Re: [squid-users] Interception proxy with DNAT using squid 3.3.1

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 18 Feb 2013 16:08:00 +1300

On 18/02/2013 2:47 p.m., Ghassan Gharabli wrote:
> Hello,
>
> Ive been trying to solve this problem for the past three days but
> wasnt successfull.
>
>
> I want to setup an interception proxy with DNAT.
>
> SQUID ---> MIKROTIK Router ----> CLIENT PC
>
> Squid Configure Options: --enable-ssl --enable-ssl-crtd
> --enable-icap-client --with-filedescriptors=8192
> --enable-ltdl-convenience
>
>
>
> MY Squid config :
> -----------------------
> #
> # Recommended minimum configuration:
> #
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly
> plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
>
> http_port 0.0.0.0:8080
> http_port 0.0.0.0:3128 intercept
> #http_port 192.168.10.4:3128 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=10MB
> cert=/usr/local/squid/ssl_cert/myCA.pem
> #https_port 192.168.10.4:3129 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=10MB
> cert=/usr/local/squid/ssl_cert/myCA.pem
>
> cache_dir ufs /usr/local/squid/var/cache/squid 10000 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> always_direct allow all
> acl broken_sites dstdomain .example.com
> ssl_bump none localhost
> ssl_bump none broken_sites
> ssl_bump server-first
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_cert_adapt setCommonName
> #sslproxy_cert_sign signTrusted
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
> /usr/local/squid/var/lib/ssl_db -M 10MB
> sslcrtd_children 5
>
>
> forwarded_for transparent
> #visible_hostname cache2.skydsl.net
> #offline_mode on
> maximum_object_size 100000 KB
>
> ERROR I AM GETTING :
> ----------------------------------
> The following error was encountered while trying to retrieve the URL:
> http://www.cnn.com/
> Connection to 192.168.10.4 failed.
> The system returned: (111) Connection refused
> The remote host or network may be down. Please try the request again.
> ----------------------------------
>
> I tried everything was mentioned at
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> [root_at_cache2 ~] # iptables -t nat --list rules
> -P PREROUTING ACCEPT
> -P INPUT ACCEPT
> -P OUTPUT ACCEPT
> -P POSTROUTING ACCEPT
> -A PREROUTING -s 192.168.10.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
> -A POSTROUTING -j MASQUERADE
>
> [root_at_cache2 ~] # iptables -t mangle --list-rules
> -P PREROUTING ACCEPT
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -P POSTROUTING ACCEPT
> -A PREROUTING -s 192.168.10.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
>
>
> What do you think the problem might be?

Those settings are correct for Squid and the Squid box iptables. So the
problem is being introduced elsewhere ...

... something along the route between client and Squid box is setting
the cnn.com destination IP address to 192.168.10.4.

The Mikrotik doing DNAT?
Some DNS forgery sending teh client to that IP directly? (dnsmasq)

Amos
Received on Mon Feb 18 2013 - 03:08:16 MST

This archive was generated by hypermail 2.2.0 : Mon Feb 18 2013 - 12:00:03 MST