREROUTING ACCEPT [463:69228]
:POSTROUTING ACCEPT [3343:204776]
:OUTPUT ACCEPT [3257:199616]
:proxy_fulano - [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner fulano -j
proxy_fulano
-A proxy_fulano -m owner --uid-owner squid -j RETURN
-A proxy_fulano -p tcp -j REDIRECT --to-ports 3128
Thanks again for your help
Kind regards
Maria D.
El mié, 04-01-2006 a las 11:39 -0700, Brian Phillips escribió:
> You are getting a "access denied" because in the squid.conf of your
acept-2
> machine, you need the lines:
>
> acl acept2 src 192.168.1.31/32
> http_access accept acept2
>
> In between these lines:
>
> acl localhost src 127.0.0.1/255.255.255.255
> http_access allow localhosts
>
> Final config would be:
>
> acl localhost src 127.0.0.1/255.255.255.255
> acl acept2 src 192.168.1.31/32
> http_access allow acept2
> http_access allow localhost
> http_access deny all
>
> As for where squid pulls the ip address of the machine, I think in the
> access.log it actually pulls the ip address of the requesting machine, and
> only does a lookup if you want to see hostnames in your log file, rather
> than ip addresses. You should probably tell us how you are initiating
these
> connections to the proxy, and if you are using any type of redirection
like
> iptables or the sorts.
>
> Brian
>
> -----Original Message-----
> From: Maria Dolores [mailto:mshk@caton.es]
> Sent: Wednesday, January 04, 2006 3:40 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] access denied with squid-3.0
>
> Greetings,
>
> I have installed squid-3.0 with squidGuard-1.2.0 in two different linux
> systems, the configuration of squid in both is identical.
> In one of them squid works properly, in the other I obtain the message
> 'ERROR ... Access denied' when I try to access to the web through the
> proxy.
> Neither error message is showed in the squid logs in the second system,
> the only difference I have observed is at the access.log file:
>
> In the first system the messages in this file are:
> 113... 470 127.0.0.1 TCP_REFRESH_MISS /....
>
> In the second system instead of 127.0.0.1 is showed the public IP of the
> host:
> 113... 0 192.168.1.31 TCP_DENIED /403 ....
>
> The file /etc/hosts in the first machine (acept) has the aspect:
> 127.0.0.1 acept localhost
> In the second machine (acept-2) this line was:
> 127.0.0.1 localhost.localdomain localhost acept-2
> I have changed this line for:
> 127.0.0.1 acept-2 localhost
> However the messages in access.log continue showing the public IP and
> the problem persists.
>
> What could this error be due to? Where does squid obtain the IP of the
> machine?
>
> The squid.conf file's content in both systems is:
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> acl all src 0/0
> no_cache deny all
> cache_dir null /tmp
> access_log /usr/squid/var/logs/access.log
> cache_log /usr/squid/var/logs/cache.log
> cache_store_log /usr/squid/var/logs/store.log
> hosts_file /etc/hosts
> redirect_program /usr/squidGuard/bin/squidGuard
> -c /usr/squid/etc/squidGuard.conf
> redirect_children 4
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher:1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl localhost src 127.0.0.1/255.255.255.255
> http_access allow localhosts
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname acept
> coredump_dir /usr/squid/var/cache
>
> Thanks
> Maria D.
>
Received on Thu Jan 05 2006 - 09:55:19 MST
This archive was generated by hypermail pre-2.1.9 : Wed Feb 01 2006 - 12:00:01 MST