LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 09-14-2014, 08:33 AM   #1
yaziron5
LQ Newbie
 
Registered: Sep 2013
Posts: 8

squid and iptables


Hello all:

I am trying to get squid running on my CentOS machine. The server has two NICs, eth0 tied to the internet with DHCP and eth1 tied to the LAN with IP 192.168.1.1. I used "yum install squid" and it installed 3.1.10. I have iptables running for firewall and NAT. I issued the command
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

I am trying to use a basic squid.conf file just to get it all working. My squid.conf file is (basically the default file with the visible_hostname added, cache_mem added, and all "deny" entries deleted):
Code:
visible_hostname blitz
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 192.168.1.0/24

http_access allow manager localhost
http_access deny manager

http_access allow localnet
http_access allow localhost

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

cache_dir ufs /var/spool/squid 100 16 256

cache_mem 32 MB

coredump_dir /var/spool/squid
When I do a service squid start, it starts fine with no errors or warnings. The /var/log/squid/cache.log file gets appended to and seems okay. Whenever I try to access an http page from my LAN (specific IP address of 192.168.1.76), I get a "waiting for response..." from the website until the timeout and then a page cannot be displayed error. HTTPS websites seem to work. In both cases, there is nothing in the /var/log/squid/access.log file. It remains 0 bytes no matter how many times I try to access the internet. Also, /var/log/messages does not show any traffic (not sure if it should, but just indicated that for fyi...)

netstat -van | grep 3128 shows

tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN

I also tried running squid without the "transparent" in the squid.conf file and pointing the web browser on the 192.168.1.76 machine (Windows 7) to use a proxy at 192.168.1.1:3128, and it told me the proxy server is not responding. It seems to me that squid is actually not listening, but netstat seems to indicate it is. Also, ps -ef | grep squid shows a squid -f /etc/squid/squid.conf entry, a (squid) -f /etc/squid/squid.conf entry and a (unlinkd) entry.

I am stumped. I have tried everything I can think of and searched high and low on the internet. Everything seems to indicate that the configurations I have listed will work. Any ideas as to what to do next?

Thanks much
 
Old 09-15-2014, 02:38 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Is iptables blocking inbound 3128 connections? Show us the output of "iptables -vnL". Also run a tcpdump on the squid server - "tcpdump -i eth1 port 3128" - and make a connection from your test client again, see what traffic hits the box.

Note that transparent proxying is often really not the wonderful solution you think it is. I'd always suggest NOT doing that, and just configuring browsers to use it explicitly, potentially with an automatically distributed proxy.pac file.

Last edited by acid_kewpie; 09-15-2014 at 04:57 PM.
 
Old 09-15-2014, 09:06 AM   #3
yaziron5
LQ Newbie
 
Registered: Sep 2013
Posts: 8

Original Poster
Thanks Kewpie, I am at work right now so I will try that when I get home this evening. I did run the "tcpdump -i eth1" command, but ran it against port 80 instead of 3128. I don't remember the output offhand.

Also, I set iptables filter table policies all to "accept" to make sure that nothing was blocking 3128, and it still did not work.

Ultimately, I am looking for a way to filter websites on my Linux router (kids are getting just old enough that this is becoming a concern.) Is there a better way than using squid? I only ask since you mention that transparent proxying may not be the best solution. I had the same results trying it explicitly anyway that I did doing it transparently (see post above).

As a side note, why are there two entries for squid when doing a "ps -ef" anyway?
 
Old 09-16-2014, 11:24 AM   #4
yaziron5
LQ Newbie
 
Registered: Sep 2013
Posts: 8

Original Poster
Last night I found something on the squid wiki page regarding the words "transparent" and "intercept". I thought the two were interchangeable, but the wiki said to use intercept when doing a REDIRECT in iptables. I changed this and it still did not work.
I then changed my policies for all three chains in the filter table to ACCEPT and everything worked! I had made this change previously, but still had the "transparent" keyword.

So, I had a combination of errors: I needed to use the intercept keyword in the squid.conf file, and I have something blocking me in iptables. I then changed my OUTPUT chain policy to DROP and left the INPUT policy as ACCEPT, and everything stopped working. I then changed my INPUT policy to DROP and my OUTPUT policy to ACCEPT, and everything started working again.

Any idea as to what rule I might need to add to the output chain so that I can change the policy back to DROP and still have everything work? It appears that the INPUT chain is fine the way it is. I am not in front of my Linux computer so I can't post all the rules, but I can when I return home if that is needed.

Thanks again!
 
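The OUTPUT-chain rules asked about in the last post, together with the nat and INPUT rules for the layout in the first post, as an added example that is not part of this thread. It assumes exactly what the posts describe (eth0 to the internet via DHCP, eth1 on 192.168.1.0/24 with the router at 192.168.1.1, Squid 3.1 listening on 3128 with `http_port 3128 intercept` as post #4 found) and uses the `state` match, which the CentOS iptables of that era supports. The function names (`gen_rules`, `check_stateful_chains`, `apply_rules`) are my own. The script prints an iptables-restore ruleset instead of applying it, so the rules can be read before they are loaded; `check_stateful_chains` catches the failure post #4 ran into, a chain with policy DROP and no ESTABLISHED,RELATED accept, which silently discards the replies to Squid's own upstream fetches. Because the posted squid.conf has had its deny entries removed, the INPUT rule that limits port 3128 to eth1 is what keeps the intercept port unreachable from the internet-facing NIC.

```shell
#!/bin/sh
# Added example, not from the thread: iptables-restore ruleset for a two-NIC
# CentOS router running Squid in intercept mode with all filter policies DROP.
# Interface names, LAN subnet and proxy port follow post #1; override via env.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PROXY_PORT=${PROXY_PORT:-3128}

# Print the complete ruleset in iptables-save format. Nothing is applied here.
# Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# LAN web traffic is diverted to Squid; everything else from the LAN is masqueraded out.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# INPUT: loopback, replies, the redirected client connections (LAN side only),
# and DHCP offers/acks for the WAN address.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
# OUTPUT: the chain post #4 had no rules for. Squid itself originates the
# upstream fetches (TCP 80/443) and needs DNS; its replies to LAN clients
# ride on the ESTABLISHED rule. The DHCP client on eth0 needs 68 -> 67.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
# FORWARD: non-intercepted LAN traffic (e.g. HTTPS) is routed out directly.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check on the generated text: every *filter chain whose policy is DROP
# must carry a stateful ACCEPT, otherwise replies to the router's own traffic
# are discarded (the symptom in post #4). Returns 0 if every chain is covered.
check_stateful_chains() {
    gen_rules | awk '
        BEGIN { bad = 0 }
        /^\*filter/ { infilter = 1; next }
        /^COMMIT/   { infilter = 0; next }
        infilter && /^:[A-Z]+ DROP/ { sub(/^:/, "", $1); drop[$1] = 1; next }
        infilter && /^-A / && /--state ESTABLISHED,RELATED/ && /-j ACCEPT/ { ok[$2] = 1; next }
        END {
            for (c in drop) if (!(c in ok)) { print "missing stateful ACCEPT in " c; bad = 1 }
            exit bad
        }'
}

# Load the ruleset atomically (run as root). On CentOS 6, "service iptables save"
# afterwards makes it survive a reboot.
apply_rules() {
    gen_rules | iptables-restore
}

case "${1:-print}" in
    apply) check_stateful_chains && apply_rules ;;
    check) check_stateful_chains ;;
    *)     gen_rules ;;
esac
```

Run it with no arguments to review the ruleset, `check` to run the sanity test, or `apply` to load it. The REDIRECT rule carries `-s 192.168.1.0/24` in addition to `-i eth1`, so only LAN sources are diverted to Squid, and the matching INPUT rule is the only way to reach 3128, which matters because the posted squid.conf no longer ends with a deny.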
All times are GMT -5.