LinuxQuestions.org
Old 02-20-2010, 05:17 AM   #1
ashishkhandelwal
Member
 
Registered: Jan 2010
Posts: 34

Rep: Reputation: 15
Squid server internet access problem


I have configured squid server and it is working fine. I want that only specific IP addresses in my LAN should be able to access internet, and for that I have given these entries in access control lists in squid.conf file:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl our_networks src 192.168.0.181/255.255.255.0 192.168.0.182/255.255.255.0

and in http access I have given this:

http_access allow our_networks
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

In this I want that only 192.168.0.181 and .182 should be able to access internet, but now the problem is that all the IPs in the LAN like 192.168.0.20 are also able to access internet. What changes do I need to make to allow access to specific IP addresses? I am not using any firewall or iptables entries and I am manually changing in Firefox at the client side to access internet.
 
Old 02-20-2010, 05:49 AM   #2
devwatchdog
Member
 
Registered: Jan 2010
Posts: 202

Rep: Reputation: 47
I'm guessing when you define:

acl our_networks src 192.168.0.181/255.255.255.0 192.168.0.182/255.255.255.0

squid is interpreting 192.168.0.181/255.255.255.0 as a network, because that is what this definition is.

Code:
jcwx@haley:~$ ipcalc 192.168.0.181/255.255.255.0
Address:   192.168.0.181        11000000.10101000.00000000. 10110101
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   192.168.0.0/24       11000000.10101000.00000000. 00000000
HostMin:   192.168.0.1          11000000.10101000.00000000. 00000001
HostMax:   192.168.0.254        11000000.10101000.00000000. 11111110
Broadcast: 192.168.0.255        11000000.10101000.00000000. 11111111
Hosts/Net: 254                   Class C, Private Internet
If it were only one host, 192.168.0.181/255.255.255.255 would define it as such.

Drop the netmask for single host definitions and see if that works. I haven't worked on squid in a few years, but as I recall, you don't need a netmask for single hosts.

acl our_networks src 192.168.0.181 192.168.0.182
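
Why the original ACL let 192.168.0.20 through, as an added example that is not part of the original thread: this Python sketch parses `acl ... src` lines, applies each netmask the way the ipcalc output above shows, and flags entries whose address has host bits set under its mask. The sample config and the `fixed_hosts` ACL name are constructed for illustration.

```python
import ipaddress

# Constructed sample: the ACL from post #1 beside the corrected form from post #2.
# "fixed_hosts" is a hypothetical name used only to compare the two.
SAMPLE_CONF = """\
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 192.168.0.181/255.255.255.0 192.168.0.182/255.255.255.0
acl fixed_hosts src 192.168.0.181 192.168.0.182
"""

def parse_src_acls(conf_text):
    """Map ACL name -> list of (raw_token, network, host_bits_set)."""
    acls = {}
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[0] != "acl" or fields[2] != "src":
            continue
        for token in fields[3:]:
            try:
                iface = ipaddress.ip_interface(token)
            except ValueError:
                continue  # ranges and file references are out of scope here
            # Host bits set under the mask: the entry covers the whole subnet,
            # although it was probably meant as a single host.
            host_bits = iface.ip != iface.network.network_address
            acls.setdefault(fields[1], []).append((token, iface.network, host_bits))
    return acls

def matches(acls, name, client_ip):
    """True if client_ip falls inside any network of the named src ACL."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for _, net, _ in acls.get(name, []))

def suspicious_entries(acls):
    """List (acl_name, raw_token, effective_network) for masked-away hosts."""
    return [(name, tok, str(net))
            for name, entries in acls.items()
            for tok, net, host_bits in entries if host_bits]

if __name__ == "__main__":
    acls = parse_src_acls(SAMPLE_CONF)
    for name, tok, net in suspicious_entries(acls):
        print(f"{name}: {tok} is treated as network {net}")
    for name in ("our_networks", "fixed_hosts"):
        print(name, "matches 192.168.0.20:", matches(acls, name, "192.168.0.20"))
```

Running the same check over a real squid.conf before reloading the proxy catches `src` entries that silently widen from one host to a whole subnet.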
 
Old 02-20-2010, 07:38 AM   #3
ashishkhandelwal
Member
 
Registered: Jan 2010
Posts: 34

Original Poster
Rep: Reputation: 15
Thanks a lot... It worked for me. Now I will be very much grateful if anyone can tell me how to use squid server with iptables. Right now I have to manually configure web browser at each client side to use squid as proxy server, but I want that I don't have to change anything in client's web browser and it should automatically start. I think it can be done by using iptables but I don't know how to do it.
 
Old 02-20-2010, 08:13 AM   #4
HasC
Member
 
Registered: Oct 2009
Location: South America - Paraguay
Distribution: Debian 5 - Slackware 13.1 - Arch - Some others linuxes/*BSDs through KVM and Xen
Posts: 329

Rep: Reputation: 55
Quote:
Originally Posted by ashishkhandelwal
Thanks a lot... It worked for me. Now I will be very much grateful if anyone can tell me how to use squid server with iptables. Right now I have to manually configure web browser at each client side to use squid as proxy server, but I want that I don't have to change anything in client's web browser and it should automatically start. I think it can be done by using iptables but I don't know how to do it.
That's Transparent proxying, which you can achieve with iptables and port forwarding. Google on that, there are a lot of docs about it.
 
  

