LinuxQuestions.org
Linux - Newbie: Need help on CentOS 6.5 (Squid 3.1 related queries) (https://www.linuxquestions.org/questions/linux-newbie-8/need-help-on-centos-6-5-squid-3-1-related-quires-4175521425/)

kiran s 10-08-2014 05:47 AM

Need help on CentOS 6.5 (Squid 3.1 related queries)
 
Installed CentOS 6.5 and configured Squid 3.1. The internet is working on the clients, and even MAC binding is working well, but no outgoing connections are happening.

Example: I need to make an outside remote connection, or SSH, and it's not happening; even SSH to this server is not happening from outside...


Tried opening the port number in iptables as well as in the squid.conf file, but did not succeed...


Kiran...

TB0ne 10-08-2014 09:43 AM

Quote:

Originally Posted by kiran s (Post 5250756)
Installed CentOS 6.5 and configured Squid 3.1. The internet is working on the clients, and even MAC binding is working well, but no outgoing connections are happening.

Example: I need to make an outside remote connection, or SSH, and it's not happening; even SSH to this server is not happening from outside... Tried opening the port number in iptables as well as in the squid.conf file, but did not succeed...

Squid is an HTTP proxy....it does NOT work with ANY other ports, period. So if you want connections through your firewall to different ports, you're going to have to open those ports in your firewall and/or perform redirections. Squid doesn't enter into anything as far as SSH, telnet, FTP, or any other service.

kiran s 10-09-2014 01:30 AM

Hi TB0ne,

Thanks for your reply,

I have tried to open ports 22 and 3389 in iptables (I added this line in the /etc/sysconfig/iptables file: -A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT, for both TCP and UDP), but it is still not working on the Windows client system. I tried to SSH and MSTSC to an outside server which is located on a public network... I have given the squid.conf and iptables files below; please correct me where I am making a mistake...

MY IPTABLES FILE

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


Below I have posted my Squid config file, a simple basic configuration...

#
# Recommended minimum configuration:
#
acl myoffice src 172.16.44.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_locaiilhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3389 # RDP
acl Safe_ports port 22 # SSH
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports --------------------> also here tried with allow option

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports --------------------> also here tried with allow option


# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#full access for internet
#fullaccess


acl ban076mac arp 00:AA:BB:22
acl ban076ip src 172.16.44.76
http_access allow ban076mac ban076ip

#block website and words

acl business_hours time S M T W H F A 00:01-23:59
acl blockwebsite url_regex "/etc/squid/blockwebsite.txt"
acl blockword url_regex "/etc/squid/blockword.txt"
acl freetime1 time M T W H F 09:00-18:00
http_access deny blockwebsite freetime1
http_access allow blockwebsite
http_access deny blockword freetime1
http_access allow blockword

#limitedaccess
acl ban075mac arp 00:AA:BB:33
acl ban075ip src 172.16.44.50
http_access allow ban075mac ban075ip

#acl blockword url_regex "/etc/squid/blockword.txt"
#http_access deny blockword

#acl regwebsite dstdomain "/etc/squid/blockwebsite.txt"
#http_access deny regwebsite

#acl ipacl url_regex http://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*
#http_access deny ipacl
#acl numeric_IPs url_regex ^[0-9]+.[0-9]+.[0-9]+.[0.9]+
#http_access deny numeric_IPs

http_access deny myoffice

#http_access deny all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy

http_access deny !myoffice
http_access deny all

visible_hostname myofficeproxy

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


Thanks....

TB0ne 10-11-2014 12:08 PM

Quote:

Originally Posted by kiran s (Post 5251202)
Hi TB0ne,
Thanks for your reply,

I have tried to open ports 22 and 3389 in iptables (I added this line in the /etc/sysconfig/iptables file: -A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT, for both TCP and UDP), but it is still not working on the Windows client system. I tried to SSH and MSTSC to an outside server which is located on a public network... I have given the squid.conf and iptables files below; please correct me where I am making a mistake...

Thanks....

Again, there is NOTHING squid can do to manage, block, or route ANYTHING...it is for HTTP, period. That's it. And opening things in IPtables will only make a difference, if that is the ONLY thing between your internal network and the internet. If you have any other firewalls/routers, you have to open the ports THERE. If you want to test it, then turn off iptables for a few minutes...if you can get out, then you know where the problem is.

kiran s 10-12-2014 11:45 PM

Hi,

Thanks,

As you said, I understood well, thanks. But on the same network I am working with RHEL 5.3 Squid, and there all ports are working fine; only CentOS 6.5 is blocking my ports. I am new to CentOS 6.5. Also, as you said, I have tried service iptables stop and checked on the client machine: the internet is working in the browser, but MSTSC or SSH are not working...

Sorry to disturb you, but it's my requirement for a future upgrade in my company...

Regards,
Kiran,

TB0ne 10-13-2014 09:18 AM

Quote:

Originally Posted by kiran s (Post 5252941)
Hi,
As you said, I understood well, thanks. But on the same network I am working with RHEL 5.3 Squid, and there all ports are working fine; only CentOS 6.5 is blocking my ports. I am new to CentOS 6.5. Also, as you said, I have tried service iptables stop and checked on the client machine: the internet is working in the browser, but MSTSC or SSH are not working...

Sorry to disturb you, but it's my requirement for a future upgrade in my company...

AGAIN, Squid has NOTHING to do with MSTSC or SSH, period...at all...ever. So, AGAIN, you need to check what is BEYOND that machine...that is, the routers/switches/firewalls that come AFTER it.

Since you've ruled out that IPTables is blocking it, have you actually looked at the IPtables rules on the machine that IS working??? Tried to apply those same settings?? It could be that things are NAT'ted there.

kiran s 10-14-2014 07:27 AM

Thanks,

Can you give me an iptables rule line which can open my ports? It is a simple network where I configured a public IP on one NIC and a local IP on the other NIC.

Now please give me some iptables line for MSTSC and SSH. (Sorry pls dont get hesitate by my silly que)

Thanks,
Kiran

TB0ne 10-14-2014 08:44 AM

Quote:

Originally Posted by kiran s (Post 5253581)
Thanks,
Can you give me an iptables rule line which can open my ports? It is a simple network where I configured a public IP on one NIC and a local IP on the other NIC.
Now please give me some iptables line for MSTSC and SSH. (Sorry pls dont get hesitate by my silly que)

Read the LQ Rules, and quit using text-speak...spell out your words. It's "please", not 'pls'.

And do you not understand what you've been told??? You said you have turned off IPtables, and that you also have a working system on the same network. So, AGAIN
  • Look at the working machine, and find the rule(s) (if there even ARE any), that relate to how you have those protocols set up
  • Check the routers/switches/firewalls further upstream to see if they are opened for your new Squid server
Doesn't get much simpler than that. You can find examples of iptables rules with a brief Google search, and a search on this site. Not going to look them up for you, sorry. And you can set up protocols to run on ANY port, so whatever example you get handed may not work for you...so you need to show some effort of your own.
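The thread's diagnosis can be checked mechanically against the rule file kiran s posted above. The following Python script is an added example for this thread, not code from any poster: it parses an iptables-save style file, reports the two gaps that stop a two-NIC box from passing LAN clients' SSH/RDP sessions to the outside (the FORWARD chain contains only a REJECT, and there is no nat table at all, so nothing is MASQUERADEd), and renders a least-privilege replacement that forwards only the listed TCP ports from the LAN prefix and NATs them. The interface names (eth1 for the LAN side, eth0 for the public side) and the /24 LAN prefix are placeholders; the INPUT rules for ports 22 and 3128 are limited to the LAN side because the thread gives no reason to expose them on the public NIC. It does not touch anything upstream, which is the other half of TB0ne's point.

```python
"""Check an iptables-save style ruleset for the two things that stop a
two-NIC box from passing LAN clients' SSH/RDP sessions to the outside
(no ACCEPT in FORWARD, no NAT), and render a minimal corrected ruleset.
Added example for this thread, not from any poster; interface names and
the LAN prefix used in the demo call are assumptions (placeholders)."""
import re
from collections import defaultdict

# The rule file posted in the thread (/etc/sysconfig/iptables), verbatim.
POSTED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_ruleset(text):
    """Return {table: {chain: [rule line, ...]}} from iptables-save output."""
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                  # *filter, *nat
            table = line[1:]
        elif line.startswith(":"):                # :CHAIN POLICY [pkts:bytes]
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):              # -A CHAIN <matches> -j TARGET
            tables[table][line.split()[1]].append(line)
    return tables


def check_gateway(text):
    """Return findings explaining why LAN hosts cannot reach outside ports
    through this box (empty list means both checks passed)."""
    tables = parse_ruleset(text)
    findings = []
    forward = tables.get("filter", {}).get("FORWARD", [])
    if not any(" -j ACCEPT" in rule for rule in forward):
        findings.append("FORWARD chain accepts nothing: packets arriving on the LAN NIC "
                        "are never passed to the WAN NIC, on any port")
    postrouting = tables.get("nat", {}).get("POSTROUTING", [])
    if not any(re.search(r"-j (MASQUERADE|SNAT)\b", rule) for rule in postrouting):
        findings.append("no MASQUERADE/SNAT in nat POSTROUTING: forwarded packets would "
                        "leave with private source addresses and replies would not return")
    return findings


def gateway_rules(lan_if, wan_if, lan_net, tcp_ports):
    """Render an iptables-save ruleset for a two-NIC gateway that forwards only
    the listed TCP ports from lan_net out of wan_if and NATs them; everything
    else crossing the box is still rejected.  The kernel must also have
    net.ipv4.ip_forward=1 (sysctl), which no iptables rule sets."""
    lines = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        f"-A POSTROUTING -s {lan_net} -o {wan_if} -j MASQUERADE",
        "COMMIT",
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -i lo -j ACCEPT",
    ]
    # Services on the box itself (SSH admin, Squid), reachable from the LAN side only.
    # INPUT rules never affect traffic that merely crosses the box.
    for port in (22, 3128):
        lines.append(f"-A INPUT -i {lan_if} -s {lan_net} -p tcp --dport {port} "
                     f"-m state --state NEW -j ACCEPT")
    lines.append("-A INPUT -j REJECT --reject-with icmp-host-prohibited")
    lines.append("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for port in tcp_ports:
        lines.append(f"-A FORWARD -i {lan_if} -o {wan_if} -s {lan_net} "
                     f"-p tcp --dport {port} -m state --state NEW -j ACCEPT")
    lines.append("-A FORWARD -j REJECT --reject-with icmp-host-prohibited")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in check_gateway(POSTED_RULES):
        print("posted ruleset:", finding)
    # Placeholder interface names and LAN prefix; adjust to the real box.
    fixed = gateway_rules("eth1", "eth0", "172.16.44.0/24", [22, 3389])
    print(fixed)
    print("fixed ruleset findings:", check_gateway(fixed))
```

Run against the posted file it reports both gaps; run against its own output it reports none. The rendered file is in the same format as /etc/sysconfig/iptables, so it can be loaded with iptables-restore once the interface names and prefix are replaced, but if the RHEL 5.3 box on the same network works without such rules, the NAT is being done upstream and the checks on that device, not this script, decide the outcome.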
