LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 08-28-2016, 05:15 PM   #1
marwanq
LQ Newbie
 
Registered: Aug 2016
Posts: 1

Rep: Reputation: Disabled
Question openvpn client traffic is not getting filtered by squid transparent proxy


hey! guys please me out!

This is my set up.. my openvpn client traffic goes to openvpn server and after that i want the traffic to be forwarded to squid proxy so that it can be filtered.
now i am trying to block pakhweels.com but it is not working.
my web_deny file has .pakwheels.com written in it.

i am able to forward my openvpn client traffic to squid server since it is visible in access.log but when i apply acl to block a website i have no success. When i remove the word 'transparent' from the config file it shows the error of invalid url on the client's browser which shows that the traffic goes to proxy server but as soon as i retype 'transparent' webpages do open even if they are blocked through squid proxy.Kindly help!.

openvpn client has 10.8.0.10
openvpn server has 10.8.0.1
tun0 is the openvpn interface

Code:
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet1 src 192.168.0.0/16    # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
acl allow_network src 10.8.0.0/24 
acl web_deny dstdomain "/etc/squid3/web_deny"





http_access allow all

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager



http_access allow localnet
http_access allow localnet1


http_access deny web_deny
http_access allow allow_network

http_access deny all











http_port 3128 transparent



coredump_dir /var/spool/squid3



refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .        0    20%    4320


visible_hostname softfw
access.log
Code:
1472059179.770   2367 10.8.0.10 TCP_MISS/200 9531 GET http://cache4.pakwheels.com/ad_pictures/1253/Slide_toyota-aqua-s-15-2014-12533323.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059179.914   2503 10.8.0.10 TCP_MISS/200 16493 GET http://cache1.pakwheels.com/ad_pictures/1230/Slide_toyota-prado-2012-12301020.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059179.940   2527 10.8.0.10 TCP_MISS/200 6812 GET http://cache3.pakwheels.com/ad_pictures/1208/Slide_nissan-dayz-highway-star-2013-12085892.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059180.220   2809 10.8.0.10 TCP_MISS/200 13158 GET http://cache4.pakwheels.com/ad_pictures/1268/Slide_toyota-prado-tx-4-2012-12680738.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059180.322   2906 10.8.0.10 TCP_MISS/200 11421 GET http://cache3.pakwheels.com/ad_pictures/1152/Slide_honda-grace-2-2014-11528339.jpeg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059180.326   2915 10.8.0.10 TCP_MISS/200 27998 GET http://cache3.pakwheels.com/ad_pictures/1225/Slide_honda-any-model-139-2015-12257604.jpeg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059180.622   3205 10.8.0.10 TCP_MISS/200 12441 GET http://cache1.pakwheels.com/ad_pictures/1245/Slide_toyota-corolla-1-6-gli-automatic-2011-12454041.57367 - HIER_DIRECT/148.251.245.44 binary/octet-stream
1472059180.964   1335 10.8.0.10 TCP_MISS/200 9145 GET http://cache3.pakwheels.com/ad_pictures/1254/Slide_daihatsu-move-custom-g-2016-12547503.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059181.216   1440 10.8.0.10 TCP_MISS/200 8018 GET http://cache4.pakwheels.com/ad_pictures/1190/Slide_toyota-aqua-l-16-2013-11904158.jpeg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059181.436   1201 10.8.0.10 TCP_MISS/200 20259 GET http://cache2.pakwheels.com/ad_pictures/1233/Slide_toyota-prado-tx-4-2011-12336372.jpeg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059181.456    826 10.8.0.10 TCP_MISS/200 9769 GET http://cache2.pakwheels.com/ad_pictures/1253/Slide_mercedes-benz-250d-2010-12535535.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059181.558   4153 10.8.0.10 TCP_MISS/200 8831 GET http://cache2.pakwheels.com/ad_pictures/1221/Slide_honda-fit-hybrid-base-grade-1-3-2012-12212828.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059181.823    854 10.8.0.10 TCP_MISS/200 11330 GET http://cache3.pakwheels.com/ad_pictures/1239/Slide_honda-airwave-m-s-package-2007-12395592.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059181.966   1614 10.8.0.10 TCP_MISS/200 15984 GET http://cache2.pakwheels.com/ad_pictures/1267/Slide_daihatsu-move-2013-12674441.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059182.506   1065 10.8.0.10 TCP_MISS/200 22880 GET http://cache2.pakwheels.com/ad_pictures/1097/Slide_mercedes-benz-cls-cls-500-2005-10979643.JPG - HIER_DIRECT/148.251.245.44 image/jpeg
1472059182.632    656 10.8.0.10 TCP_MISS/200 9952 GET http://cache3.pakwheels.com/ad_pictures/1261/Slide_daihatsu-mira-x-limited-3-2013-12612805.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059183.377  17945 10.8.0.10 TCP_MISS/200 1245 GET http://track.adform.net/adfscript/? - HIER_DIRECT/37.157.2.25 text/javascript
1472059183.774    364 10.8.0.10 TCP_MISS/200 11574 GET http://s2.adform.net/stoat/582/s2.adform.net/bootstrap.js - HIER_DIRECT/23.50.172.234 text/javascript
1472059184.174    369 10.8.0.10 TCP_MISS/200 2435 GET http://track.adform.net/adfserve/? - HIER_DIRECT/37.157.2.25 text/javascript
1472059184.232   1590 10.8.0.10 TCP_MISS/200 24142 GET http://cache4.pakwheels.com/ad_pictures/1096/Slide_porsche-911-911-carrera-2005-10966363.JPG - HIER_DIRECT/148.251.245.44 image/jpeg
1472059186.392  20961 10.8.0.10 TCP_MISS/200 1213 GET http://track.adform.net/adfscript/? - HIER_DIRECT/37.157.2.25 text/javascript
1472059186.616   6694 10.8.0.10 TCP_MISS/200 6383 GET http://cache2.pakwheels.com/ad_pictures/1217/Slide_toyota-prius-l-1-8-2011-12175466.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059186.942   5106 10.8.0.10 TCP_MISS/200 34094 GET http://cache1.pakwheels.com/ad_pictures/1230/Slide_bmw-3-series-320i-2003-12309555.JPG - HIER_DIRECT/148.251.245.44 image/jpeg
1472059186.949   7002 10.8.0.10 TCP_MISS/200 8040 GET http://cache1.pakwheels.com/ad_pictures/1237/Slide_suzuki-wagon-r-stingray-x-14-2012-12373812.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059186.973    350 10.8.0.10 TCP_MISS/200 37440 GET http://s2.adform.net/stoat/582/s2.adform.net/load/v/0.0.94/e/jQSBgg/i/8IP4AAAAIAA/r:AdConstructor:contents/HTML:types/Standard - HIER_DIRECT/23.50.172.234 text/javascript
1472059186.994   6659 10.8.0.10 TCP_MISS/200 7924 GET http://cache1.pakwheels.com/ad_pictures/1266/Slide_toyota-aqua-g-37-2013-12663340.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059187.256    194 10.8.0.10 TCP_MISS/200 25209 GET http://s2.adform.net/Banners/Elements/Files/45923/1246695/1246695.js? - HIER_DIRECT/23.50.172.234 application/x-javascript
1472059187.425  10012 10.8.0.10 TCP_MISS/200 7571 GET http://cache4.pakwheels.com/ad_pictures/1254/Slide_mercedes-benz-e-class-e-200-2014-12542542.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059187.611   6043 10.8.0.10 TCP_MISS/200 12450 GET http://cache3.pakwheels.com/ad_pictures/1219/Slide_toyota-land-cruiser-zx-2012-12191083.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059187.827   6365 10.8.0.10 TCP_MISS/200 21370 GET http://cache4.pakwheels.com/ad_pictures/1066/Slide_mercedes-benz-slk-slk200-kompressor-2006-10666278.JPG - HIER_DIRECT/148.251.245.44 image/jpeg
1472059187.913    913 10.8.0.10 TCP_MISS/200 20773 GET http://cache2.pakwheels.com/ad_pictures/1270/Slide_toyota-corolla-gli-2-2013-12702917.jpeg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059187.936    988 10.8.0.10 TCP_MISS/200 11277 GET http://cache1.pakwheels.com/ad_pictures/1228/Slide_honda-civic-vti-1-8-i-vtec-2013-12284020.jpg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059187.953    974 10.8.0.10 TCP_MISS/200 12221 GET http://cache3.pakwheels.com/ad_pictures/1021/Slide_toyota-vitz-1-0-f-2012-10215871.jpeg - HIER_DIRECT/148.251.245.44 image/jpeg
1472059189.043   2621 10.8.0.10 TCP_MISS/200 2389 GET http://track.adform.net/adfserve/? - HIER_DIRECT/37.157.2.25 text/javascript

i have followed several threads including this one http://www.linuxquestions.org/questi...pn-4175511172/ but it doesnt seem to work.

i am using these iptable rules:

Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE (forwards openvpn client traffic from tun0 to eth0 so that internet can be used
iptables -t nat -A PREROUTING -p tcp --dport 80 -i tun0 -j DNAT --to 192.168.1.4:3128
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
 
Old 08-29-2016, 10:14 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,804

Rep: Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002Reputation: 8002
Quote:
Originally Posted by marwanq View Post
hey! guys please me out!
This is my set up.. my openvpn client traffic goes to openvpn server and after that i want the traffic to be forwarded to squid proxy so that it can be filtered.
now i am trying to block pakhweels.com but it is not working. my web_deny file has .pakwheels.com written in it.

i am able to forward my openvpn client traffic to squid server since it is visible in access.log but when i apply acl to block a website i have no success. When i remove the word 'transparent' from the config file it shows the error of invalid url on the client's browser which shows that the traffic goes to proxy server but as soon as i retype 'transparent' webpages do open even if they are blocked through squid proxy.Kindly help!.

openvpn client has 10.8.0.10
openvpn server has 10.8.0.1
tun0 is the openvpn interface
This has nothing to do with squid. Squid is an HTTP proxy, nothing more...what you're trying to do is enable what's called a "full tunnel" through your VPN, causing anyone attached to the VPN server to use the same path to the Internet as everyone else, which would also include the same blocking rules, etc. It's most common to do a 'split tunnel', meaning that anyone attached over the Internet will get non-VPN sites (things NOT on your internal LAN), directly over the Internet, and only shoving traffic destined for your local LAN down the VPN adapter. Put this option in your openvpn config:
Code:
redirect-gateway def1
..and restart openvpn.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenVPN Access Server Route All Traffic Through Local Squid Proxy? squidvpn Linux - Networking 1 05-18-2016 05:15 PM
Directing OpenVPN client's traffic through the OpenVPN server mohtasham1983 Linux - Networking 1 01-17-2012 06:44 PM
Forwarding all traffic to the proxy to another proxy (transparent proxy/redirection) lakshithaww Linux - Networking 1 10-28-2009 12:54 AM
Squid as a transparent proxy kemplej Linux - Software 2 12-08-2004 05:00 PM
Squid with Transparent Proxy MarleyGPN Linux - Networking 1 08-28-2003 02:51 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 04:14 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration