LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-11-2009, 01:30 AM   #1
marcusaurelius
LQ Newbie
 
Registered: Aug 2009
Posts: 6

Rep: Reputation: 0
squid question


Hi,

I believe I asked this question before, but the replies led somewhere else without really resolving the problem, so I need to ask the question again.
I have configured the squid proxy IP in my Internet Explorer browser connection settings, port 3128. I have set up squid to deny all. I have also configured iptables to accept ports 3128, 443 and 80. Upon testing, I can see that it is working. But if I type https://kproxy.com, for example, it goes through. The thing is, it was working before. I think someone made some config changes to squid.conf and iptables that messed things up. I checked iptables:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
#:PREROUTING ACCEPT [0:0]
#:POSTROUTING ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
squid.conf has
http_port 80
http_port 3128
http_port 443

Please help. Again, it was working before.
 
Old 08-11-2009, 11:03 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Squid only needs to listen on one port (the default 3128 is just fine for most people). I don't know why you're making it listen on ports 80 and 443 too, since that isn't needed. Your iptables rules for the INPUT chain only need to allow inbound connections to 3128/TCP. It's your OUTPUT rules which should allow outbound connections to ports 80, 443, etc.
Quote:
Originally Posted by marcusaurelius
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
This rule doesn't make sense if you are referring to HTTPS. The only way for Squid to be able to transparently proxy HTTPS is if you set it up to do a man-in-the-middle (MITM) attack. If you give it some serious thought and/or do some reading up on how HTTPS works, you'll understand why this is the case. That said, I'm closing this thread and I ask you to continue your discussion at the original location, where you've been getting good advice. Please don't open multiple threads for the same issue.

Last edited by win32sux; 08-11-2009 at 11:09 AM.
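As an added illustration (not code from either poster or from the Squid project), the following script checks an iptables-save dump and squid.conf http_port lines for the three problems the reply points out: redirecting 443 to Squid (impossible without MITM), INPUT rules that accept more than the single Squid port, and Squid listening on 80 and 443 as well as 3128. The sample rule text is constructed from the dump in the question; the function name lint() and the constant names are the example's own.

```python
import re

# Constructed sample input, trimmed to the relevant lines of the posted dump.
IPTABLES_DUMP = """\
*nat
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
COMMIT
*filter
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
SQUID_CONF = "http_port 80\nhttp_port 3128\nhttp_port 443\n"

DPORT = re.compile(r"--dport (\d+)")


def lint(iptables_dump, squid_conf, squid_port=3128):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    table = None
    for line in iptables_dump.splitlines():
        if line.startswith("*"):          # "*nat" / "*filter" start a table
            table = line[1:]
            continue
        m = DPORT.search(line)            # "--to-port" is deliberately not matched
        if not m:
            continue
        port = int(m.group(1))
        if table == "nat" and "-j REDIRECT" in line and port == 443:
            findings.append("nat: REDIRECT of 443 to Squid cannot work; HTTPS is end-to-end unless you MITM it")
        if table == "filter" and line.startswith("-A INPUT") and "-j ACCEPT" in line and port != squid_port:
            findings.append(f"filter: INPUT accepts {port}/tcp; clients only need {squid_port}/tcp")
    # Squid itself should listen on the single proxy port only.
    for p in re.findall(r"^http_port\s+(\d+)", squid_conf, re.M):
        if int(p) != squid_port:
            findings.append(f"squid: http_port {p} is unnecessary; listen on {squid_port} only")
    return findings


if __name__ == "__main__":
    for finding in lint(IPTABLES_DUMP, SQUID_CONF):
        print(finding)
```

A ruleset that redirects only port 80, accepts only 3128/tcp on INPUT, and has a single http_port 3128 line produces no findings.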
All times are GMT -5.