Re: [squid-users] Re: Squid transparent proxy with one nic access denied problem.

From: Spyros Vlachos <spyros86_at_gmail.com>
Date: Wed, 19 Feb 2014 22:59:39 +0200

Hello again! Thank you for your support. I am a little bit frustrated
but I managed to test it again.
Long story short, I tried every combination from the suggested links to
no avail.

For the router I did the following as suggested:
(I tried using lan, br-lan, eth0 and eth0.1 as the NIC's name, because it
is not obvious to me which one is the correct one.)
################################################################
# permit Squid box out to the Internet
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.1.20 -j ACCEPT

# mark everything else on port 80 to be routed to the Squid box
iptables -t mangle -A PREROUTING -i lan -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT

# NP: Ensure that traffic from inside the network is allowed to loop back inside again.
iptables -t filter -A FORWARD -i lan -o lan -p tcp --dport 80 -j ACCEPT

echo "201 proxy" >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table proxy
ip route add default via 192.168.1.20 table proxy
#################################################################

For the Squid server I did both of the following (with a service
networking restart between them):

#################################################################

# your proxy IP
SQUIDIP=192.168.1.20

# your proxy listening port
SQUIDPORT=3128

iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

#################################################################

And the next trial

#################################################################
# your proxy IP
SQUIDIP=192.168.1.20

# your proxy listening port
SQUIDPORT=3128

sudo iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
#################################################################

I kept getting connection refused (no Squid message) in the browser and
I had nothing in the access logs.
tcpdump on port 3128 showed nothing.

Thank you again!
Spyros

On 18/2/2014 10:30 PM, Niki Gorchilov wrote:
> Second NIC is unnecessary.
>
> Better go the way Amos suggested - do a policy based routing on
> OpenWRT (http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute)
> and traffic interception on Linux
> (http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat or
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect).
>
> Best,
> Niki
>
> On Tue, Feb 18, 2014 at 9:22 PM, Spyros Vlachos <spyros86_at_gmail.com> wrote:
>> I checked out your suggestions but I keep getting the same error...
>> I will buy a second nic and make my setup simpler.
>> Thank you!
>>
>> On 18/2/2014 3:05 AM, Spyros Vlachos wrote:
>>
>> Thank you very much! I'll try the things you suggested.
>>
>> Spyros Vlachos
>>
>>
>> On 18 Feb 2014, at 2:16 AM, Nikolai Gorchilov <niki_at_x3me.net> wrote:
>>
>> Hi Spyros,
>>
>> Seems you're experiencing request loops, which are unrelated to your ACLs.
>>
>> Looking at the logs, we can clearly see pairs of requests for the same
>> URL. Like this:
>> 1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
>> 1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
>>
>> As the logging happens at the end of transaction, records are ordered
>> by finish time, not start. They actually started in reverse order:
>> 1. First came the request from 192.168.1.1 for http://www.tvxs.gr/.
>> 2. As it was considered a MISS, your Squid decided to go directly to
>> the destination server (thus hierarchy code HIER_DIRECT)
>> 3. PROBLEM! PROBLEM! Surprisingly, Squid resolves www.tvxs.gr as
>> 192.168.1.20 and fires the request towards this IP!
>> 4. Boom! This is how the same request arrives again, this time from
>> source IP 192.168.1.20 (Squid itself). We have a loop!
>> 5. Squid detects the loop (something like "WARNING: Forwarding loop
>> detected" in cache.log) and generates internal error response like
>> HTTP/403 Forbidden, using ERR_ACCESS_DENIED or alike. Thus hierarchy
>> code is HIER_NONE.
>> 6. The error returns in the first instance of this request after 1ms,
>> and Squid returns it to the original caller (TCP_MISS/403).
>>
>> I don't have a clear idea what the root cause of the loop is, but I'd do:
>> 1. make http_port 192.168.1.20:3128 intercept
>> 2. study carefully DNS settings of both Ubuntu and OpenWRT:
>> - /etc/resolv.conf
>> - iptables: DNS interceptions and redirections (UDP & TCP port 53)
>> - change with other public DNS services
>> - tcpdump as much as possible ;-)
>>
>> Hope this helps!
>>
>> Best,
>> Niki
>>
>> On Tue, Feb 18, 2014 at 12:05 AM, Spyros Vlachos <spyros86_at_gmail.com> wrote:
>> Hello! Sorry, but I am new to this list and I don't know if I have sent
>> the mail correctly and if anyone can see this. Is this the case?
>> Sorry and thank you!
>>
>> On Mon, Feb 17, 2014 at 2:24 PM, Spyros Vlachos <spyros86_at_gmail.com> wrote:
>> Hello! Thank you in advance for your help.
>> I have a fairly simple home network setup.
>> I have a modem (192.168.2.254) that connects to the internet.
>> Connected to that modem through its own wan port
>> I have an OpenWrt router (192.168.1.1). My internal network is the
>> 192.168.1.0/24 one. On the router I have connected
>> an Ubuntu 13.10 box (192.168.1.20) that acts as a Squid proxy and DNS
>> among other things. The Ubuntu box has one network card.
>> I had successfully installed a transparent Squid proxy by using DNAT
>> and SNAT on the router using the 12.04 version of Ubuntu.
>> Because of some problems with my UPS I tried to install Ubuntu 13.10,
>> which solved the UPS problem but also
>> upgraded the Squid package to 3.3.8 from 3.1.something. My Squid
>> configuration is as follows:
>>
>> #--Squid server 192.168.1.20---------------------------------------------------
>> acl localnet src 192.168.1.0/24
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl squid-prime dstdomain "/etc/squid3/squid-prime.acl"
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access deny squid-prime
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> http_port 3128 #HAVE tried transparent and intercept but the problem persists
>> coredump_dir /var/spool/squid3
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>> refresh_pattern . 0 20% 4320
>> dns_nameservers 8.8.8.8 #have tried to use the local dns 127.0.0.1 but the same problem
>> #-------------------------------------------------------
>>
>> I have tried disabling the DNS server of Ubuntu because I have heard
>> of some problems it can cause for Squid.
>>
>> My router (192.168.1.1) SNAT/DNAT configuration is (OpenWrt LuCI GUI):
>> 1) MATCH: From IP not 192.168.1.20 in lan Via any router IP at port 80
>> FORWARD TO: IP 192.168.1.20, port 3128 in lan
>> 2) MATCH: From any host in lan To IP 192.168.1.20, port 3128 in lan
>> Rewrite to source IP 192.168.1.1
>>
>> The error I get by using the above configurations is a constant Access
>> Denied error in the browser, and in the
>> Squid access log is:
>> #---------------------------------------------------------------------
>> 92 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590851.593 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590856.653 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590856.653 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590861.742 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590861.742 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590866.878 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590866.878 26 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590871.903 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590871.903 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590876.893 0 192.168.1.20 TCP_MISS/403 3985 GET http://notify7.dropbox.com/subscribe? - HIER_NONE/- text/html
>> 1392590876.893 1 192.168.1.1 TCP_MISS/403 4090 GET http://notify7.dropbox.com/subscribe? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590876.992 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590876.993 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590878.600 0 192.168.1.20 TCP_MISS/403 4390 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_NONE/- text/html
>> 1392590878.601 26 192.168.1.1 TCP_MISS/403 4495 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590882.093 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590882.093 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590887.153 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590887.153 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590889.524 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
>> 1392590889.525 79 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
>> 1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
>> 1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
>> #----------------------------------------------------------------------------------------------------
>>
>> Thank you in advance!
>>
>> --
>> Spyros Vlachos.

-- 
*Spyros Vlachos*
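The forwarding-loop pattern Niki reads out of the access.log above (a HIER_DIRECT record whose peer is the proxy's own IP, paired with a second record for the same URL whose client is the proxy itself) can be checked mechanically. This is an added example, not code from the thread or from the Squid project; it parses Squid's native access.log format, takes 192.168.1.20 from the thread as the proxy address, reuses two log records posted above and adds one constructed healthy record for contrast.

```python
"""Flag Squid forwarding loops in native-format access.log records.

Added example (not from the thread). When a transparent Squid resolves a
destination host to its own address, it forwards the request to itself:
access.log then shows HIER_DIRECT/<proxy ip> for the outer request and a
second record for the same URL whose client is the proxy (HIER_NONE/-).
"""
from collections import defaultdict

PROXY_IP = "192.168.1.20"  # the Squid box in the thread

# Two records copied from the thread's access.log, plus one constructed
# healthy record (93.184.216.34 is a made-up upstream address) for contrast.
SAMPLE_LOG = """\
1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
1392590895.000 120 192.168.1.33 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""


def parse_line(line):
    """Parse one native access.log record into a dict; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")       # e.g. TCP_MISS/403
    hier, _, peer = f[8].partition("/")         # e.g. HIER_DIRECT/192.168.1.20
    return {"ts": float(f[0]), "client": f[2], "code": code, "status": int(status),
            "method": f[5], "url": f[6], "hier": hier, "peer": peer}


def find_forwarding_loops(log_text, proxy_ip=PROXY_IP, window=1.0):
    """Return records Squid forwarded to its own address, with the real client.

    'confirmed' is True when a matching inner request (client == proxy_ip,
    HIER_NONE, same URL) finished within `window` seconds, i.e. the bounce
    back into Squid is visible in the log as well.
    """
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    inner = defaultdict(list)  # url -> records whose client is the proxy itself
    for r in recs:
        if r["client"] == proxy_ip and r["hier"] == "HIER_NONE":
            inner[r["url"]].append(r)
    loops = []
    for r in recs:
        if r["peer"] == proxy_ip:  # Squid sent this request to itself
            paired = any(abs(s["ts"] - r["ts"]) <= window for s in inner[r["url"]])
            loops.append({"url": r["url"], "client": r["client"],
                          "status": r["status"], "confirmed": paired})
    return loops


if __name__ == "__main__":
    for loop in find_forwarding_loops(SAMPLE_LOG):
        print(f"forwarding loop: {loop['client']} -> {loop['url']} "
              f"(HTTP {loop['status']}, paired inner request={loop['confirmed']})")
```

Any hit here means the DNS answer Squid got for that host was the proxy's own address, which is the thing to chase in /etc/resolv.conf and the port-53 iptables rules, as suggested above.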
Received on Wed Feb 19 2014 - 20:59:55 MST

This archive was generated by hypermail 2.2.0 : Thu Feb 20 2014 - 12:00:06 MST