squid transparent proxy (intercept) + router












0















there is already a configured transparent proxy squid-3.5.27, there is an EdgeOSEdgeRouter router



I want to make a circuit



all computers on the network -> router -> squid



squid - 109.0.0.110
router - 109.0.0.1
test Windows - 109.0.0.8



configuration squid.conf, version - squid-3.5.27



# You should use the same dns resolver on squid and all clients

dns_nameservers 127.0.0.1



# acls

acl localnet src 109.0.0.0/24        # RFC1918 possible internal network

acl localnet src 192.168.1.0/24 # RFC1918 possible internal network

acl localnet src 192.168.10.0/24        # RFC1918 possible internal network



acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT



acl blocked_http dstdomain "/etc/squid/blocked_sites.txt"



# http access

http_access deny !Safe_ports



http_access deny CONNECT !SSL_ports



http_access allow localhost manager

http_access deny manager



http_access deny blocked_http



http_access allow localnet

http_access allow localhost

http_access deny all



http_port 3128 intercept

https_port 3129 intercept  ssl-bump connection-auth=off cert=/etc/squid/squidCA.pem

http_port 3130



always_direct allow all

sslproxy_cert_error allow all

sslproxy_flags DONT_VERIFY_PEER



acl blocked ssl::server_name "/etc/squid/blocked_https.txt"

acl whitelist src "/etc/squid/whitelist_ip.txt"

ssl_bump splice whitelist

acl step1 at_step SslBump1

ssl_bump peek step1



ssl_bump terminate blocked

ssl_bump splice all



sslcrtd_program /opt/source/squid-3.5.27/src/ssl/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 8 startup=1 idle=1



acl YOUTUBE ssl::server_name .googlevideo.com

delay_pools 1

delay_class 1 2

delay_parameters 1 -1/-1 5120/5120

delay_access 1 allow YOUTUBE



coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|?) 0     0%      0

refresh_pattern .               0       20%     4320

cache_dir aufs /var/spool/squid 20000 49 256

maximum_object_size 61440 KB

minimum_object_size 3 KB



cache_swap_low 90

cache_swap_high 95

maximum_object_size_in_memory 512 KB

memory_replacement_policy lru

logfile_rotate 4


try this doc



iptables -t nat -A PREROUTING -i eth0 ! -s 109.0.0.110 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128

iptables -t nat -A POSTROUTING -o eth0 -s 109.0.0.8/32 -d 109.0.0.110/32 -j SNAT --to 109.0.0.1

iptables -A FORWARD -s 109.0.0.8/32 -d 109.0.0.110/32 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT


prescribed iptables



I try to open a site on a test Windows (109.0.0.8) - access is denied, on Windows the gateway is 109.0.0.1, in the logs on squid



1546203601.533      0 109.0.0.110 TCP_MISS/403 4857 GET http://myip.ru/ - HIER_NONE/- text/html

1546203601.533      1 109.0.0.1 TCP_MISS/403 4977 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html


tcpdump squid server



11:00:57.141246 IP 109.0.0.8.54026 > myip.ru.http: Flags [F.], seq 1, ack 1, win 2087, length 0

11:00:57.141570 IP 109.0.0.8.54030 > myip.ru.http: Flags [S], seq 1736419147, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

11:00:57.141971 IP myip.ru.http > 109.0.0.8.54026: Flags [.], ack 2, win 58, length 0

11:00:57.142115 IP myip.ru.http > 109.0.0.8.54026: Flags [F.], seq 1, ack 2, win 58, length 0

11:00:57.142304 IP myip.ru.http > 109.0.0.8.54030: Flags [S.], seq 4065681746, ack 1736419148, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 9], length 0

11:00:57.142363 IP 109.0.0.8.54026 > myip.ru.http: Flags [.], ack 2, win 2087, length 0

11:00:57.142505 IP 109.0.0.8.54030 > myip.ru.http: Flags [.], ack 1, win 260, length 0

11:00:57.144743 IP 109.0.0.8.54025 > myip.ru.http: Flags [P.], seq 2136:2856, ack 23054, win 2087, length 720: HTTP: GET / HTTP/1.1

11:00:57.146027 IP myip.ru.http > 109.0.0.8.54025: Flags [P.], seq 23054:23572, ack 2856, win 69, length 518: HTTP: HTTP/1.1 403 Forbidden


tell me what could be the problem, I will be grateful for any help?



Update



when you open a site on http by Windows, it is issued - 403, by https - an invalid certificate, the proxy server certificate is substituted in the browser, what am I doing wrong?



Update 2



when adding rules on a router



iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128

iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 443 -j DNAT --to 109.0.0.110:3129

iptables -t nat -I POSTROUTING -o eth0 -s 109.0.0.8 -d 109.0.0.110 -j SNAT --to 109.0.0.1


proxy server rules



*nat

:PREROUTING ACCEPT [314:20555]

:INPUT ACCEPT [313:20511]

:OUTPUT ACCEPT [844:60999]

:POSTROUTING ACCEPT [2:130]

-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A POSTROUTING -s 109.0.0.0/24 -j SNAT --to-source 109.0.0.110

-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 109.0.0.110

-A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 109.0.0.110

COMMIT

*filter

:INPUT ACCEPT [340:18626]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [1809:273786]

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -s 109.0.0.0/24 -j ACCEPT

-A INPUT -s 192.168.1.0/24 -j ACCEPT

-A INPUT -s 192.168.10.0/24 -j ACCEPT

-A INPUT -j LOG

-A INPUT -p tcp -m multiport --dports 3128:3130 -j DROP

-A FORWARD -s 109.0.0.0/24 -p udp -m multiport --dports 80,443 -j DROP

COMMIT


when you open a site on Windows on http, in cache.log



kid1| WARNING: Forwarding loop detected for:

GET / HTTP/1.1^M

Upgrade-Insecure-Requests: 1^M

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8^M

Accept-Encoding: gzip, deflate^M

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M

Via: 1.1 proxy.server (squid/3.5.27)^M

X-Forwarded-For: 109.0.0.1^M

Cache-Control: max-age=259200^M

Connection: keep-alive^M

Host: myip.ru^M

^M

kid1| WARNING: Forwarding loop detected for:

GET /favicon.ico HTTP/1.1^M

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M

Accept: image/webp,image/apng,image/*,*/*;q=0.8^M

Referer: http://myip.ru/^M

Accept-Encoding: gzip, deflate^M

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M

Via: 1.1 proxy.server (squid/3.5.27)^M

X-Forwarded-For: 109.0.0.1^M

Cache-Control: max-age=259200^M

Connection: keep-alive^M

Host: myip.ru^M


in access.log



1546711344.892      0 109.0.0.110 TCP_MISS/403 4514 GET http://myip.ru/ - HIER_NONE/- text/html

1546711344.893      0 109.0.0.1 TCP_MISS/403 4634 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html

1546711344.913      0 109.0.0.110 TCP_MISS/403 4479 GET http://myip.ru/favicon.ico - HIER_NONE/- text/html

1546711344.913      0 109.0.0.1 TCP_MISS/403 4599 GET http://myip.ru/favicon.ico - ORIGINAL_DST/109.0.0.110 text/html



WARNING: Forwarding loop detected for




how to fix it, any help ?






proxy router transparent squid







share|improve this question

























  • if I prescribe a gateway on Windows - 109.0.0.110, then everything works without firewall rules, but you need to configure it to work through a router - 109.0.0.1

    – Garcia
    Jan 3 at 14:02
















0















there is already a configured transparent proxy squid-3.5.27, there is an EdgeOSEdgeRouter router



I want to make a circuit



all computers on the network -> router -> squid



squid - 109.0.0.110
router - 109.0.0.1
test Windows - 109.0.0.8



configuration squid.conf, version - squid-3.5.27



# You should use the same dns resolver on squid and all clients

dns_nameservers 127.0.0.1



# acls

acl localnet src 109.0.0.0/24        # RFC1918 possible internal network

acl localnet src 192.168.1.0/24 # RFC1918 possible internal network

acl localnet src 192.168.10.0/24        # RFC1918 possible internal network



acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT



acl blocked_http dstdomain "/etc/squid/blocked_sites.txt"



# http access

http_access deny !Safe_ports



http_access deny CONNECT !SSL_ports



http_access allow localhost manager

http_access deny manager



http_access deny blocked_http



http_access allow localnet

http_access allow localhost

http_access deny all



http_port 3128 intercept

https_port 3129 intercept  ssl-bump connection-auth=off cert=/etc/squid/squidCA.pem

http_port 3130



always_direct allow all

sslproxy_cert_error allow all

sslproxy_flags DONT_VERIFY_PEER



acl blocked ssl::server_name "/etc/squid/blocked_https.txt"

acl whitelist src "/etc/squid/whitelist_ip.txt"

ssl_bump splice whitelist

acl step1 at_step SslBump1

ssl_bump peek step1



ssl_bump terminate blocked

ssl_bump splice all



sslcrtd_program /opt/source/squid-3.5.27/src/ssl/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 8 startup=1 idle=1



acl YOUTUBE ssl::server_name .googlevideo.com

delay_pools 1

delay_class 1 2

delay_parameters 1 -1/-1 5120/5120

delay_access 1 allow YOUTUBE



coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|?) 0     0%      0

refresh_pattern .               0       20%     4320

cache_dir aufs /var/spool/squid 20000 49 256

maximum_object_size 61440 KB

minimum_object_size 3 KB



cache_swap_low 90

cache_swap_high 95

maximum_object_size_in_memory 512 KB

memory_replacement_policy lru

logfile_rotate 4


try this doc



iptables -t nat -A PREROUTING -i eth0 ! -s 109.0.0.110 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128

iptables -t nat -A POSTROUTING -o eth0 -s 109.0.0.8/32 -d 109.0.0.110/32 -j SNAT --to 109.0.0.1

iptables -A FORWARD -s 109.0.0.8/32 -d 109.0.0.110/32 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT


prescribed iptables



I try to open a site on a test Windows (109.0.0.8) - access is denied, on Windows the gateway is 109.0.0.1, in the logs on squid



1546203601.533      0 109.0.0.110 TCP_MISS/403 4857 GET http://myip.ru/ - HIER_NONE/- text/html

1546203601.533      1 109.0.0.1 TCP_MISS/403 4977 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html


tcpdump squid server



11:00:57.141246 IP 109.0.0.8.54026 > myip.ru.http: Flags [F.], seq 1, ack 1, win 2087, length 0

11:00:57.141570 IP 109.0.0.8.54030 > myip.ru.http: Flags [S], seq 1736419147, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

11:00:57.141971 IP myip.ru.http > 109.0.0.8.54026: Flags [.], ack 2, win 58, length 0

11:00:57.142115 IP myip.ru.http > 109.0.0.8.54026: Flags [F.], seq 1, ack 2, win 58, length 0

11:00:57.142304 IP myip.ru.http > 109.0.0.8.54030: Flags [S.], seq 4065681746, ack 1736419148, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 9], length 0

11:00:57.142363 IP 109.0.0.8.54026 > myip.ru.http: Flags [.], ack 2, win 2087, length 0

11:00:57.142505 IP 109.0.0.8.54030 > myip.ru.http: Flags [.], ack 1, win 260, length 0

11:00:57.144743 IP 109.0.0.8.54025 > myip.ru.http: Flags [P.], seq 2136:2856, ack 23054, win 2087, length 720: HTTP: GET / HTTP/1.1

11:00:57.146027 IP myip.ru.http > 109.0.0.8.54025: Flags [P.], seq 23054:23572, ack 2856, win 69, length 518: HTTP: HTTP/1.1 403 Forbidden


tell me what could be the problem, I will be grateful for any help?



Update



when you open a site on http by Windows, it is issued - 403, by https - an invalid certificate, the proxy server certificate is substituted in the browser, what am I doing wrong?



Update 2



when adding rules on a router



iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128

iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 443 -j DNAT --to 109.0.0.110:3129

iptables -t nat -I POSTROUTING -o eth0 -s 109.0.0.8 -d 109.0.0.110 -j SNAT --to 109.0.0.1


proxy server rules



*nat

:PREROUTING ACCEPT [314:20555]

:INPUT ACCEPT [313:20511]

:OUTPUT ACCEPT [844:60999]

:POSTROUTING ACCEPT [2:130]

-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A POSTROUTING -s 109.0.0.0/24 -j SNAT --to-source 109.0.0.110

-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 109.0.0.110

-A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 109.0.0.110

COMMIT

*filter

:INPUT ACCEPT [340:18626]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [1809:273786]

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -s 109.0.0.0/24 -j ACCEPT

-A INPUT -s 192.168.1.0/24 -j ACCEPT

-A INPUT -s 192.168.10.0/24 -j ACCEPT

-A INPUT -j LOG

-A INPUT -p tcp -m multiport --dports 3128:3130 -j DROP

-A FORWARD -s 109.0.0.0/24 -p udp -m multiport --dports 80,443 -j DROP

COMMIT


when you open a site on Windows on http, in cache.log



kid1| WARNING: Forwarding loop detected for:

GET / HTTP/1.1^M

Upgrade-Insecure-Requests: 1^M

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8^M

Accept-Encoding: gzip, deflate^M

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M

Via: 1.1 proxy.server (squid/3.5.27)^M

X-Forwarded-For: 109.0.0.1^M

Cache-Control: max-age=259200^M

Connection: keep-alive^M

Host: myip.ru^M

^M

kid1| WARNING: Forwarding loop detected for:

GET /favicon.ico HTTP/1.1^M

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M

Accept: image/webp,image/apng,image/*,*/*;q=0.8^M

Referer: http://myip.ru/^M

Accept-Encoding: gzip, deflate^M

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M

Via: 1.1 proxy.server (squid/3.5.27)^M

X-Forwarded-For: 109.0.0.1^M

Cache-Control: max-age=259200^M

Connection: keep-alive^M

Host: myip.ru^M


in access.log



1546711344.892      0 109.0.0.110 TCP_MISS/403 4514 GET http://myip.ru/ - HIER_NONE/- text/html

1546711344.893      0 109.0.0.1 TCP_MISS/403 4634 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html

1546711344.913      0 109.0.0.110 TCP_MISS/403 4479 GET http://myip.ru/favicon.ico - HIER_NONE/- text/html

1546711344.913      0 109.0.0.1 TCP_MISS/403 4599 GET http://myip.ru/favicon.ico - ORIGINAL_DST/109.0.0.110 text/html



WARNING: Forwarding loop detected for




how to fix it, any help ?






proxy router transparent squid







share|improve this question

























  • if I prescribe a gateway on Windows - 109.0.0.110, then everything works without firewall rules, but you need to configure it to work through a router - 109.0.0.1

    – Garcia
    Jan 3 at 14:02














0












0








0








there is already a configured transparent proxy squid-3.5.27, there is an EdgeOSEdgeRouter router



I want to make a circuit



all computers on the network -> router -> squid



squid - 109.0.0.110
router - 109.0.0.1
test Windows - 109.0.0.8



configuration squid.conf, version - squid-3.5.27



# You should use the same dns resolver on squid and all clients

dns_nameservers 127.0.0.1



# acls

acl localnet src 109.0.0.0/24        # RFC1918 possible internal network

acl localnet src 192.168.1.0/24 # RFC1918 possible internal network

acl localnet src 192.168.10.0/24        # RFC1918 possible internal network



acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT



acl blocked_http dstdomain "/etc/squid/blocked_sites.txt"



# http access

http_access deny !Safe_ports



http_access deny CONNECT !SSL_ports



http_access allow localhost manager

http_access deny manager



http_access deny blocked_http



http_access allow localnet

http_access allow localhost

http_access deny all



http_port 3128 intercept

https_port 3129 intercept  ssl-bump connection-auth=off cert=/etc/squid/squidCA.pem

http_port 3130



always_direct allow all

sslproxy_cert_error allow all

sslproxy_flags DONT_VERIFY_PEER



acl blocked ssl::server_name "/etc/squid/blocked_https.txt"

acl whitelist src "/etc/squid/whitelist_ip.txt"

ssl_bump splice whitelist

acl step1 at_step SslBump1

ssl_bump peek step1



ssl_bump terminate blocked

ssl_bump splice all



sslcrtd_program /opt/source/squid-3.5.27/src/ssl/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 8 startup=1 idle=1



acl YOUTUBE ssl::server_name .googlevideo.com

delay_pools 1

delay_class 1 2

delay_parameters 1 -1/-1 5120/5120

delay_access 1 allow YOUTUBE



coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|?) 0     0%      0

refresh_pattern .               0       20%     4320

cache_dir aufs /var/spool/squid 20000 49 256

maximum_object_size 61440 KB

minimum_object_size 3 KB



cache_swap_low 90

cache_swap_high 95

maximum_object_size_in_memory 512 KB

memory_replacement_policy lru

logfile_rotate 4


try this doc



iptables -t nat -A PREROUTING -i eth0 ! -s 109.0.0.110 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128

iptables -t nat -A POSTROUTING -o eth0 -s 109.0.0.8/32 -d 109.0.0.110/32 -j SNAT --to 109.0.0.1

iptables -A FORWARD -s 109.0.0.8/32 -d 109.0.0.110/32 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT


prescribed iptables



I try to open a site on a test Windows (109.0.0.8) - access is denied, on Windows the gateway is 109.0.0.1, in the logs on squid



1546203601.533      0 109.0.0.110 TCP_MISS/403 4857 GET http://myip.ru/ - HIER_NONE/- text/html

1546203601.533      1 109.0.0.1 TCP_MISS/403 4977 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html


tcpdump squid server



11:00:57.141246 IP 109.0.0.8.54026 > myip.ru.http: Flags [F.], seq 1, ack 1, win 2087, length 0

11:00:57.141570 IP 109.0.0.8.54030 > myip.ru.http: Flags [S], seq 1736419147, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

11:00:57.141971 IP myip.ru.http > 109.0.0.8.54026: Flags [.], ack 2, win 58, length 0

11:00:57.142115 IP myip.ru.http > 109.0.0.8.54026: Flags [F.], seq 1, ack 2, win 58, length 0

11:00:57.142304 IP myip.ru.http > 109.0.0.8.54030: Flags [S.], seq 4065681746, ack 1736419148, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 9], length 0

11:00:57.142363 IP 109.0.0.8.54026 > myip.ru.http: Flags [.], ack 2, win 2087, length 0

11:00:57.142505 IP 109.0.0.8.54030 > myip.ru.http: Flags [.], ack 1, win 260, length 0

11:00:57.144743 IP 109.0.0.8.54025 > myip.ru.http: Flags [P.], seq 2136:2856, ack 23054, win 2087, length 720: HTTP: GET / HTTP/1.1

11:00:57.146027 IP myip.ru.http > 109.0.0.8.54025: Flags [P.], seq 23054:23572, ack 2856, win 69, length 518: HTTP: HTTP/1.1 403 Forbidden


tell me what could be the problem, I will be grateful for any help?



Update



when you open a site on http by Windows, it is issued - 403, by https - an invalid certificate, the proxy server certificate is substituted in the browser, what am I doing wrong?



Update 2



when adding rules on a router



iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128

iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 443 -j DNAT --to 109.0.0.110:3129

iptables -t nat -I POSTROUTING -o eth0 -s 109.0.0.8 -d 109.0.0.110 -j SNAT --to 109.0.0.1


proxy server rules



*nat

:PREROUTING ACCEPT [314:20555]

:INPUT ACCEPT [313:20511]

:OUTPUT ACCEPT [844:60999]

:POSTROUTING ACCEPT [2:130]

-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A POSTROUTING -s 109.0.0.0/24 -j SNAT --to-source 109.0.0.110

-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 109.0.0.110

-A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 109.0.0.110

COMMIT

*filter

:INPUT ACCEPT [340:18626]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [1809:273786]

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -s 109.0.0.0/24 -j ACCEPT

-A INPUT -s 192.168.1.0/24 -j ACCEPT

-A INPUT -s 192.168.10.0/24 -j ACCEPT

-A INPUT -j LOG

-A INPUT -p tcp -m multiport --dports 3128:3130 -j DROP

-A FORWARD -s 109.0.0.0/24 -p udp -m multiport --dports 80,443 -j DROP

COMMIT


when you open a site on Windows on http, in cache.log



kid1| WARNING: Forwarding loop detected for:

GET / HTTP/1.1^M

Upgrade-Insecure-Requests: 1^M

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8^M

Accept-Encoding: gzip, deflate^M

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M

Via: 1.1 proxy.server (squid/3.5.27)^M

X-Forwarded-For: 109.0.0.1^M

Cache-Control: max-age=259200^M

Connection: keep-alive^M

Host: myip.ru^M

^M

kid1| WARNING: Forwarding loop detected for:

GET /favicon.ico HTTP/1.1^M

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M

Accept: image/webp,image/apng,image/*,*/*;q=0.8^M

Referer: http://myip.ru/^M

Accept-Encoding: gzip, deflate^M

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M

Via: 1.1 proxy.server (squid/3.5.27)^M

X-Forwarded-For: 109.0.0.1^M

Cache-Control: max-age=259200^M

Connection: keep-alive^M

Host: myip.ru^M


in access.log



1546711344.892      0 109.0.0.110 TCP_MISS/403 4514 GET http://myip.ru/ - HIER_NONE/- text/html

1546711344.893      0 109.0.0.1 TCP_MISS/403 4634 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html

1546711344.913      0 109.0.0.110 TCP_MISS/403 4479 GET http://myip.ru/favicon.ico - HIER_NONE/- text/html

1546711344.913      0 109.0.0.1 TCP_MISS/403 4599 GET http://myip.ru/favicon.ico - ORIGINAL_DST/109.0.0.110 text/html



WARNING: Forwarding loop detected for




how to fix it, any help ?






proxy router transparent squid







share|improve this question
















there is already a configured transparent proxy squid-3.5.27, there is an EdgeOSEdgeRouter router



I want to make a circuit



all computers on the network -> router -> squid



squid - 109.0.0.110
router - 109.0.0.1
test Windows - 109.0.0.8



configuration squid.conf, version - squid-3.5.27



# You should use the same dns resolver on squid and all clients

dns_nameservers 127.0.0.1



# acls

acl localnet src 109.0.0.0/24        # RFC1918 possible internal network

acl localnet src 192.168.1.0/24 # RFC1918 possible internal network

acl localnet src 192.168.10.0/24        # RFC1918 possible internal network



acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT



acl blocked_http dstdomain "/etc/squid/blocked_sites.txt"



# http access

http_access deny !Safe_ports



http_access deny CONNECT !SSL_ports



http_access allow localhost manager

http_access deny manager



http_access deny blocked_http



http_access allow localnet

http_access allow localhost

http_access deny all



http_port 3128 intercept

https_port 3129 intercept  ssl-bump connection-auth=off cert=/etc/squid/squidCA.pem

http_port 3130



always_direct allow all

sslproxy_cert_error allow all

sslproxy_flags DONT_VERIFY_PEER



acl blocked ssl::server_name "/etc/squid/blocked_https.txt"

acl whitelist src "/etc/squid/whitelist_ip.txt"

ssl_bump splice whitelist

acl step1 at_step SslBump1

ssl_bump peek step1



ssl_bump terminate blocked

ssl_bump splice all



sslcrtd_program /opt/source/squid-3.5.27/src/ssl/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 8 startup=1 idle=1



acl YOUTUBE ssl::server_name .googlevideo.com

delay_pools 1

delay_class 1 2

delay_parameters 1 -1/-1 5120/5120

delay_access 1 allow YOUTUBE



coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|?) 0     0%      0

refresh_pattern .               0       20%     4320

cache_dir aufs /var/spool/squid 20000 49 256

maximum_object_size 61440 KB

minimum_object_size 3 KB



cache_swap_low 90

cache_swap_high 95

maximum_object_size_in_memory 512 KB

memory_replacement_policy lru

logfile_rotate 4


try this doc



iptables -t nat -A PREROUTING -i eth0 ! -s 109.0.0.110 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128

iptables -t nat -A POSTROUTING -o eth0 -s 109.0.0.8/32 -d 109.0.0.110/32 -j SNAT --to 109.0.0.1

iptables -A FORWARD -s 109.0.0.8/32 -d 109.0.0.110/32 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT


prescribed iptables



I try to open a site on a test Windows (109.0.0.8) - access is denied, on Windows the gateway is 109.0.0.1, in the logs on squid



1546203601.533      0 109.0.0.110 TCP_MISS/403 4857 GET http://myip.ru/ - HIER_NONE/- text/html

1546203601.533      1 109.0.0.1 TCP_MISS/403 4977 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html


tcpdump squid server



11:00:57.141246 IP 109.0.0.8.54026 > myip.ru.http: Flags [F.], seq 1, ack 1, win 2087, length 0

11:00:57.141570 IP 109.0.0.8.54030 > myip.ru.http: Flags [S], seq 1736419147, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

11:00:57.141971 IP myip.ru.http > 109.0.0.8.54026: Flags [.], ack 2, win 58, length 0

11:00:57.142115 IP myip.ru.http > 109.0.0.8.54026: Flags [F.], seq 1, ack 2, win 58, length 0

11:00:57.142304 IP myip.ru.http > 109.0.0.8.54030: Flags [S.], seq 4065681746, ack 1736419148, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 9], length 0

11:00:57.142363 IP 109.0.0.8.54026 > myip.ru.http: Flags [.], ack 2, win 2087, length 0

11:00:57.142505 IP 109.0.0.8.54030 > myip.ru.http: Flags [.], ack 1, win 260, length 0

11:00:57.144743 IP 109.0.0.8.54025 > myip.ru.http: Flags [P.], seq 2136:2856, ack 23054, win 2087, length 720: HTTP: GET / HTTP/1.1

11:00:57.146027 IP myip.ru.http > 109.0.0.8.54025: Flags [P.], seq 23054:23572, ack 2856, win 69, length 518: HTTP: HTTP/1.1 403 Forbidden


tell me what could be the problem, I will be grateful for any help?



Update



when you open a site on http by Windows, it is issued - 403, by https - an invalid certificate, the proxy server certificate is substituted in the browser, what am I doing wrong?



Update 2



when adding rules on a router



iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128

iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 443 -j DNAT --to 109.0.0.110:3129

iptables -t nat -I POSTROUTING -o eth0 -s 109.0.0.8 -d 109.0.0.110 -j SNAT --to 109.0.0.1


proxy server rules



*nat

:PREROUTING ACCEPT [314:20555]

:INPUT ACCEPT [313:20511]

:OUTPUT ACCEPT [844:60999]

:POSTROUTING ACCEPT [2:130]

-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

-A POSTROUTING -s 109.0.0.0/24 -j SNAT --to-source 109.0.0.110

-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 109.0.0.110

-A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 109.0.0.110

COMMIT

*filter

:INPUT ACCEPT [340:18626]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [1809:273786]

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -s 109.0.0.0/24 -j ACCEPT

-A INPUT -s 192.168.1.0/24 -j ACCEPT

-A INPUT -s 192.168.10.0/24 -j ACCEPT

-A INPUT -j LOG

-A INPUT -p tcp -m multiport --dports 3128:3130 -j DROP

-A FORWARD -s 109.0.0.0/24 -p udp -m multiport --dports 80,443 -j DROP

COMMIT


when you open a site on Windows on http, in cache.log



kid1| WARNING: Forwarding loop detected for:

GET / HTTP/1.1^M

Upgrade-Insecure-Requests: 1^M

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8^M

Accept-Encoding: gzip, deflate^M

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M

Via: 1.1 proxy.server (squid/3.5.27)^M

X-Forwarded-For: 109.0.0.1^M

Cache-Control: max-age=259200^M

Connection: keep-alive^M

Host: myip.ru^M

^M

kid1| WARNING: Forwarding loop detected for:

GET /favicon.ico HTTP/1.1^M

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M

Accept: image/webp,image/apng,image/*,*/*;q=0.8^M

Referer: http://myip.ru/^M

Accept-Encoding: gzip, deflate^M

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M

Via: 1.1 proxy.server (squid/3.5.27)^M

X-Forwarded-For: 109.0.0.1^M

Cache-Control: max-age=259200^M

Connection: keep-alive^M

Host: myip.ru^M


in access.log



1546711344.892      0 109.0.0.110 TCP_MISS/403 4514 GET http://myip.ru/ - HIER_NONE/- text/html

1546711344.893      0 109.0.0.1 TCP_MISS/403 4634 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html

1546711344.913      0 109.0.0.110 TCP_MISS/403 4479 GET http://myip.ru/favicon.ico - HIER_NONE/- text/html

1546711344.913      0 109.0.0.1 TCP_MISS/403 4599 GET http://myip.ru/favicon.ico - ORIGINAL_DST/109.0.0.110 text/html



WARNING: Forwarding loop detected for




how to fix it, any help ?






proxy router transparent squid




proxy router transparent squid






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 5 at 19:59







Garcia

















asked Jan 2 at 14:20









GarciaGarcia

13




13













  • if I prescribe a gateway on Windows - 109.0.0.110, then everything works without firewall rules, but you need to configure it to work through a router - 109.0.0.1

    – Garcia
    Jan 3 at 14:02



















  • if I prescribe a gateway on Windows - 109.0.0.110, then everything works without firewall rules, but you need to configure it to work through a router - 109.0.0.1

    – Garcia
    Jan 3 at 14:02

















if I prescribe a gateway on Windows - 109.0.0.110, then everything works without firewall rules, but you need to configure it to work through a router - 109.0.0.1

– Garcia
Jan 3 at 14:02





if I prescribe a gateway on Windows - 109.0.0.110, then everything works without firewall rules, but you need to configure it to work through a router - 109.0.0.1

– Garcia
Jan 3 at 14:02












0






active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54007978%2fsquid-transparent-proxy-intercept-router%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54007978%2fsquid-transparent-proxy-intercept-router%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

MongoDB - Not Authorized To Execute Command

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I have successfully enabled authorization on MongoDB and I have created an account on the admin database and then I created an account for my database called test. The following connection string to connect to my test database works successfully: mongo --host 192.168.17.52 --port 27017 -u user1 -p password --authenticationDatabase test Only problem I have now is, I cannot execute commands such as: show dbs. I get the following error when I try to do so: "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, lsid: { id: UUID("a1d5bc0d-bc58-485e-b232-270758a89455") }, $db: "admin...
Read more

How to fix TextFormField cause rebuild widget in Flutter

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I've got the same issue at #9280. I tried all solutions from that topic with/without GlobalKey for Scaffold and Form but the problem wasn't fixed. I tried to build a authentication form with login and signup. But the keyboard doesn't show when I tap the TextFormField at the first time. Then I try to input some letter from physical keyboard, the widget is rebuilt. Like this: login screen Nothing to be log when I run flutter run --verbose, so I logged manually. Every tapping on field, the widget called dispose -> init -> build. [√] Flutter (Channel beta, v1.0.0, on Microsoft Windows [Version 10.0.17763.195], ...
Read more

in spring boot 2.1 many test slices are not allowed anymore due to multiple @BootstrapWith

Image
1 I tried to upgrade a yummy sandwich made of two test slices (@JsonTest and @JdbcTest in my case, crunchy test code in between) adding spring boot 2.1 flavour to it. But it seems it was not much of a success. I cannot annotate my tests with many @...Test since they are now each bringing their own XxxTestContextBootstrapper. It used to work when they all used same SpringBootTestContextBootstrapper. @RunWith(SpringRunner.class) @JdbcTest @JsonTest public class Test { @Test public void test() { System.out.printn("Hello, World !"); } } The error I get from BootstrapUtils is illegalStateException : Configuration error: found multiple declarations of @BootstrapWith for test class I understand I might be doing something wrong here but is there an easy way I could load both Json and Jdbc contex...
Read more