On 13/11/17 01:25, snable snable wrote:
Access.log shows for www.heise.de on https:
NECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.731 2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.836 1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html
ORIGINAL_DST is the server IP your system NAT tables say the client is
connecting to.
So the above means the NAT system is intercepting the client at
192.168.1.200 connecting to the webserver at 192.168.1.222:443.
On 12.11.2017 12:46, "snable snable" wrote:
hey
thanks:
I post in detail
I have an openwrt box. Clients are attached there to the
192.168.2.0/24 network via NAT. I attached the router as a WAN device
on my 192.168.1.0/24 with 192.168.1.254 as my internet gateway.
I have a squidbox with squid 4 running on ports 3128, 3129 and 3130.
I forward the traffic from the openwrt via:
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s 192.168.1.222
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 443 -s 192.168.1.222
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 443
ip rule add fwmark 3 table 2
ip route add default via 192.168.1.222 dev eth0.2 table 2
On the squid box I redirected it via:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
There are no rules above preventing the NAT system intercepting the
Squid outbound traffic.
Please see the iptables rules documented at:
<https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>.
-j ACCEPT in the *mangle* table only means iptables does not do your
MARKing. It has no effect on these NAT table operations.
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
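Added example, not part of this thread or of Squid itself: a small Python check for the symptom Amos describes, parsing Squid native access.log lines and flagging entries whose ORIGINAL_DST (or CONNECT target) is the proxy's own address, which means the NAT layer handed Squid a connection that was already destined for Squid. The sample lines are constructed from the excerpt above; the 198.51.100.10 entry is an invented normal request, and the proxy address set is an assumption for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample, modelled on the log excerpt in the thread.
# Native format: timestamp elapsed client code/status bytes method URL user hierarchy/host type
SAMPLE_LOG = """\
1510489280.731      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.836      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html
1510489281.002     35 192.168.1.200 TCP_MISS/200 8120 GET http://example.invalid/ - ORIGINAL_DST/198.51.100.10 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hierarchy>[^/\s]+)/(?P<peer>\S+)\s+(?P<type>\S+)\s*$"
)

@dataclass
class Entry:
    ts: float
    client: str
    result: str      # e.g. TCP_MISS/503
    method: str
    url: str
    hierarchy: str   # e.g. ORIGINAL_DST
    peer: str        # host part after the slash; for ORIGINAL_DST, the NAT-reported destination

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], m["result"], m["method"],
                 m["url"], m["hierarchy"], m["peer"])

def find_interception_loops(log_text: str, proxy_addrs: Set[str]) -> List[Entry]:
    """Return entries where the intercepted destination is the proxy itself (a NAT loop)."""
    loops = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        # ORIGINAL_DST/<ip>: the NAT tables said the client was connecting to <ip>.
        if e.hierarchy == "ORIGINAL_DST" and e.peer in proxy_addrs:
            loops.append(e)
        # A CONNECT whose target host is the proxy: same symptom on the intercepted TLS side.
        elif e.method == "CONNECT" and e.url.split(":")[0] in proxy_addrs:
            loops.append(e)
    return loops
```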