squid proxy refuses to connect remote server through ssh

yukinK · 02-14-2008, 04:15 AM

i have run rhel3.
i had set up the squid proxy for internet connection.
i am able to browse the web successfully.
but i am unable to connect the remote server using ssh.and even cant ping any public ip from my windows client machine.
And able to connect LAN server's using ssh.

my squid.conf
-------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
-----

eth0 connected to LAN
eth1 connected to InterNet
-----
eth0
-----
NAME=""
#GATEWAY=10.255.255.254
GATEWAY=10.0.0.3
BOOTPROTO=none
PEERDNS=yes
TYPE=Ethernet
DEVICE=eth0
MTU=""
NETMASK=255.0.0.0
BROADCAST=10.255.255.255
IPADDR=10.0.0.3
NETWORK=10.0.0.0
ONBOOT=yes
USERCTL=no
------
-------
eth1
-------
NAME=""
GATEWAY=xxx.xx.xxx.x
BOOTPROTO=none
PEERDNS=yes
TYPE=Ethernet
DEVICE=eth1
MTU=""
NETMASK=255.255.255.0
BROADCAST=xxx.xx.xxx.xxx
IPADDR=xxx.xx.xxx.xxx
NETWORK=xxx.xx.xxx.x
ONBOOT=yes
USERCTL=no
----
please help.

acid_kewpie · 02-14-2008, 04:32 AM

can you define the problem you're having more effectively? are you trying to SSH to a server *through* squid? that's not possible (well you can tunnel ssh over port 80, but that doesn't appear to be what you're asking for). Squid certainly isn't there to permit you to ping a remote box, only get web content from it.

yukinK · 02-14-2008, 06:11 AM

yes.
you are correct , squid only serve the web content.
i have another machine setted up running squid proxy.using that proxy macine i am able to browse the web and SSH to my remote server , just like having direct intrenet conection setting up in windows machine.

but i am able to ping and SSH to remote server from that problemd box's terminal.
not using that box as proxy on my windows client.
eventhough , i have stoped firewall on that box. but its not working.

if the problem not with squid and iptables, then where the problem starts from?
i have been trying to fix this since last week.

any glues?

please... help

acid_kewpie · 02-14-2008, 06:13 AM

well to route *through* a box you need to enable routing / ip forwarding on it. which absolutely nothing whatsoever to do with squid. is this box your default gateway already? if so "echo 1 > /proc/sys/net/ipv4/ip_forward" would be the first step on the path.

yukinK · 02-14-2008, 06:40 AM

i have checked that,

for your referance my /etc/sysctl.conf

[root@STserver etc]# cat sysctl.conf
kernel.sysrq=0
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=1
kernel.core_uses_pid=1

thanks.

acid_kewpie · 02-14-2008, 06:49 AM

so why didn't you say that in the first place?

so where does a traceroute take you?

yukinK · 02-14-2008, 08:19 AM

hi chris,

which IP i need to traceroute . the box one (eth0) or internet static ip (eth1).

[root@STserver etc]# traceroute stserver
traceroute to stserver (10.0.0.3), 30 hops max, 38 byte packets
1 stserver (10.0.0.3) 0.071 ms 0.017 ms 0.014 ms

and

[root@STserver etc]# traceroute xxx.xx.xxx.xxx
traceroute to xxx.xx.xxx.xxx (xxx.xx.xxx.xxx), 30 hops max, 38 byte packets
1 stserver (xxx.xx.xxx.xxx) 0.072 ms 0.044 ms 0.014 ms

Thanks.

acid_kewpie · 02-14-2008, 09:15 AM

i mean traceroute to somewhere on the net, e.g. google

yukinK · 02-14-2008, 11:12 PM

hi chris ,
sorry for the late reply.

i did that .. it seeems to be normal.

[root@STserver root]# traceroute yahoo.com
traceroute: Warning: yahoo.com has multiple addresses; using 216.109.112.135
traceroute to yahoo.com (216.109.112.135), 30 hops max, 38 byte packets
1 ABTS-TN-Static-001.0.165.122.airtelbroadband.in (122.165.0.1) 9.864 ms * 21.102 ms
2 ras-Chn-165.227.95.61.airtelbroadband.in (61.95.227.165) 8.851 ms 15.698 ms 10.096 ms
3 61.95.240.129 (61.95.240.129) 23.160 ms 9.084 ms 10.175 ms
4 125.21.167.25 (125.21.167.25) 10.756 ms 9.373 ms 19.675 ms
5 203.208.192.165 (203.208.192.165) 189.755 ms 188.701 ms 250.294 ms
6 xe-1-0-0-0.sngtp-cr1.ix.singtel.com (203.208.183.61) 189.468 ms 194.324 ms 371.032 ms
7 so-7-0-0-0.plapx-cr2.ix.singtel.com (203.208.149.182) 261.884 ms 271.470 ms 264.094 ms
8 ge-2-1-0-0.plapx-dr2.ix.singtel.com (203.208.168.110) 258.458 ms ge-1-0-1-0.plapx-dr2.ix.singtel.com (203.208.171.126) 278.289 ms ge-2-1-0-0.plapx-dr2.ix.singtel.com (203.208.168.110) 324.912 ms
9 203.208.186.10 (203.208.186.10) 249.287 ms 203.208.145.162 (203.208.145.162) 248.584 ms 203.208.186.10 (203.208.186.10) 248.558 ms
10 so-1-0-0.pat1.dax.yahoo.com (216.115.101.133) 283.068 ms so-1-1-0.pat2.dce.yahoo.com (216.115.101.131) 424.000 ms so-1-0-0.pat1.dax.yahoo.com (216.115.101.133) 283.022 ms
MPLS Label=232144 CoS=1 TTL=1 S=0
11 so-4-1-0.pat1.dce.yahoo.com (216.115.101.144) 337.773 ms ge-0-1-0-p190.pat1.dcp.yahoo.com (216.115.108.37) 303.999 ms 305.497 ms
12 ge-0-1-0-p180.pat1.dcp.yahoo.com (216.115.108.33) 338.755 ms ge-1-0-0-p130.msr2.dcn.yahoo.com (216.115.108.53) 313.099 ms ge-0-1-0-p180.pat1.dcp.yahoo.com (216.115.108.33) 341.907 ms
13 ge-1-0-0-p120.msr1.dcn.yahoo.com (216.115.108.49) 326.233 ms ge9-3.bas1-m.dcn.yahoo.com (216.109.120.219) 341.200 ms ge9-3.bas2-m.dcn.yahoo.com (216.109.120.155) 391.070 ms
14 * ge7-2.bas2-m.dcn.yahoo.com (216.109.120.197) 337.785 ms ge7-1.bas2-m.dcn.yahoo.com (216.109.120.207) 341.198 ms
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

and

[root@STserver root]# traceroute google.com
traceroute: Warning: google.com has multiple addresses; using 64.233.187.99
traceroute to google.com (64.233.187.99), 30 hops max, 38 byte packets
1 ABTS-TN-Static-001.0.165.122.airtelbroadband.in (122.165.0.1) 11.419 ms 13.980 ms 14.755 ms
2 ras-Chn-165.227.95.61.airtelbroadband.in (61.95.227.165) 9.078 ms 9.990 ms 9.653 ms
3 61.95.240.129 (61.95.240.129) 9.265 ms 9.071 ms 9.107 ms
4 125.21.167.25 (125.21.167.25) 8.834 ms 10.063 ms 8.848 ms
5 203.208.192.165 (203.208.192.165) 188.725 ms 189.581 ms 198.800 ms
6 203.208.169.34 (203.208.169.34) 81.018 ms * 73.906 ms
7 209.85.254.168 (209.85.254.168) 42.093 ms 42.327 ms 42.157 ms
8 209.85.254.215 (209.85.254.215) 123.487 ms 120.961 ms 118.252 ms
9 209.85.250.105 (209.85.250.105) 120.989 ms 121.677 ms 121.708 ms
MPLS Label=544755 CoS=1 TTL=1 S=0
10 * * *
11 216.239.47.237 (216.239.47.237) 250.336 ms 250.085 ms 241.710 ms
MPLS Label=525678 CoS=1 TTL=1 S=0
12 72.14.233.53 (72.14.233.53) 240.214 ms 244.138 ms 242.773 ms
MPLS Label=720900 CoS=1 TTL=1 S=0
13 209.85.130.56 (209.85.130.56) 283.995 ms 359.440 ms *
14 72.14.236.15 (72.14.236.15) 281.755 ms 281.353 ms 276.923 ms
15 216.239.49.222 (216.239.49.222) 276.452 ms 270.732 ms 271.515 ms
16 jc-in-f99.google.com (64.233.187.99) 274.981 ms 273.144 ms 271.748 ms

please help.

yukinK · 02-14-2008, 11:26 PM

my problem description,

In side the linux box.
1. Able to browse the web.
2.Able SSH and ping the remote server as well as the LAN.

Using the linux box as proxy on my windows client.
1.Able to browse the web.
2.Unable to SSH and ping the remote server.
3.Able to SSH and ping the other linux boxes on the LAN.

any help would be appreciated.

megerdin · 02-16-2008, 09:17 AM

trying using NAT in your Linux firewall.