Squid Error : ERROR: No forward-proxy ports configured.
Post by JujuBickoille » Thu Nov 29, 2012 8:29 pm

Hi there,

I want to install a Squid server on my Gentoo box and redirect dport http to Squid.

It seems easy to do, but I get a strange message in my cache.log:

"kid1| ERROR: No forward-proxy ports configured."


My network:

  Wireless Network        Ethernet Network        VPN Network
  192.168.122.0/24        192.168.101.0/24        10.8.0.0/24
  if: wifi                if: lan                 if: tap0

  Gentoo's Box
  ip: wan  109.x.x.1
  ip: lan  192.168.101.1/24
  ip: wifi 192.168.122.1/24



My iptables script (I only use it to generate the rules; once it is OK I run /etc/init.d/iptables save):

#!/bin/bash

### Some Variables ###
ROUTER_IP=109.x.x.1
ROUTER_NET=109.x.x.0/24
SERV_IP=109.x.x.15

LAN_IP=192.168.101.1
LAN_NET=192.168.101.0/24

WIFI_IP=192.168.122.1
WIFI_NET=192.168.122.0/24

#Custom Ports
VPN_PORT=1194

BITTORENT_PORT=1337
BITTORENT_DST="192.168.101.100"

SQUID_PORT=3128

### Flush ###
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t filter -F
/sbin/iptables -t mangle -F
/sbin/iptables -X

### Set Default Policy to DROP ###
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP


# loopback accept
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

### INPUT POLICY ###

echo Enable SSH + log
iptables -N WAN_INPUT
iptables -A WAN_INPUT -p TCP --dport ssh -j LOG --log-prefix 'WAN_SSH '
iptables -A WAN_INPUT -p TCP --dport ssh -j ACCEPT

echo OpenVPN
iptables -A WAN_INPUT -p TCP --dport ${VPN_PORT} -j LOG --log-prefix "OpenVPN "
iptables -A WAN_INPUT -p TCP --dport ${VPN_PORT} -j ACCEPT

echo Log and Drop SERVER INPUT
iptables -A WAN_INPUT -j LOG --log-prefix 'WAN_INPUT_DROP '

echo "INPUT from LANs (Ethernet and Wireless)"
iptables -N LAN_INPUT
iptables -A LAN_INPUT -p UDP --dport domain -j ACCEPT
iptables -A LAN_INPUT -p TCP --dport 3128 -j ACCEPT
iptables -A LAN_INPUT -p TCP --dport ssh -j ACCEPT
iptables -A LAN_INPUT -p UDP --dport ntp -j ACCEPT

iptables -A LAN_INPUT -j LOG --log-prefix 'LAN_INPUT_DROP '

## Send new connections to the right chain
# Accept DHCP requests from local interfaces
iptables -A INPUT -m conntrack --ctstate NEW ! -i wan -p UDP --dport bootps -j ACCEPT
# Incoming from wan
iptables -A INPUT -m conntrack --ctstate NEW -i wan -d ${SERV_IP}/32 -j WAN_INPUT
# Incoming from wireless and ethernet (we don't open anything from the VPN)
iptables -A INPUT -m conntrack --ctstate NEW -i lan -s ${LAN_NET} -j LAN_INPUT
iptables -A INPUT -m conntrack --ctstate NEW -i wifi -s ${WIFI_NET} -j LAN_INPUT
# We accept related / established
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Log everything else (usually commented out)
iptables -A INPUT -j LOG --log-prefix 'INPUT_ALL_DROP '

### OUTPUT POLICY ###

iptables -N WAN_OUT
# I don't want the server to talk to its own subnet, except the router (not needed with a public IP)
iptables -A WAN_OUT ! -d ${ROUTER_NET} -j ACCEPT
iptables -A WAN_OUT -d ${ROUTER_IP} -j ACCEPT
# Log anything else
iptables -A WAN_OUT -j LOG --log-prefix 'WAN_OUT_DROP '

# Add all OUTPUT to the WAN_OUT chain
iptables -A OUTPUT -o wan -j WAN_OUT

### LAN_OUTPUT : not really interesting
iptables -N LAN_OUT
iptables -A LAN_OUT -d ${LAN_NET} -j ACCEPT
iptables -A LAN_OUT -j LOG --log-prefix 'LAN_OUT_DROP '

iptables -N WIFI_OUTPUT
iptables -A WIFI_OUTPUT -d ${WIFI_NET} -j ACCEPT
iptables -A WIFI_OUTPUT -j LOG --log-prefix 'WIFI_OUT_DROP '

iptables -A OUTPUT -o lan -j LAN_OUT
iptables -A OUTPUT -o wifi -j WIFI_OUTPUT

iptables -A OUTPUT -j LOG --log-prefix 'OUTPUT_ALL_DROP '


### NAT ###

# Permit forwarding from the internet to the LAN networks (except for the wan network)
# As before, I don't want the router talking to the LANs
/sbin/iptables -A FORWARD -i wan ! -s ${ROUTER_NET} -o lan -d ${LAN_NET} -j ACCEPT
/sbin/iptables -A FORWARD -i wan ! -s ${ROUTER_NET} -o wifi -d ${WIFI_NET} -j ACCEPT
# and LANs talk with wan router
/sbin/iptables -A FORWARD -i lan -s ${LAN_NET} -o wan ! -d ${ROUTER_NET} -j ACCEPT
/sbin/iptables -A FORWARD -i wifi -s ${WIFI_NET} -o wan ! -d ${ROUTER_NET} -j ACCEPT

# This must stay disabled! We don't want wireless and ethernet to talk to each other
#/sbin/iptables -A FORWARD -i wifi -s 192.168.122.0/24 -o lan -d 192.168.101.0/24 -j ACCEPT
#/sbin/iptables -A FORWARD -o wifi -d 192.168.122.0/24 -i lan -s 192.168.101.0/24 -j ACCEPT

# Log anything that was not forwarded
iptables -A FORWARD -j LOG --log-prefix 'FORWARD_DROP '

# Redirect BitTorrent to BITTORENT_DST
iptables -t nat -A PREROUTING -p tcp --dport ${BITTORENT_PORT} -i wan -j DNAT --to ${BITTORENT_DST}
iptables -t nat -A PREROUTING -p udp --dport ${BITTORENT_PORT} -i wan -j DNAT --to ${BITTORENT_DST}

# Redirect HTTP traffic to Squid (REDIRECT rewrites the destination to this host's
# address on the given interface, so the packet ends up in INPUT, not FORWARD)
iptables -t nat -A PREROUTING -p tcp --dport http -i lan -s ${LAN_NET} -j REDIRECT --to-port ${SQUID_PORT}
# Bug fix: the wifi rule must match the wifi subnet, not ${LAN_NET}
iptables -t nat -A PREROUTING -p tcp --dport http -i wifi -s ${WIFI_NET} -j REDIRECT --to-port ${SQUID_PORT}

# Redirect LAN NTP traffic to the server
iptables -t nat -A PREROUTING -p udp --dport ntp -i lan -s ${LAN_NET} -j DNAT --to-destination ${LAN_IP}:123
# Bug fix: match the wifi subnet on the wifi interface
iptables -t nat -A PREROUTING -p udp --dport ntp -i wifi -s ${WIFI_NET} -j DNAT --to-destination ${WIFI_IP}:123

# Redirect LAN DNS traffic to the server
iptables -t nat -A PREROUTING -p udp --dport domain -i lan -s ${LAN_NET} -j DNAT --to-destination ${LAN_IP}:53
# Bug fix: match the wifi subnet on the wifi interface
iptables -t nat -A PREROUTING -p udp --dport domain -i wifi -s ${WIFI_NET} -j DNAT --to-destination ${WIFI_IP}:53


# Finally, SNAT forwarded traffic with the public IP - aka NAT to the world
/sbin/iptables -t nat -A POSTROUTING -o wan -j SNAT --to ${SERV_IP}



Nothing exceptional there, I think.

Now this is my squid.conf:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 3128 intercept # I've tried this too
http_port 3128 transparent
#http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


cache_mem 256 MB
half_closed_clients off
dns_nameservers 127.0.0.1 # I'm using my local dnsmasq DNS server

visible_hostname 145.x.x.109.x.x.net # I get a warning if I don't set it :X (or maybe add it to /etc/hosts)
# WARNING: 'server' rDNS test failed: (0) No error.
# WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.



My server uses a CF card as its HDD, so I don't want to cache on disk (I use 50% of the available memory).


Everything seems to be OK, but I get this in my /var/log/squid/cache.log:

ERROR: No forward-proxy ports configured.


I've tried removing my iptables rule that redirects http -> 3128 and setting the proxy manually in my web browser, and that seems to work,
but I'd prefer to do it with an iptables rule so it works without any client configuration.

Maybe someone has an idea?


Thanks
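The following is an added example, not code from the original post or from the Squid project. It shows the condition behind that cache.log line and the corrected configuration next to the posted one: Squid 3.2 and later require at least one http_port that is a plain forward-proxy port (no intercept, tproxy, transparent or accel flag), which Squid uses internally even when all client traffic is intercepted. The posted squid.conf has only `http_port 3128 transparent`, so the check fails. The script below contains a small pre-flight check that applies Squid's rule to a squid.conf, writes both the broken and the fixed config as constructed samples, and prints the matching iptables rules using the variable and interface names from the post. Port 3129 for the intercept listener, binding the forward port to 127.0.0.1 so the LANs cannot use the box as an explicit proxy, and the temporary file paths are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Splits Squid's listening ports into
# a forward-proxy port and an intercept port, checks a squid.conf for the condition
# behind "ERROR: No forward-proxy ports configured.", and prints the iptables rules.
# Assumptions: intercept port 3129, forward port bound to loopback, paths from mktemp.

# Squid's rule (3.2+): at least one http_port must carry none of the mode flags
# intercept / tproxy / transparent / accel. Trailing "# ..." comments are stripped
# the way Squid's parser does. Returns 0 if such a port exists, 1 otherwise.
has_forward_port() {
  conf="$1"
  sed -e 's/[[:space:]]*#.*$//' "$conf" |
    awk '$1 == "http_port" {
           fwd = 1
           for (i = 3; i <= NF; i++)
             if ($i ~ /^(intercept|tproxy|transparent|accel)$/) fwd = 0
           if (fwd) found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Constructed sample mirroring the posted config: only an intercept port.
write_broken_conf() {
  cat > "$1" <<'EOF'
http_port 3128 transparent
http_access allow localnet
EOF
}

# Corrected form: a forward port for Squid's own use, reachable only on loopback,
# plus a separate intercept port that the iptables REDIRECT points at.
write_fixed_conf() {
  cat > "$1" <<'EOF'
http_port 127.0.0.1:3128          # forward-proxy port, internal use only
http_port 3129 intercept          # target of the iptables REDIRECT
http_access allow localnet
EOF
}

# Firewall side, in the post's own variable names: open only the intercept port to
# the LANs and redirect port 80 from each LAN subnet on its own interface.
# The rules are printed, not applied.
print_iptables_rules() {
  intercept_port="$1"
  cat <<EOF
iptables -A LAN_INPUT -p tcp --dport ${intercept_port} -j ACCEPT
iptables -t nat -A PREROUTING -i lan  -s \${LAN_NET}  -p tcp --dport http -j REDIRECT --to-port ${intercept_port}
iptables -t nat -A PREROUTING -i wifi -s \${WIFI_NET} -p tcp --dport http -j REDIRECT --to-port ${intercept_port}
EOF
}

# Run the check against both constructed configs and show the rules.
demo() {
  tmp=$(mktemp -d)
  write_broken_conf "$tmp/broken.conf"
  write_fixed_conf "$tmp/fixed.conf"
  if has_forward_port "$tmp/broken.conf"; then
    echo "broken.conf: has a forward-proxy port"
  else
    echo "broken.conf: no forward-proxy port (Squid will log the ERROR)"
  fi
  if has_forward_port "$tmp/fixed.conf"; then
    echo "fixed.conf: has a forward-proxy port"
  else
    echo "fixed.conf: no forward-proxy port"
  fi
  print_iptables_rules 3129
  rm -rf "$tmp"
}

demo
```

With the forward port on loopback the `LAN_INPUT` rule for 3128 in the posted script is no longer needed, and the `http_access` ACLs still apply to the intercepted traffic on 3129. The redirect keeps `-s ${WIFI_NET}` on the wifi interface, since matching `${LAN_NET}` there would leave wireless clients unredirected.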