LinuxQuestions.org
Old 05-09-2007, 07:01 AM   #1
Ronin_tekorei
Member
 
Registered: May 2006
Distribution: Fedora
Posts: 57

Question squid denies access to clients


Hello good people of Linux Questions.
I recently upgraded my squid to version 2.6.
Right at the beginning I encountered problems... It seems this new version changed the way to configure it as a transparent proxy.
After searching on Google I managed to configure it as a transparent proxy server. But when a user machine tries to navigate through the proxy server it gives the error Access Denied. In the access control I have given permission for it to use the proxy, but it does not seem to work.
This server has to be giving service just to the internal LAN. Services are:
- Access to the internet through the squid transparent proxy.
- Internal server for: web page (httpd), web mail (webmail on the apache server), ftp (vsftpd) and internal DNS (BIND 9.3.4).
So far all work great but squid does not. This is the part of the log from the squid file access.log while machine2.internaldomain.home opens Mozilla and tries to open pages:
Code:
..
1178674986.492    447 192.168.1.2 TCP_DENIED/403 1346 GET http://www.google.com.py/ - DIRECT/64.233.161.104 text/html
1178674988.571    668 192.168.1.2 TCP_DENIED/403 1346 GET http://www.google.com.py/ - DIRECT/64.233.161.147 text/html
..
Now here goes my config for the server =D
Device configs.
Connection to the internet:
Code:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
HWADDR=xx:xx:xx:xx:xx:xx
NETMASK=255.255.255.252
IPADDR=172.18.3.30
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=172.18.3.29
Connection to the internal LAN
Code:
TYPE=Ethernet
DEVICE=eth1
HWADDR=xx:xx:xx:xx:xx:xx
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.254
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes
resolv.conf file:
Code:
search tekorei.home
nameserver 127.0.0.1
named.conf
Code:
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
query-source address * port 53;
listen-on { 127.0.0.1; 192.168.1.254; };
allow-query { 127.0.0.1; 192.168.1.0/24; };
..Deleted Content..
zone "internaldomain.home" IN {
type master;
file "data/internaldomain.home.zone";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "data/reverse.internaldomain.home.zone";
allow-update { none; };
};
..Deleted Content..
internaldomain.home.zone file
Code:
;
$TTL 1D
@ IN SOA server.internaldomain.home. sysadmin.internaldomain.home. (
2007050301 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D ) ; Minimum
IN NS server;
IN MX 10 server;
internaldomain.home. IN A 192.168.1.254;
server IN A 192.168.1.254;
www IN CNAME server;
ftp IN CNAME server;
mail IN CNAME server;
machine1 IN A 192.168.1.1;
machine2 IN A 192.168.1.2;
reverse.internaldomain.home.zone file
Code:
;
$TTL 1D
@ IN SOA server.internaldomain.home. sysadmin.internaldomain.home. (
2007050301;
8H;
2H;
4W;
1D );
IN NS server.internaldomain.home.
254 IN PTR server.internaldomain.home.;
1 IN PTR machine1.internaldomain.home.;
2 IN PTR machine2.internaldomain.home.;
squid.conf file
Code:
http_port 3128 transparent
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/spool/squid 3000 16 256
access_log /var/log/squid/access.log squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl manager proto cache_object
acl all src 0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl network1 src 192.168.1.0/255.255.255.0
(This one was set to "red1"; now it is correct thanks to acid_kewpie.)
always_direct allow all
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow network1
http_access deny all 
http_reply_access allow all
icp_access allow all
error_directory /usr/share/squid/errors/Spanish
coredump_dir /var/spool/squid
In the original file acl network1 is called acl red1, in Spanish; I translated it to English for you all, it was a translation error. In the original file they are called acl red1 and http_access allow red1. Sorry for this.
iptables config. Default policies are set to ACCEPT. No other rules are set besides these ones because I'm still working on the iptables rules to have the default policy be DROP.
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.18.3.30
I also have configured the internal server for web pages (httpd), dovecot and sendmail for internal mail, and vsftpd. If needed I will post the config for each one of these services.
Can someone help?

Last edited by Ronin_tekorei; 05-09-2007 at 08:21 PM.
 
Old 05-09-2007, 07:08 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Your ACLs in squid are clearly useless...

http_access allow manager localhost <-- not matched as not manager on localhost
http_access deny manager <-- not matched as not manager
http_access deny CONNECT !SSL_ports <-- not matched as not SSL
http_access allow network1 <- not matched as network1 doesn't seem to exist
http_access deny all <-- DENY
 
Old 05-09-2007, 07:37 PM   #3
Ronin_tekorei
Member
 
Registered: May 2006
Distribution: Fedora
Posts: 57

Original Poster
Sorry acid_kewpie, I don't get it... could you explain it to me please?
What do you mean by "not matched"? And I see that I put "red1" and not "network1"; that one is now OK.
http_access allow manager localhost <-- not matched as not manager on localhost
http_access deny manager <-- not matched as not manager
http_access deny CONNECT !SSL_ports <-- not matched as not SSL
http_access allow network1 <- not matched as network1 doesn't seem to exist
http_access deny all <-- DENY

Do I have to put it like this?
http_access allow !manager localhost <-- not matched as not manager on localhost
http_access deny !manager <-- not matched as not manager
http_access deny !CONNECT !SSL_ports <-- not matched as not SSL
http_access allow network1 <- not matched as network1 doesn't seem to exist
http_access deny all <-- DENY

Can you tell me a little more?

Last edited by Ronin_tekorei; 05-09-2007 at 07:39 PM.
 
Old 05-09-2007, 08:26 PM   #4
homey
Senior Member
 
Registered: Oct 2003
Posts: 3,057

edit:
Nuts, just ignore me
 
Old 05-10-2007, 02:27 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

I take it you really really don't understand squid ACLs at all, right?

Based on the ACLs you have, you are telling it to block ALL normal requests. It's doing exactly what is being asked of it. The only point in the ACLs where there's a chance of being connected outside the local machine is where network1 is being permitted, but network1 is not defined anywhere...
 
Old 05-10-2007, 04:24 AM   #6
Ronin_tekorei
Member
 
Registered: May 2006
Distribution: Fedora
Posts: 57

Original Poster
Well, I do understand something..

What I did was:
Defined manager --> acl manager...
defined all possible requests --> acl all...
defined localhost --> acl localhost...
defined the secure ports --> acl SSL_ports...
defined the connection itself --> acl CONNECT...
defined the only network that I want to have access to squid --> acl network1

And after that, I start to close and open things up; squid accepts the first rule, like iptables, so they are put in order to be secure. Like this..

http_access allow manager localhost --> so here I allow manager if it's coming from localhost.
http_access deny manager --> now deny manager from any other source.
http_access deny CONNECT !SSL_ports --> deny connections that don't come from the secure ports.
http_access allow network1 --> open all for network1 to connect to squid.
http_access deny all --> deny all other connections.

First it will open the connection to manager from localhost. If the manager request comes from another source that is not localhost it is denied. The other rule, for CONNECT, I really have to admit that I don't get. I copied that from a paper that says it is just for denying connections that are not coming from good ports. Then I open the connection for network1 and after that close all other requests so no one can connect without my permission.

If there is something wrong please point it out to me.
Please homey help me here too, what was that you said?

Last edited by Ronin_tekorei; 05-10-2007 at 04:28 AM.
 
Old 05-10-2007, 04:28 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

So where's the definition for network1?

CONNECT !SSL_ports means that the HTTP CONNECT method is only allowed to connect on ports which are known to require this, e.g. HTTPS. If someone is trying to use that method on an unknown / non-standard port, e.g. 1234, it is most likely a dubious thing going on, and so it is denied. Not relevant here at all though, to be honest.
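The two points acid_kewpie makes above, first-match evaluation of the http_access list (post #6's reasoning) and what `deny CONNECT !SSL_ports` actually filters (post #7), as an added example that is my code and not anything from the thread: a small Python model of Squid's evaluation, fed the ACLs and http_access lines from post #1. It assumes the conventional `0.0.0.0/0.0.0.0` spelling for `all`, keeps the LAN ACL under the Spanish name `red1` the OP said was really in the file, models an undefined ACL name as one that never matches, and constructs the request from the access.log line.

```python
"""Model of Squid's first-match http_access evaluation (added example, not
code from the thread). ACL types modelled: src, port, method, proto."""
import ipaddress

def parse_acls(lines):
    """'acl NAME TYPE VALUE...' -> {NAME: (TYPE, [VALUE, ...])}."""
    acls = {}
    for line in lines:
        _, name, typ, *vals = line.split()
        acls.setdefault(name, (typ, []))[1].extend(vals)
    return acls

def acl_matches(acls, name, req):
    """True if ACL `name` matches `req`; a leading '!' negates the result.
    A name that was never defined is treated here as 'never matches'."""
    base = name.lstrip("!")
    if base not in acls:
        return False
    typ, vals = acls[base]
    if typ == "src":  # a bare address is one host; 0.0.0.0/0.0.0.0 means "any"
        src = ipaddress.ip_address(req["src"])
        hit = any(src in ipaddress.ip_network(v, strict=False) for v in vals)
    elif typ == "port":
        hit = str(req["port"]) in vals
    else:             # method / proto: plain string match
        hit = req[typ] in vals
    return hit != name.startswith("!")

def http_access(acls, rules, req):
    """Walk http_access lines in order; the first line whose ACLs all match wins.
    If no line matches, Squid applies the opposite of the last line's action."""
    action = "deny"
    for rule in rules:
        _, action, *names = rule.split()
        if all(acl_matches(acls, n, req) for n in names):
            return action, rule
    return ("deny" if action == "allow" else "allow"), "no match: opposite of last line"

# The thread's ACLs, with `all` spelled the conventional way and the LAN ACL
# keeping the Spanish name `red1` that the OP said was really in the file.
ACLS = parse_acls([
    "acl manager proto cache_object", "acl all src 0.0.0.0/0.0.0.0",
    "acl localhost src 127.0.0.1/255.255.255.255", "acl SSL_ports port 443 563",
    "acl CONNECT method CONNECT", "acl red1 src 192.168.1.0/255.255.255.0",
])
RULES = ["http_access allow manager localhost", "http_access deny manager",
         "http_access deny CONNECT !SSL_ports", "http_access allow network1",
         "http_access deny all"]
# Constructed request mirroring the access.log line: machine2 fetching a page.
MACHINE2 = {"src": "192.168.1.2", "method": "GET", "port": 80, "proto": "http"}
```

Running `http_access(ACLS, RULES, MACHINE2)` falls through to `deny all` because `network1` is not defined; replacing `network1` with `red1` in the rules makes the same request match the allow line, while a CONNECT to port 1234 from the same host is still stopped by the `!SSL_ports` line.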
 
Old 05-10-2007, 07:59 AM   #8
Ronin_tekorei
Member
 
Registered: May 2006
Distribution: Fedora
Posts: 57

Original Poster
I have edited the code for squid with the correct one.. now if you look at it you will see that the acl for network1 is there.
I have tried deleting all the acl and http_access lines and leaving just the acl for "network1" and the http_access for it.
It is the same as before; the denied log message continues. I just don't understand why this is happening. Is it really a problem of squid? Or is it another problem? If the client machine gets the error "denied", does it mean that squid is listening but not accepting it as a machine inside "network1"? Any idea?
I really know just the basics to configure squid 2.5 as a transparent proxy. Before it was OK, I mean when it was squid 2.5; after I updated squid the problems started.

Last edited by Ronin_tekorei; 05-10-2007 at 08:04 AM.
 
Old 05-10-2007, 08:49 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

OK, well I'd still wonder about the config; editing the original doesn't prove that your actual config is now correct... please post the FULL config again, along with the squid access log showing the issues you're having.
 
Old 05-11-2007, 10:35 PM   #10
Ronin_tekorei
Member
 
Registered: May 2006
Distribution: Fedora
Posts: 57

Original Poster
Resolved

Hello!!! I have good news! Now it is working!

The problem was that I did not know about the function of "follow_x_forwarded_for". Squid makes the default value for it "follow_x_forwarded_for deny all". So, the "acl all src 0.0.0.0" is all traffic that is coming in; if the default value is "..deny all" it was doing what the default says to do.

The solution was to put in the last line of the squid.conf:

Code:
http_port 192.168.1.254:3128 transparent
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/spool/squid 3000 16 256
access_log /var/log/squid/access.log squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

acl manager proto cache_object
acl all src 0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl network1 src 192.168.1.0/255.255.255.0

always_direct allow network1
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow network1
http_access deny all

http_reply_access allow network1
icp_access allow network1

error_directory /usr/share/squid/errors/Spanish
coredump_dir /var/spool/squid
follow_x_forwarded_for allow network1
(This one here =D)
So it is done.. thanks a lot acid_kewpie!!!
Quote:
...editing the original doesn't prove that your actual config is now correct...
Thanks to that I went deep into the config and found the solution!!