Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Squid Error : ERROR: No forward-proxy ports configured.
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
JujuBickoille
n00b
n00b


Joined: 20 Apr 2010
Posts: 13

PostPosted: Thu Nov 29, 2012 8:29 pm    Post subject: Squid Error : ERROR: No forward-proxy ports configured. Reply with quote

Squid Error : ERROR: No forward-proxy ports configured.

Hi there,

I want to install on my Gentoo's box a squid server and redirect dport http to squid

it seem's to be easy to do, but I got a strange message in my cache.log

"kid1| ERROR: No forward-proxy ports configured."


My Network :

---------------------- ---------------------- ----------------------
- Wireless Network - - Ethernet Network - - VPN Network -
- 192.168.122.0/24 - - 192.168.101.0/24 - - 10.8.0.0/24 -
- if : wifi - - if : lan - - if : tap0 -
---------------------- ---------------------- ----------------------

---------------------------------
- Gentoo's Box -
- ip : wan 109.x.x.1 -
- ip : lan 192.168.101.1/24 -
- ip : wifi 192.168.122.1/24 -
---------------------------------



My Iptables script ( I use juste for generate, when it's okay I use /etc/init.d/iptables save )

#!/bin/bash

### Some Variables ###
ROUTER_IP=109.x.x.1
ROUTER_NET=109.x.x.0/24
SERV_IP=109.x.x.15

LAN_IP=192.168.101.1
LAN_NET=192.168.101.0/24

WIFI_IP=192.168.122.1
WIFI_NET=192.168.122.0/24

#Custom Ports
VPN_PORT=1194

BITTORENT_PORT=1337
BITTORENT_DST="192.168.101.100"

SQUID_PORT=3128

### Flush ###
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t filter -F
/sbin/iptables -t mangle -F
/sbin/iptables -X

### Set Default Policy to DROP ###
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP


# loopback accept
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

### INPUT POLICY ###

echo Enable SSH + log
iptables -N WAN_INPUT
iptables -A WAN_INPUT -p TCP --dport ssh -j LOG --log-prefix 'WAN_SSH '
iptables -A WAN_INPUT -p TCP --dport ssh -j ACCEPT

echo OpenVPN
iptables -A WAN_INPUT -p TCP --dport ${VPN_PORT} -j LOG --log-prefix "OpenVPN "
iptables -A WAN_INPUT -p TCP --dport ${VPN_PORT} -j ACCEPT

echo Log and Drop SERVER INPUT
iptables -A WAN_INPUT -j LOG --log-prefix 'WAN_INPUT_DROP '

echo INPUT from LANs ( Ethernet and Wireless )
iptables -N LAN_INPUT
iptables -A LAN_INPUT -p UDP --dport domain -j ACCEPT
iptables -A LAN_INPUT -p TCP --dport 3128 -j ACCEPT
iptables -A LAN_INPUT -p TCP --dport ssh -j ACCEPT
iptables -A LAN_INPUT -p UDP --dport ntp -j ACCEPT

iptables -A LAN_INPUT -j LOG --log-prefix 'LAN_INPUT_DROP '

## Redirect new connexion to good chain
# Accept DHCP requests from Local
iptables -A INPUT -m conntrack --ctstate NEW ! -i wan -p UDP --dport bootps -j ACCEPT
# Incoming from wan
iptables -A INPUT -m conntrack --ctstate NEW -i wan -d ${SERV_IP}/32 -j WAN_INPUT
# Incoming from wireless and ethernet ( we don't open anything from VPN )
iptables -A INPUT -m conntrack --ctstate NEW -i lan -s ${LAN_NET} -j LAN_INPUT
iptables -A INPUT -m conntrack --ctstate NEW -i wifi -s ${WIFI_NET} -j LAN_INPUT
# We accept related / established
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# We log anything rest ( usually commented )
iptables -A INPUT -j LOG --log-prefix 'INPUT_ALL_DROP '

### OUTPUT POLICY ###

iptables -N WAN_OUT
# I don't want server communicate with his subnetwork, except router ( not needed with public IP )
iptables -A WAN_OUT ! -d ${ROUTER_NET} -j ACCEPT
iptables -A WAN_OUT -d ${ROUTER_IP} -j ACCEPT
# I log anythings rest
iptables -A WAN_OUT -j LOG --log-prefix 'WAN_OUT_DROP '

# Add all OUTPUT to the WAN_OUT chain
iptables -A OUTPUT -o wan -j WAN_OUT

### LAN_OUTPUT : not really interesting
iptables -N LAN_OUT
iptables -A LAN_OUT -d ${LAN_NET} -j ACCEPT
iptables -A LAN_OUT -j LOG --log-prefix 'LAN_OUT_DROP '

iptables -N WIFI_OUTPUT
iptables -A WIFI_OUTPUT -d ${WIFI_NET} -j ACCEPT
iptables -A WIFI_OUTPUT -j LOG --log-prefix 'WIFI_OUT_DROP '

iptables -A OUTPUT -o lan -j LAN_OUT
iptables -A OUTPUT -o wifi -j WIFI_OUTPUT

iptables -A OUTPUT -j LOG --log-prefix 'OUTPUT_ALL_DROP '


### NAT ###

# Permit internet forwards to LAN network ( except for wan network )
# same previeously, i don't want router talk with LANs
/sbin/iptables -A FORWARD -i wan ! -s ${ROUTER_NET} -o lan -d ${LAN_NET} -j ACCEPT
/sbin/iptables -A FORWARD -i wan ! -s ${ROUTER_NET} -o wifi -d ${WIFI_NET} -j ACCEPT
# and LANs talk with wan router
/sbin/iptables -A FORWARD -i lan -s ${LAN_NET} -o wan ! -d ${ROUTER_NET} -j ACCEPT
/sbin/iptables -A FORWARD -i wifi -s ${WIFI_NET} -o wan ! -d ${ROUTER_NET} -j ACCEPT

# This must be disabled ! we don't want wireless and ethernet talk togather
#/sbin/iptables -A FORWARD -i wifi -s 192.168.122.0/24 -o lan -d 192.168.101.0/24 -j ACCEPT
#/sbin/iptables -A FORWARD -o wifi -d 192.168.122.0/24 -i lan -s 192.168.101.0/24 -j ACCEPT

# We log failed
iptables -A FORWARD -j LOG --log-prefix 'FORWARD_DROP '

#Redirect Bittorent to BITTORENT_DST
iptables -t nat -A PREROUTING -p tcp --dport ${BITTORENT_PORT} -i wan -j DNAT --to ${BITTORENT_DST}
iptables -t nat -A PREROUTING -p udp --dport ${BITTORENT_PORT} -i wan -j DNAT --to ${BITTORENT_DST}

# Redirect http trafic to squid
iptables -t nat -A PREROUTING -p tcp --dport http -i lan -s ${LAN_NET} -j REDIRECT --to-port ${SQUID_PORT}
iptables -t nat -A PREROUTING -p tcp --dport http -i wifi -s ${LAN_NET} -j REDIRECT --to-port ${SQUID_PORT}

# Redirect LANs NTP Trafic to server
iptables -t nat -A PREROUTING -p udp --dport ntp -i lan -s ${LAN_NET} -j DNAT --to-destination ${LAN_IP}:123
iptables -t nat -A PREROUTING -p udp --dport ntp -i wifi -s ${LAN_NET} -j DNAT --to-destination ${WIFI_IP}:123

# Redirect LANs DNS Trafic to server
iptables -t nat -A PREROUTING -p udp --dport domain -i lan -s ${LAN_NET} -j DNAT --to-destination ${LAN_IP}:53
iptables -t nat -A PREROUTING -p udp --dport domain -i wifi -s ${LAN_NET} -j DNAT --to-destination ${WIFI_IP}:53


# Finally, SNATing NAT Trafic with Public IP - aka NAT to world
/sbin/iptables -t nat -A POSTROUTING -o wan -j SNAT --to ${SERV_IP}



There is nothing of exceptionnal, I think

Now this is my squid conf

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 3128 intercept # I've try this too
http_port 3128 transparent
#http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


cache_mem 256 MB
half_closed_clients off
dns_nameservers 127.0.0.1 # I'm using my local DNSMASQ's DNS Server

visible_hostname 145.x.x.109.x.x.net # I got warning if I don't set it :X (or maybe add it to /etc/hosts
# WARNING: 'server' rDNS test failed: (0) No error.
# WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.



My Server is using a CF as HDD, so I don't want to cache on HDD ( I use 50% of avaible memory )


Everything seem to be okay, but I got this n my /var/log/squid/cache.log :

ERROR: No forward-proxy ports configured.


I've try to remove my iptables rule for redirect http -> 3128 and add manually in my webbrowser proxy and it seem to be good
but I prefer do it with a iptables rule for do it work without configuration

Maybe someone have idea ?


thanks
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum