Hi,

I got it half working. My chat is working and I can search Google, but I can't browse websites.
My configuration now:

acl mynet src 116.72.152.37 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3129
http_port 3128 intercept
cache_dir ufs /usr/local/cache 10000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200
refresh_pattern . 0 20% 4320

Iptables:

root@squid:/home/squid# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 77928 packets, 4272K bytes)
 pkts bytes target     prot opt in     out     source               destination
  290 17312 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 75943 packets, 4074K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  847 56477 MASQUERADE all  --  *      eth0    192.168.0.0/24       0.0.0.0/0

On Thu, Jun 4, 2015 at 12:13 PM, Reet Vyas <reet.vya...@gmail.com> wrote:
> Hi,
>
> I changed the iptables, still no luck :( but I am using squid 3.3 only.
> I didn't understand why you have configured the 3129, 3130 and 3128 ports?
>
> On Wed, Jun 3, 2015 at 1:04 PM, Klavs Klavsen <k...@vsen.dk> wrote:
>
>> Your client needs to use your squid server as default gateway.
>>
>> And then you need the iptables rules I wrote about to direct traffic into
>> squid for certain ports.
>>
>> Reet Vyas wrote on 06/03/2015 08:50 AM:
>>
>>> Hi
>>>
>>> Thanks for the reply. As of now we don't have a router. I have directly
>>> connected my machine to the internet and the other to the LAN, and I have
>>> configured an Ubuntu client machine to test squid, which is in the switch
>>> where other users are connected using the router gateway 192.168.0.1.
>>>
>>> I read your valuable suggestions, but I am still confused with the iptables
>>> and squid 3.3 settings, transparent and intercept options.
>>>
>>> root@squid:/home/squid# ip addr show
>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
>>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>     inet 127.0.0.1/8 scope host lo
>>>        valid_lft forever preferred_lft forever
>>>     inet6 ::1/128 scope host
>>>        valid_lft forever preferred_lft forever
>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>>     link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
>>>     inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
>>>        valid_lft forever preferred_lft forever
>>>     inet6 fe80::21e:67ff:fecf:5974/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>>     link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
>>>     inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
>>>        valid_lft forever preferred_lft forever
>>>     inet6 fe80::21e:67ff:fecf:5975/64 scope link
>>>        valid_lft forever preferred_lft forever
>>>
>>> root@squid:/home/squid# ip -4 route show
>>> default via 116.72.152.1 dev eth0
>>> 116.72.152.0/22 dev eth0 proto kernel scope link src 116.72.152.37
>>> 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.200
>>>
>>> To use transparent/intercept, what do I have to set in my config file:
>>> http_port 3128 intercept or transparent?
>>>
>>> And iptables rules: I have tried these rules
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>>
>>> But it is not working.
>>>
>>> Can you please tell me the firewall rules and let me know why my
>>> firewall rules are not working.
>>>
>>> On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen <k...@vsen.dk> wrote:
>>>
>>> Amos Jeffries wrote on 06/02/2015 04:34 PM:
>>>
>>>     On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
>>>
>>>         I have this in my squid server for it to work:
>>>
>>>     The key words there are ... *in my Squid server*
>>>
>>> indeed :)
>>>
>>>     NOTE to Klavs:
>>>     loading the "multiport" kernel module seems overkill for a single-port
>>>     match.
>>>
>>> it's puppet's firewall module.. haven't had enough time to fix that
>>> module :)
>>>
>>>     FYI: DONT_VERIFY_PEER, "always_direct allow all", and
>>>     "sslproxy_cert_error allow all" have not been good ideas since 3.2.
>>>     dont-verify actually inhibits the Mimic functions which give
>>>     server-first bumping most of its usefulness.
>>>
>>> Thank you for those tips.
>>>
>>> --
>>> Regards,
>>> Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200
>>>
>>> "Those who do not understand Unix are condemned to reinvent it, poorly."
>>> --Henry Spencer
>>>
>>
>> --
>> Regards,
>> Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200
>>
>> "Those who do not understand Unix are condemned to reinvent it, poorly."
>> --Henry Spencer
>>
>
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
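As an added example (not from the thread or the Squid project), the following Python replays Squid's first-match http_access evaluation over the src ACLs of the posted config. With "http_access allow all" as the closing rule, a request from any address, including a constructed outside host, is accepted on the forward-proxy port 3129; changing that line to "deny all" limits the proxy to mynet and localhost. It assumes Squid's built-in localhost ACL definition and treats non-src ACLs (CONNECT, manager, SSL_ports) as never matching a plain GET, a simplification that is correct for this check.

```python
import ipaddress
# Constructed excerpt of the posted squid.conf; localhost is Squid's built-in ACL (assumed).
SQUID_CONF = """
acl mynet src 116.72.152.37 192.168.0.0/16 # RFC1918 possible internal network
acl localhost src 127.0.0.1/32 ::1
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
"""
# Same config with the last rule changed to the usual closing deny.
HARDENED_CONF = SQUID_CONF.replace("http_access allow all", "http_access deny all")
# Probes: a LAN client, the box's own WAN address, a constructed outside host (TEST-NET-3).
PROBES = ["192.168.0.55", "116.72.152.37", "203.0.113.9"]

def parse_conf(text):
    # Collect src ACLs and the ordered http_access rules; comments are stripped.
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) > 3 and parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif len(parts) > 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, src):
    # One ACL reference (optionally negated with '!') tested for a plain GET from
    # src; non-src ACLs (CONNECT, manager, SSL_ports) never match a GET here.
    negate = name.startswith("!")
    name = name.lstrip("!")
    hit = name == "all" or any(src in net for net in acls.get(name, []))
    return hit != negate

def decide(acls, rules, client_ip):
    # Squid semantics: the first http_access line whose ACLs all match wins;
    # if nothing matches, the default is the opposite of the last line's action.
    src = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(acl_matches(acls, n, src) for n in names):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"

def allowed_sources(conf_text, probes=PROBES):
    # Return the probe addresses that the config would let use the proxy.
    acls, rules = parse_conf(conf_text)
    return [ip for ip in probes if decide(acls, rules, ip) == "allow"]
```

Running allowed_sources(SQUID_CONF) returns all three probes, while allowed_sources(HARDENED_CONF) drops the outside host, which is the check worth running before putting an intercepting Squid with a public interface into service.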