mungo_k n00b
Joined: 01 Jun 2009 Posts: 42
Posted: Tue Feb 19, 2013 7:36 am Post subject: Iptables+squid+https+adls=problem
Problem: cannot connect to gmail. I think this is because my router on gentoo works with an adsl modem (MTU size 1400, 1500 on lan).
I read http://www.gentoo.org/doc/en/home-router-howto.xml and just copied all the instructions.
When I set the proxy in my browser to squid port 3128, it works.
But it works only in squid 3.1. In 3.2 squid fails to start with my config.
Any help?
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Tue Feb 19, 2013 2:38 pm Post subject:
How do you want us to help you? What are the errors? Check the log!
Also, for PMTU, be sure not to filter ICMP messages excessively.
_________________ The End of the Internet!
666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Tue Feb 19, 2013 3:19 pm Post subject:
I just populated some squid stuff on wiki.gentoo.org.... can you get gmail without squid?
maybe
then
I'm getting it fine with manual browser proxy configuration 127.0.0.1:3128 for all protocols.
I did no editing to /etc/squid/squid.conf.....
If those fail, try on the actual server to turn iptables off and then re-dig both; if that fails, turn squid and iptables off.... basically dial down the complexity of your problem, then start to dial it up again to find your point of failure.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Tue Feb 19, 2013 6:01 pm Post subject: Re: Iptables+squid+https+adls=problem
mungo_k wrote:
    cannot connect to gmail
Maybe the current openssl connection bug.
mungo_k n00b
Joined: 01 Jun 2009 Posts: 42
Posted: Wed Feb 20, 2013 5:57 am Post subject:
About squid: with the default config (the one that comes with the new squid) it just reports to a user with the proxy set that it cannot show the page due to permissions. When the proxy in the browser isn't set, it works for http.
The old config does not work at all in 3.2. Squid can't start; it says "manager already set". My squid.conf was 200 kb due to comments. Well, the cleaned-up version:
Code:
acl manager proto cache_object # built in since squid 3.2; redefining it is what 3.2 rejects
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com # windows update hosts allowed through CONNECT
acl wuCONNECT dstdomain sls.microsoft.com
acl hlv dstdomain "/etc/squid/gs.txt"
acl GoodComps src "/etc/squid/gc.txt"
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
http_access allow hlv
http_access allow GoodComps
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
https_port 3128 transparent key=/etc/squid/key.pem cert=/etc/squid/certificate.pem
hierarchy_stoplist cgi-bin ?
cache_mem 1 GB
cache_dir ufs /var/cache/squid 8192 16 256
maximum_object_size 512 MB
coredump_dir /var/cache/squid
url_rewrite_program /usr/bin/squidGuard
url_rewrite_children 15
url_rewrite_access deny localhost
url_rewrite_access deny SSL_ports
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min -1 KB
range_offset_limit -1
And of course iptables rules:
Code:
# Generated by iptables-save v1.4.16.3 on Tue Feb 19 17:30:42 2013
*mangle
:PREROUTING ACCEPT [2085892933:1332602786724]
:INPUT ACCEPT [1055375193:702204536694]
:FORWARD ACCEPT [1029724121:630203068655]
:OUTPUT ACCEPT [1214883374:537016737047]
:POSTROUTING ACCEPT [2194084094:1164799323692]
COMMIT
# Completed on Tue Feb 19 17:30:42 2013
# Generated by iptables-save v1.4.16.3 on Tue Feb 19 17:30:42 2013
*nat
:PREROUTING ACCEPT [123368:9283729]
:INPUT ACCEPT [95312:5939063]
:OUTPUT ACCEPT [33085:2190534]
:POSTROUTING ACCEPT [903:78442]
:MINIUPNPD - [0:0]
[15564:764440] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[75644:6208874] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Feb 19 17:30:42 2013
# Generated by iptables-save v1.4.16.3 on Tue Feb 19 17:30:42 2013
*filter
:INPUT ACCEPT [5123341:4527601844]
:FORWARD DROP [114:5512]
:OUTPUT ACCEPT [5968890:1619465226]
:MINIUPNPD - [0:0]
[9424:1673166] -A INPUT -i lo -j ACCEPT
[404579:57419526] -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 21,22,80,443,1723,3128,10000 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 25,53,110,587,993,5190 -j ACCEPT
[5887:367969] -A INPUT -i eth0 -p udp -m udp -m multiport --dports 53,123 -j ACCEPT
[3:168] -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j DROP
[0:0] -A INPUT -i ppp0 -p tcp -m tcp -m multiport --dports 137,138,139 -j DROP
[0:0] -A INPUT -i ppp0 -p udp -m udp -m multiport --dports 137,138,139 -j DROP
[0:0] -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP
[2417885:561406042] -A FORWARD -s 192.168.1.21/32 -i eth0 -j ACCEPT
[3545280:3070218779] -A FORWARD -d 192.168.1.0/24 -i ppp+ -j ACCEPT
[314262:15057257] -A FORWARD -s 192.168.1.32/32 -i eth0 -j ACCEPT
[12794:960244] -A FORWARD -s 192.168.1.19/32 -i eth0 -j ACCEPT
[5321:479643] -A FORWARD -s 192.168.1.25/32 -i eth0 -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.35/32 -i eth0 -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.5/32 -i eth0 -j ACCEPT
[7391:480286] -A FORWARD -s 192.168.1.2/32 -i eth0 -j ACCEPT
[1062:77458] -A FORWARD -i eth0 -o ppp0 -p tcp -m tcp -m multiport --dports 123,5190 -j ACCEPT
[4:304] -A FORWARD -i eth0 -o ppp0 -p udp -m udp -m multiport --dports 123,5190 -j ACCEPT
[447:182924] -A FORWARD -s 192.168.1.3/32 -i eth0 -j ACCEPT
[552:39598] -A FORWARD -s 192.168.1.18/32 -i eth0 -j ACCEPT
[248:37429] -A FORWARD -s 192.168.1.64/26 -i eth0 -j ACCEPT
[566:27793] -A FORWARD -s 192.168.1.27/32 -i eth0 -j ACCEPT
[107:12197] -A FORWARD -s 192.168.1.29/32 -i eth0 -j ACCEPT
[3527:366668] -A FORWARD -s 192.168.1.14/32 -i eth0 -j ACCEPT
[12708:1808586] -A FORWARD -s 192.168.1.30/32 -i eth0 -j ACCEPT
[23:1016] -A FORWARD -s 192.168.1.15/32 -i eth0 -j ACCEPT
[4234:396860] -A FORWARD -s 192.168.1.8/32 -i eth0 -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.12/32 -i eth0 -j ACCEPT
[173:12652] -A FORWARD -s 192.168.1.6/32 -i eth0 -j ACCEPT
[8758:673910] -A FORWARD -s 192.168.1.28/32 -i eth0 -j ACCEPT
COMMIT
# Completed on Tue Feb 19 17:30:42 2013
mungo_k n00b
Joined: 01 Jun 2009 Posts: 42
Posted: Tue Feb 26, 2013 5:55 am Post subject:
Can anyone help me with this?
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Tue Feb 26, 2013 9:46 am Post subject:
Add a log target and monitor your firewall log.
Also, does it work from the router? (You can use ssh -D9999 router from a host on your LAN, then from your browser try to go to gmail using the socks proxy localhost:9999.)
Oh, just noticed you have a transparent proxy configured; does the problem also happen when you configure your browser to use (explicitly!) this proxy?
_________________ The End of the Internet!
mungo_k n00b
Joined: 01 Jun 2009 Posts: 42
Posted: Wed Feb 27, 2013 2:04 pm Post subject:
From the server it works ok in any case - gmail opens easily.
The problem is only when the browser on the client machine is NOT configured to use the proxy.
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Wed Feb 27, 2013 10:47 pm Post subject:
Then it's probably as you said in the beginning, something related to the MTU and the MSS. First, this should not happen if ICMP is not blindly dropped, but the problem might not come from your firewall (check it anyway!). In that case, check the iptables manual or the net for how to use --clamp-mss-to-mtu; this should fix your problem, hopefully!
_________________ The End of the Internet!
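As an added check (not code from the thread or from squid/iptables), the following Python parses an iptables-save dump in the format posted above and reports the three conditions the replies turn on: whether port 443 is redirected to squid at all (the posted nat rules only intercept port 80, so HTTPS to gmail is masqueraded straight out over the 1400-byte ppp0 link), whether an MSS clamp exists on that link (the TCPMSS option is spelled --clamp-mss-to-pmtu), and whether a DROP-policy FORWARD chain still accepts ICMP from the WAN. The trimmed sample ruleset is constructed from the dump above, and the interface and port names are assumptions taken from it.

```python
import re
import shlex

# Constructed sample: a trimmed copy of the nat and filter tables posted in the thread.
SAMPLE = """*nat
[15564:764440] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[75644:6208874] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [114:5512]
-A FORWARD -d 192.168.1.0/24 -i ppp+ -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return {table: ({chain: policy}, [(chain, argv), ...])}; counters and comments dropped."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", line.strip())  # strip iptables-save -c counters
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":
            table = tables.setdefault(line[1:], ({}, []))
        elif line[0] == ":":
            chain, policy = line[1:].split()[:2]
            table[0][chain] = policy
        else:
            argv = shlex.split(line)
            table[1].append((argv[argv.index("-A") + 1], argv))
    return tables

def opt(argv, flag):  # value following a flag, or None when the rule lacks it
    return argv[argv.index(flag) + 1] if flag in argv else None
def iface_matches(pattern, name):  # iptables '+' wildcard: 'ppp+' matches 'ppp0'
    return pattern == name or (pattern.endswith("+") and name.startswith(pattern[:-1]))

def audit(dump, wan="ppp0", proxy_port="3128"):
    """Return finding tags for the dump; an empty list means none of the three conditions holds."""
    t, findings = parse(dump), []
    rules = lambda name: t.get(name, ({}, []))[1]
    if not any(opt(a, "-j") == "REDIRECT" and opt(a, "--to-ports") == proxy_port
               and opt(a, "--dport") == "443" for _, a in rules("nat")):
        findings.append("https_bypasses_proxy")  # only :80 is intercepted; :443 is just masqueraded out
    if not any(opt(a, "-j") == "TCPMSS" and "--clamp-mss-to-pmtu" in a and opt(a, "-o") == wan
               for _, a in rules("mangle")):
        findings.append("no_mss_clamp_on_" + wan)  # 1500-byte LAN segments meet the 1400-byte link
    if t.get("filter", ({}, []))[0].get("FORWARD") == "DROP" and not any(
            c == "FORWARD" and opt(a, "-j") == "ACCEPT" and opt(a, "-p") in (None, "icmp")
            and iface_matches(opt(a, "-i") or "+", wan) for c, a in rules("filter")):
        findings.append("icmp_from_wan_dropped")  # 'fragmentation needed' never reaches the LAN
    return findings
```

Adding truc's clamp rule to the mangle table (`iptables -t mangle -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`) makes the second finding disappear.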