Gentoo Forums
Squid Error : ERROR: No forward-proxy ports configured.
Forum Index :: Networking & Security
JujuBickoille (n00b)
Joined: 20 Apr 2010
Posts: 15

Posted: Thu Nov 29, 2012 8:29 pm    Post subject: Squid Error : ERROR: No forward-proxy ports configured.

Hi there,

I want to install a squid server on my Gentoo box and redirect dport http to squid.

It seems to be easy to do, but I get a strange message in my cache.log:

"kid1| ERROR: No forward-proxy ports configured."


My network:

  Wireless network      Ethernet network      VPN network
  192.168.122.0/24      192.168.101.0/24      10.8.0.0/24
  if: wifi              if: lan               if: tap0

  Gentoo box
  ip: wan   109.x.x.1
  ip: lan   192.168.101.1/24
  ip: wifi  192.168.122.1/24



My iptables script (I only use it to generate the rules; when it's okay I use /etc/init.d/iptables save):

#!/bin/bash

### Some Variables ###
ROUTER_IP=109.x.x.1
ROUTER_NET=109.x.x.0/24
SERV_IP=109.x.x.15

LAN_IP=192.168.101.1
LAN_NET=192.168.101.0/24

WIFI_IP=192.168.122.1
WIFI_NET=192.168.122.0/24

#Custom Ports
VPN_PORT=1194

BITTORENT_PORT=1337
BITTORENT_DST="192.168.101.100"

SQUID_PORT=3128

### Flush ###
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t filter -F
/sbin/iptables -t mangle -F
/sbin/iptables -X

### Set Default Policy to DROP ###
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP


# loopback accept
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

### INPUT POLICY ###

echo Enable SSH + log
iptables -N WAN_INPUT
iptables -A WAN_INPUT -p TCP --dport ssh -j LOG --log-prefix 'WAN_SSH '
iptables -A WAN_INPUT -p TCP --dport ssh -j ACCEPT

echo OpenVPN
iptables -A WAN_INPUT -p TCP --dport ${VPN_PORT} -j LOG --log-prefix "OpenVPN "
iptables -A WAN_INPUT -p TCP --dport ${VPN_PORT} -j ACCEPT

echo Log and Drop SERVER INPUT
iptables -A WAN_INPUT -j LOG --log-prefix 'WAN_INPUT_DROP '

# quoted: unquoted parentheses are a bash syntax error
echo "INPUT from LANs (Ethernet and Wireless)"
iptables -N LAN_INPUT
iptables -A LAN_INPUT -p UDP --dport domain -j ACCEPT
iptables -A LAN_INPUT -p TCP --dport 3128 -j ACCEPT
iptables -A LAN_INPUT -p TCP --dport ssh -j ACCEPT
iptables -A LAN_INPUT -p UDP --dport ntp -j ACCEPT

iptables -A LAN_INPUT -j LOG --log-prefix 'LAN_INPUT_DROP '

## Redirect new connections to the right chain
# Accept DHCP requests from Local
iptables -A INPUT -m conntrack --ctstate NEW ! -i wan -p UDP --dport bootps -j ACCEPT
# Incoming from wan
iptables -A INPUT -m conntrack --ctstate NEW -i wan -d ${SERV_IP}/32 -j WAN_INPUT
# Incoming from wireless and ethernet ( we don't open anything from VPN )
iptables -A INPUT -m conntrack --ctstate NEW -i lan -s ${LAN_NET} -j LAN_INPUT
iptables -A INPUT -m conntrack --ctstate NEW -i wifi -s ${WIFI_NET} -j LAN_INPUT
# We accept related / established
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# We log anything else (usually commented out)
iptables -A INPUT -j LOG --log-prefix 'INPUT_ALL_DROP '

### OUTPUT POLICY ###

iptables -N WAN_OUT
# I don't want the server to talk to its own subnet, except the router (not needed with a public IP)
iptables -A WAN_OUT ! -d ${ROUTER_NET} -j ACCEPT
iptables -A WAN_OUT -d ${ROUTER_IP} -j ACCEPT
# I log anything else
iptables -A WAN_OUT -j LOG --log-prefix 'WAN_OUT_DROP '

# Add all OUTPUT to the WAN_OUT chain
iptables -A OUTPUT -o wan -j WAN_OUT

### LAN_OUTPUT : not really interesting
iptables -N LAN_OUT
iptables -A LAN_OUT -d ${LAN_NET} -j ACCEPT
iptables -A LAN_OUT -j LOG --log-prefix 'LAN_OUT_DROP '

iptables -N WIFI_OUTPUT
iptables -A WIFI_OUTPUT -d ${WIFI_NET} -j ACCEPT
iptables -A WIFI_OUTPUT -j LOG --log-prefix 'WIFI_OUT_DROP '

iptables -A OUTPUT -o lan -j LAN_OUT
iptables -A OUTPUT -o wifi -j WIFI_OUTPUT

iptables -A OUTPUT -j LOG --log-prefix 'OUTPUT_ALL_DROP '


### NAT ###

# Permit internet forwards to the LAN networks (except from the wan subnet)
# as previously, I don't want the router to talk with the LANs
/sbin/iptables -A FORWARD -i wan ! -s ${ROUTER_NET} -o lan -d ${LAN_NET} -j ACCEPT
/sbin/iptables -A FORWARD -i wan ! -s ${ROUTER_NET} -o wifi -d ${WIFI_NET} -j ACCEPT
# and let the LANs go out via wan (but not to the router's subnet)
/sbin/iptables -A FORWARD -i lan -s ${LAN_NET} -o wan ! -d ${ROUTER_NET} -j ACCEPT
/sbin/iptables -A FORWARD -i wifi -s ${WIFI_NET} -o wan ! -d ${ROUTER_NET} -j ACCEPT

# This must stay disabled! we don't want wireless and ethernet to talk together
#/sbin/iptables -A FORWARD -i wifi -s 192.168.122.0/24 -o lan -d 192.168.101.0/24 -j ACCEPT
#/sbin/iptables -A FORWARD -o wifi -d 192.168.122.0/24 -i lan -s 192.168.101.0/24 -j ACCEPT

# We log what falls through
iptables -A FORWARD -j LOG --log-prefix 'FORWARD_DROP '

# Redirect BitTorrent to BITTORENT_DST
iptables -t nat -A PREROUTING -p tcp --dport ${BITTORENT_PORT} -i wan -j DNAT --to ${BITTORENT_DST}
iptables -t nat -A PREROUTING -p udp --dport ${BITTORENT_PORT} -i wan -j DNAT --to ${BITTORENT_DST}

# Redirect http traffic to squid
# the wifi rules match the wifi subnet (WIFI_NET), not LAN_NET, or they never fire
iptables -t nat -A PREROUTING -p tcp --dport http -i lan -s ${LAN_NET} -j REDIRECT --to-port ${SQUID_PORT}
iptables -t nat -A PREROUTING -p tcp --dport http -i wifi -s ${WIFI_NET} -j REDIRECT --to-port ${SQUID_PORT}

# Redirect LANs NTP traffic to the server
iptables -t nat -A PREROUTING -p udp --dport ntp -i lan -s ${LAN_NET} -j DNAT --to-destination ${LAN_IP}:123
iptables -t nat -A PREROUTING -p udp --dport ntp -i wifi -s ${WIFI_NET} -j DNAT --to-destination ${WIFI_IP}:123

# Redirect LANs DNS traffic to the server
iptables -t nat -A PREROUTING -p udp --dport domain -i lan -s ${LAN_NET} -j DNAT --to-destination ${LAN_IP}:53
iptables -t nat -A PREROUTING -p udp --dport domain -i wifi -s ${WIFI_NET} -j DNAT --to-destination ${WIFI_IP}:53


# Finally, SNAT the NATed traffic to the public IP - aka NAT to world
/sbin/iptables -t nat -A POSTROUTING -o wan -j SNAT --to ${SERV_IP}



There is nothing exceptional, I think.

Now this is my squid.conf:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 3128 intercept # I've try this too
http_port 3128 transparent
#http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


cache_mem 256 MB
half_closed_clients off
dns_nameservers 127.0.0.1 # I'm using my local dnsmasq DNS server

visible_hostname 145.x.x.109.x.x.net # I get a warning if I don't set it :X (or maybe I should add it to /etc/hosts)
# WARNING: 'server' rDNS test failed: (0) No error.
# WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.



My server uses a CF card as HDD, so I don't want to cache on disk (I use 50% of the available memory).


Everything seems to be okay, but I get this in my /var/log/squid/cache.log:

ERROR: No forward-proxy ports configured.


I've tried removing my iptables rule that redirects http -> 3128 and setting the proxy manually in my web browser, and that seems to work,
but I prefer to do it with an iptables rule so that it works without configuration.

Maybe someone has an idea?


thanks