squid question

marcusaurelius · 08-11-2009, 01:30 AM

Hi,

I believe i asked this question before but the replies led to somewhere else without really resolving the problem. So i need to ask the question again.
I have configured squid proxy IP on my internet explorer browser connection settings; port 3128. I have setup squid to deny all. I have also configured iptables to accept port 3128,443,80. Upon testing, i can see that it is working. But if i type https://kproxy.com for example, it goes through. The thing is, it was working before. I think someone did some config changes on squid.conf and iptables that messed things up. I checked iptables:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
#:PREROUTING ACCEPT [0:0]
#:POSTROUTING ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT

squid.conf has
http_port 80
http_port 3128
http_port 443

Please help. Again, it was working before.

win32sux · 08-11-2009, 11:03 AM

Squid only needs to listen on one port (the default 3128 is just fine for most people). I don't know why you're making it listen on ports 80 and 443 too, since that isn't needed. Your iptables rules for the INPUT chain only need to allow inbound connections to 3128/TCP. It's your OUTPUT rules which should allow outbound connections to ports 80, 443, etc.

Quote:

Originally Posted by marcusaurelius

-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

This rule doesn't make sense if you are referring to HTTPS. The only way for Squid to be able to transparently proxy HTTPS is if you set it up to do a man-in-the-middle (MITM) attack. If you give it some serious thought and/or do some reading-up on how HTTPS works you'll understand why this is the case. That said, I'm closing this thread and I ask you to continue your discussion at the original location, where you've been getting good advice. Please don't open multiple threads for the same issue.