Old 07-24-2007, 09:42 PM   #1
davimint
Member
 
Registered: Jan 2006
Distribution: Slackware Current
Posts: 272

Rep: Reputation: 33
squid proxy on slackware TCP_DENIED/403


Trying to set up a "transparent proxy" with squid so I
can set up squidguard or dansguardian.

I think I've got everything set up and working.
Here's the output when I start squid.

Code:
bash-3.1# /usr/local/squid/sbin/squid -N -d 1 -D
2007/07/24 21:16:53| Starting Squid Cache version 2.6.STABLE14 for i686-pc-linux-gnu...
2007/07/24 21:16:53| Process ID 3199
2007/07/24 21:16:53| With 1024 file descriptors available
2007/07/24 21:16:53| Using epoll for the IO loop
2007/07/24 21:16:53| DNS Socket created at 0.0.0.0, port 32779, FD 5
2007/07/24 21:16:53| Adding domain hsd1.ms.comcast.net. from /etc/resolv.conf
2007/07/24 21:16:53| Adding nameserver 68.87.68.162 from /etc/resolv.conf
2007/07/24 21:16:53| Adding nameserver 68.87.74.162 from /etc/resolv.conf
2007/07/24 21:16:53| Unlinkd pipe opened on FD 10
2007/07/24 21:16:53| Swap maxSize 102400 KB, estimated 7876 objects
2007/07/24 21:16:53| Target number of buckets: 393
2007/07/24 21:16:53| Using 8192 Store buckets
2007/07/24 21:16:53| Max Mem  size: 8192 KB
2007/07/24 21:16:53| Max Swap size: 102400 KB
2007/07/24 21:16:53| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
2007/07/24 21:16:53| Using Least Load store dir selection
2007/07/24 21:16:53| Set Current Directory to /usr/local/squid/var/cache
2007/07/24 21:16:53| Loaded Icons.
2007/07/24 21:16:53| Accepting transparently proxied HTTP connections at 127.0.0.1, port 3128, FD 12.
2007/07/24 21:16:53| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
2007/07/24 21:16:53| WCCP Disabled.
2007/07/24 21:16:53| Ready to serve requests.
2007/07/24 21:16:53| Done reading /usr/local/squid/var/cache swaplog (0 entries)
2007/07/24 21:16:53| Finished rebuilding storage from disk.
2007/07/24 21:16:53|         0 Entries scanned
2007/07/24 21:16:53|         0 Invalid entries.
2007/07/24 21:16:53|         0 With invalid flags.
2007/07/24 21:16:53|         0 Objects loaded.
2007/07/24 21:16:53|         0 Objects expired.
2007/07/24 21:16:53|         0 Objects cancelled.
2007/07/24 21:16:53|         0 Duplicate URLs purged.
2007/07/24 21:16:53|         0 Swapfile clashes avoided.
2007/07/24 21:16:53|   Took 0.3 seconds (   0.0 objects/sec).
2007/07/24 21:16:53| Beginning Validation Procedure
2007/07/24 21:16:53|   Completed Validation Procedure
2007/07/24 21:16:53|   Validated 0 Entries
2007/07/24 21:16:53|   store_swap_size = 0k
2007/07/24 21:16:54| storeLateRelease: released 0 objects
Here's my squid.conf

Code:
bash-3.1# cat squid.conf
http_port 127.0.0.1:3128 transparent
visible_hostname xxxx.xxxxx # x = correct host/domain
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl allowed_hosts src 192.168.1.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager all
http_access allow allowed_hosts
http_access deny all
#http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow allowed_hosts
icp_access deny all
cache_effective_user squid
cache_effective_group squid
coredump_dir /usr/local/squid/var/cache
bash-3.1#

Now, when I try using the squidclient and check my access.log I get this.
Code:
1185329877.589      0 127.0.0.1 TCP_DENIED/403 1392 GET http://squid.nlanr.net/ - NONE/- text/html
I've tried my best to do this without posting but I can't find my problem. My system is a cable-modem > linksys router > one wired pc ( squid's on it ) & one wireless pc.

Thanks to anyone who doesn't mind helping a newbie out.

Last edited by davimint; 07-25-2007 at 06:22 AM.
 
Old 07-25-2007, 04:33 AM   #2
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Rep: Reputation: 31
Just to share relevant portion of my squid (same version) running in OpenBSD:

Code:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 445         # windows update
acl CONNECT method CONNECT
Code:
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
Code:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl local_net src 192.168.1.0/24
http_access allow local_net
http_access allow localhost
I noticed that you denied access to Safe_ports.

Quote:
#http_access deny !Safe_ports
--------------
 
Old 07-25-2007, 06:52 AM   #3
davimint
Member
 
Registered: Jan 2006
Distribution: Slackware Current
Posts: 272

Original Poster
Rep: Reputation: 33
thanks gani

Your post helped me out, I've got the squidclient
working now by adding the following.

Code:
acl local_net src 192.168.1.0/24
http_access allow local_net
http_access allow localhost
The deny safe port issue is not fixed, I'll have to
work on that and try to understand it.

I guess the next step is to set up a client so
the web gets directed to firefox so the logs will
cache it. I'm still trying to understand squid.

But I've made some progress.
 
Old 07-25-2007, 09:24 PM   #4
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Rep: Reputation: 31
Quote:
The deny safe port issue is not fixed, I'll have to
work on that and try to understand it.
These are ports on the internet that squid allows access to and thus it was defined within the series of acl Safe_ports port# declarations. Ports not defined here would not be accessed and thus you would see in your access.log TCP/DENIED.

Then finally below it, an http_access was defined to give access to these acl's as what you have done with your acl local_net. The http_access deny !Safe_ports is the same as http_access allow Safe_ports. We know that the negation character (!) tells its opposite.

You may go to the squid-cache.org WiKi for more.

----------
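As an added illustration of the first-match http_access evaluation that both the original post's TCP_DENIED/403 and gani's Safe_ports explanation turn on (this is not code from the thread or from Squid itself): a small Python model of Squid's rule walk, run over the ACL lines from the posted squid.conf in the original order and in the order used after gani's suggestion. The request records are constructed; it shows why the squidclient request from 127.0.0.1 was denied, and that `deny !Safe_ports` only rejects unsafe ports, so a request to a safe port falls through to the later allow/deny lines.

```python
import ipaddress

# ACL lines copied from the thread's squid.conf (Squid 2.6 netmask notation) plus the
# Safe_ports list and local_net rule gani posted; rules first in the original order, then fixed.
ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl allowed_hosts src 192.168.1.1/255.255.255.255
acl local_net src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777 445
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager all
"""
OP_CONF = ACLS + "http_access allow allowed_hosts\nhttp_access deny all\n"
FIXED_CONF = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow local_net
http_access allow localhost
http_access deny all
"""
def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 4 and parts[0] == "acl":  # repeated acl names are merged, as in Squid
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules
def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # single ports or lo-hi ranges
        return any(int(v.partition("-")[0]) <= req["port"] <= int(v.partition("-")[2] or v) for v in values)
    if kind in ("method", "proto"):
        return req[kind] in values
    return False  # ACL types not modelled here (dst, url regex, rep_header) never match
def decide(conf, req):
    """Squid first-match evaluation: every ACL on a line must match (a leading '!' negates);
    the first matching line decides; if no line matches, the opposite of the last action applies."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

A request record looks like `{"src": "127.0.0.1", "method": "GET", "proto": "http", "port": 80}`; `decide(OP_CONF, ...)` returns "deny" for it because 127.0.0.1 is not in allowed_hosts and the next line is `deny all`, while `decide(FIXED_CONF, ...)` returns "allow" via the added `allow localhost` line.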
 
Old 07-26-2007, 10:13 PM   #5
davimint
Member
 
Registered: Jan 2006
Distribution: Slackware Current
Posts: 272

Original Poster
Rep: Reputation: 33
thanks "again" gani
I got the !Safe_ports working without errors.

I also have got dansguardian working on the server PC.

I have not been able to figure out how to get the other PC
to work so it will cache or filter the web. It's a windows
wireless machine using a linksys router. If you have any ideas
please advise on this. I played with the connection settings
in windows thinking I needed to set the proxy to the server's
address and port but that didn't work at all.. I tried using the
loopback address with port 3128 and it failed... So I really don't
know if it's going to be an iptables rule or squid acl that needs
to be tweaked.

But anyway, it's nice to know I can set up the linux machine
for the kids to use again. I just wasn't happy with them having
free unrestricted access.

thanks again for your help.
 
Old 07-28-2007, 02:11 AM   #6
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Rep: Reputation: 31
This is how you would connect your WAP router.

Code:
LAN SWITCH -----------[WAN port]     WAP router      ))))))) ((((((( DHCP clients
192.168.1.0/24        192.168.1.?    192.168.2.0/24
Then all your WAP clients would pass through your transparent proxy via the WAN port of your WAP through its 192.168.1.? IP address, and it is this IP that would be registered as browsing in your Dansguardian's logs.

-----------
 
Old 07-28-2007, 08:27 AM   #7
davimint
Member
 
Registered: Jan 2006
Distribution: Slackware Current
Posts: 272

Original Poster
Rep: Reputation: 33
Sorry,
But I'm not sure what you meant by "LAN SWITCH".
I think I've got everything hooked up wrong. I was
already concerned about that and started a new post
after this one. Have a look.

http://www.linuxquestions.org/questi...d.php?t=572580

You have been so helpful on this maybe you can explain.

thanks

Last edited by davimint; 07-28-2007 at 08:42 AM.
 
Old 07-28-2007, 09:45 AM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
I believe he means the switch built into your SOHO LinkSys "router".
 
Old 07-29-2007, 09:54 PM   #9
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Rep: Reputation: 31
I'm redrawing my diagram:

Code:
[Local Network]  [Linksys WAP Router]  [WI-FI clients]
192.168.1.0/24             

Hub/Switch ------> WAP WAN port [192.168.1.?]
    |              WAP LAN ports )))((( wi-fi clients 
    |              [192.168.2.0/24]     [192.168.2.?]
    |
    |
    |------------> Wired clients
Sorry, I thought that you had a separate switch/hub for your wired PC and the Linksys was only for wireless clients.

If your Linksys WAP router is at the same time serving as your LAN switch, connect its WAN port to the internal NIC of your Slackware router and provide it with an IP range/block different from its LAN ports as I've shown here and, as usual, you would need to activate its NAT. It would then appear that your Linksys is your secondary gateway/router.

----------
 
Old 07-30-2007, 09:05 AM   #10
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
davimint,
Is this the same LAN being discussed here:
http://www.linuxquestions.org/questi...d.php?t=572580
 