Proxy won't let me connect, iptables, squid and dansguardian

hindenbergbaby · 07-23-2004, 02:00 PM

Hi all,

I am configuring a transparent proxy using IPTables, squid, and dansguardian on a K12LTSP server (based on Fedora Core 1). I had everything working great, then I changed some filter configuration files and I get the message that my proxy server will not allow me to access the internet, please check proxy settings.

Here is what I've got in squid.conf:

cache_effective_user squid
cache_effective_group squid

http_port 127.0.0.1:3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Usage: port

snip snip

iptables# Generated by iptables-save v1.2.9 on Fri Jul 23 14:56:17 2004
*nat
:PREROUTING ACCEPT [239:41567]
:POSTROUTING ACCEPT [13:780]
:OUTPUT ACCEPT [218:13122]
-A POSTROUTING -o eth1 -j MASQUERADE
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
COMMIT
# Completed on Fri Jul 23 14:56:17 2004
# Generated by iptables-save v1.2.9 on Fri Jul 23 14:56:17 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2817:1072481]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jul 23 14:56:17 2004

here's dansguardian with some snipperos
Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to only 1 IP. Yes only one.
filterip =

# the port that DansGuardian listens to
# It needs to be greater than 1024
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128

# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied
#
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

daemonuser = 'squid'
daemongroup = 'squid'

# Content filtering files location
bannedphraselist = '/etc/dansguardian/bannedphraselist'
exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
weightedphraselist = '/etc/dansguardian/weightedphraselist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
exceptionurllist = '/etc/dansguardian/exceptionurllist'
bannedurllist = '/etc/dansguardian/bannedurllist'
bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
picsfile = '/etc/dansguardian/pics'
contentregexplist = '/etc/dansguardian/contentregexplist'

Anyone see anything seriously amiss? I am using the IP address of eth1 as the proxy, but I've also tried the loopback address and gotten the same message. DIsabling iptables, squid and Dansguardian won't work, but connecting directly to the internet will...

Any ideas (go easy, I'm a newb)

take care

newpenguin · 07-23-2004, 02:45 PM

iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to 127.0.0.1:3128

hindenbergbaby · 07-26-2004, 04:51 PM

Gave that a try, to no avail.

Here's the exact error message: The connection was refused when trying to contact the proxy server you have configured. Please check your proxy settings and try again.

All the rest remains the same.

newpenguin · 07-26-2004, 06:24 PM

simply because port is open only for loopback ip.
i though u r using it in transperant mode.

change the first line to

http_port 3128

huangyong · 12-02-2009, 03:45 AM

I have checked through squid.conf through for a long time,and i failed.
then i reboot the proxy server. and the squid reboot.
I try squidclient -p 80 mgr:info
shell echo client: ERROR: Cannot connect to localhost:80: Connection refused

and then i tried squidclient -p 80 -h [my sever's ip]mgr:info
and a lot of information was printed.

maybe this will be help for you.