#1  08-11-2009, 02:30 AM
marcusaurelius (LQ Newbie; registered Aug 2009; 6 posts)

squid question

I believe I asked this question before, but the replies led somewhere else without really resolving the problem, so I need to ask the question again.
I have configured the squid proxy IP in my Internet Explorer browser connection settings, port 3128. I have set up squid to deny all. I have also configured iptables to accept ports 3128, 443 and 80. Upon testing, I can see that it is working. But if I type for example, it goes through. The thing is, it was working before. I think someone made some config changes to squid.conf and iptables that messed things up. I checked iptables:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
# nat table: transparent-intercept rules
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

# filter table: inbound rules
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT

squid.conf has
http_port 80
http_port 3128
http_port 443

Please help. Again, it was working before.
#2  08-11-2009, 12:03 PM
win32sux (LQ Guru; registered Jul 2003; Los Angeles; Ubuntu; 9,870 posts)

Squid only needs to listen on one port (the default 3128 is just fine for most people). I don't know why you're making it listen on ports 80 and 443 too, since that isn't needed. Your iptables rules for the INPUT chain only need to allow inbound connections to 3128/TCP. It's your OUTPUT rules which should allow outbound connections to ports 80, 443, etc.
Originally Posted by marcusaurelius:
    -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
This rule doesn't make sense if you are referring to HTTPS. The only way for Squid to be able to transparently proxy HTTPS is if you set it up to do a man-in-the-middle (MITM) attack. If you give it some serious thought and/or do some reading up on how HTTPS works, you'll understand why this is the case. That said, I'm closing this thread and ask you to continue your discussion at the original location, where you've been getting good advice. Please don't open multiple threads for the same issue.

Last edited by win32sux; 08-11-2009 at 12:09 PM.
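The ruleset and squid.conf that the reply above describes, as an added example that is not code from the thread or from either poster. It assumes Squid runs on the firewall host, that clients point their browsers at port 3128 explicitly (as the original poster does), that the LAN is 192.168.1.0/24 behind eth0 (both placeholders), and it uses iptables-restore(8) format rather than the system-config-firewall file. The ACL names and the port lists in the squid.conf fragment are assumptions chosen for an explicit-proxy setup; the counting helpers exist only so the INPUT/OUTPUT split and the absence of REDIRECT rules can be checked before anything is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. It emits the firewall ruleset and
# squid.conf that the reply describes: Squid listens on 3128 only, INPUT admits
# only 3128 from the LAN, OUTPUT admits the proxy's own 80/443 (plus DNS), and
# there are no REDIRECT rules. Assumed placeholders: LAN 192.168.1.0/24 on eth0.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"

# Ruleset in iptables-restore(8) format.
proxy_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Deliberately no REDIRECT rules. Clients are configured to use the proxy
# explicitly; HTTPS then arrives as "CONNECT host:443" on 3128 and Squid
# tunnels it without decrypting. Redirecting raw port-443 traffic here would
# require Squid to terminate TLS for sites it holds no keys for, i.e. a MITM.
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Matching squid.conf fragment: one listening port, explicit-proxy ACLs
# (ACL names and port lists are assumptions for this example).
squid_conf() {
  cat <<EOF
http_port 3128
acl localnet src $LAN_NET
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
EOF
}

# Number of ACCEPT rules in chain $1 for destination port $2.
count_rules() {
  proxy_rules | grep -c -- "-A $1 .*--dport $2 -j ACCEPT" || true
}

# Number of REDIRECT rules in the ruleset (expected: 0).
redirect_count() {
  proxy_rules | grep -c -- '-j REDIRECT' || true
}

case "${1:-show}" in
  apply) proxy_rules | iptables-restore ;;   # needs root; loads the ruleset
  *)     proxy_rules; echo; squid_conf ;;    # default: just print both
esac
```

Run it without arguments to review the output; `apply` loads the ruleset with iptables-restore and needs root. The filter chains default to DROP, so if the box is administered over SSH, add an INPUT rule for that port before loading, or the session will be cut off.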
