Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Iptables+squid+https+adls=problem
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
mungo_k
n00b
n00b


Joined: 01 Jun 2009
Posts: 42

PostPosted: Tue Feb 19, 2013 7:36 am    Post subject: Iptables+squid+https+adls=problem Reply with quote

Problem: cannot connect to gmail. I think this is because my router on gentoo works with adsl modem (MTU size 1400, 1500 on lan).
I read http://www.gentoo.org/doc/en/home-router-howto.xml and just copy all instructions.
When I set proxy in my browser to squid port 3128, it works.
But works only in squid 3.1. In 3.2 squid fails to start with my config.

Any help?
Back to top
View user's profile Send private message
truc
Advocate
Advocate


Joined: 25 Jul 2005
Posts: 3199

PostPosted: Tue Feb 19, 2013 2:38 pm    Post subject: Reply with quote

How do you want us to help you? What are the errors? Check the log!

Also, for PMTU, be sure not to filter excessively ICMP messages.
_________________
The End of the Internet!
Back to top
View user's profile Send private message
666threesixes666
Veteran
Veteran


Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

PostPosted: Tue Feb 19, 2013 3:19 pm    Post subject: Reply with quote

i just populated some squid stuff on wiki.gentoo.org.... can you get gmail with out squid?

maybe

Code:

dig gmail.com

then
Code:

dig google.com


im getting it fine with manual browser proxy configuration 127.0.0.1:3128 for all protocols.

i did no editing to /etc/squid/squid.conf.....

if those fail, try on the actual server to turn iptables off and then re dig both if that fails, turn squid and ip tables off.... basically dial down the complexity of your problem, then start to dial it up again to find your point of failure.
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Tue Feb 19, 2013 6:01 pm    Post subject: Re: Iptables+squid+https+adls=problem Reply with quote

mungo_k wrote:
cannot connect to gmail

Maybe the current openssl connection bug.
Back to top
View user's profile Send private message
mungo_k
n00b
n00b


Joined: 01 Jun 2009
Posts: 42

PostPosted: Wed Feb 20, 2013 5:57 am    Post subject: Reply with quote

About squid: with default config (comes with new squid) it just report to user with proxy set that it cannot show the page due to permissions. When proxy in browser doesn't set, it works for http.
Old config in 3.2 not work at all. Squid can't start, say, "manager already set". My squid.conf was 200 kb due to comments. Well, clear version:
Code:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com # multiling http
acl wuCONNECT dstdomain sls.microsoft.com # SWAT
acl hlv dstdomain "/etc/squid/gs.txt"
acl   GoodComps src "/etc/squid/gc.txt"

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow CONNECT wuCONNECT localnet

http_access allow windowsupdate localnet

http_access allow hlv
http_access allow GoodComps
http_access deny all

icp_access allow localnet
icp_access deny all

http_port 3128 transparent

https_port 3128 transparent key=/etc/squid/key.pem cert=/etc/squid/certificate.pem

hierarchy_stoplist cgi-bin ?

cache_mem 1 GB

cache_dir ufs /var/cache/squid 8192 16 256

maximum_object_size 512 MB

coredump_dir /var/cache/squid

url_rewrite_program /usr/bin/squidGuard

url_rewrite_children 15

url_rewrite_access deny localhost
url_rewrite_access deny SSL_ports

refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
refresh_pattern .      0   20%   4320

quick_abort_min -1 KB

range_offset_limit -1

And of course iptables rules:
Code:
# Generated by iptables-save v1.4.16.3 on Tue Feb 19 17:30:42 2013
*mangle
:PREROUTING ACCEPT [2085892933:1332602786724]
:INPUT ACCEPT [1055375193:702204536694]
:FORWARD ACCEPT [1029724121:630203068655]
:OUTPUT ACCEPT [1214883374:537016737047]
:POSTROUTING ACCEPT [2194084094:1164799323692]
COMMIT
# Completed on Tue Feb 19 17:30:42 2013
# Generated by iptables-save v1.4.16.3 on Tue Feb 19 17:30:42 2013
*nat
:PREROUTING ACCEPT [123368:9283729]
:INPUT ACCEPT [95312:5939063]
:OUTPUT ACCEPT [33085:2190534]
:POSTROUTING ACCEPT [903:78442]
:MINIUPNPD - [0:0]
[15564:764440] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[75644:6208874] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Feb 19 17:30:42 2013
# Generated by iptables-save v1.4.16.3 on Tue Feb 19 17:30:42 2013
*filter
:INPUT ACCEPT [5123341:4527601844]
:FORWARD DROP [114:5512]
:OUTPUT ACCEPT [5968890:1619465226]
:MINIUPNPD - [0:0]
[9424:1673166] -A INPUT -i lo -j ACCEPT
[404579:57419526] -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 21,22,80,443,1723,3128,10000 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 25,53,110,587,993,5190 -j ACCEPT
[5887:367969] -A INPUT -i eth0 -p udp -m udp -m multiport --dports 53,123 -j ACCEPT
[3:168] -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j DROP
[0:0] -A INPUT -i ppp0 -p tcp -m tcp -m multiport --dports 137,138,139 -j DROP
[0:0] -A INPUT -i ppp0 -p udp -m udp -m multiport --dports 137,138,139 -j DROP
[0:0] -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP
[2417885:561406042] -A FORWARD -s 192.168.1.21/32 -i eth0 -j ACCEPT
[3545280:3070218779] -A FORWARD -d 192.168.1.0/24 -i ppp+ -j ACCEPT
[314262:15057257] -A FORWARD -s 192.168.1.32/32 -i eth0 -j ACCEPT
[12794:960244] -A FORWARD -s 192.168.1.19/32 -i eth0 -j ACCEPT
[5321:479643] -A FORWARD -s 192.168.1.25/32 -i eth0 -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.35/32 -i eth0 -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.5/32 -i eth0 -j ACCEPT
[7391:480286] -A FORWARD -s 192.168.1.2/32 -i eth0 -j ACCEPT
[1062:77458] -A FORWARD -i eth0 -o ppp0 -p tcp -m tcp -m multiport --dports 123,5190 -j ACCEPT
[4:304] -A FORWARD -i eth0 -o ppp0 -p udp -m udp -m multiport --dports 123,5190 -j ACCEPT
[447:182924] -A FORWARD -s 192.168.1.3/32 -i eth0 -j ACCEPT
[552:39598] -A FORWARD -s 192.168.1.18/32 -i eth0 -j ACCEPT
[248:37429] -A FORWARD -s 192.168.1.64/26 -i eth0 -j ACCEPT
[566:27793] -A FORWARD -s 192.168.1.27/32 -i eth0 -j ACCEPT
[107:12197] -A FORWARD -s 192.168.1.29/32 -i eth0 -j ACCEPT
[3527:366668] -A FORWARD -s 192.168.1.14/32 -i eth0 -j ACCEPT
[12708:1808586] -A FORWARD -s 192.168.1.30/32 -i eth0 -j ACCEPT
[23:1016] -A FORWARD -s 192.168.1.15/32 -i eth0 -j ACCEPT
[4234:396860] -A FORWARD -s 192.168.1.8/32 -i eth0 -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.12/32 -i eth0 -j ACCEPT
[173:12652] -A FORWARD -s 192.168.1.6/32 -i eth0 -j ACCEPT
[8758:673910] -A FORWARD -s 192.168.1.28/32 -i eth0 -j ACCEPT
COMMIT
# Completed on Tue Feb 19 17:30:42 2013
Back to top
View user's profile Send private message
mungo_k
n00b
n00b


Joined: 01 Jun 2009
Posts: 42

PostPosted: Tue Feb 26, 2013 5:55 am    Post subject: Reply with quote

Can anyone help me with?
Back to top
View user's profile Send private message
truc
Advocate
Advocate


Joined: 25 Jul 2005
Posts: 3199

PostPosted: Tue Feb 26, 2013 9:46 am    Post subject: Reply with quote

add a log target and monitor your firewall log.


Also, does it work from the router? (you can use use ssh -D9999 router, from a host on your LAN, then from your browser try to go to gmail using the socks proxy localhost:9999


Oh, just notice you have a transparent proxy configured, does the problem also happen when you configure your browser to use(explicitely!) this proxy?
_________________
The End of the Internet!
Back to top
View user's profile Send private message
mungo_k
n00b
n00b


Joined: 01 Jun 2009
Posts: 42

PostPosted: Wed Feb 27, 2013 2:04 pm    Post subject: Reply with quote

From server it works ok in any case - gmail opens easy.
The problem is only when browser on client machine is NOT configured to use proxy.
Back to top
View user's profile Send private message
truc
Advocate
Advocate


Joined: 25 Jul 2005
Posts: 3199

PostPosted: Wed Feb 27, 2013 10:47 pm    Post subject: Reply with quote

Then, it's probably as you say in the beginning, something related to the MTU and the MSS, first, this should not happen if ICMP is not blindly dropped, but the problem might not come from your firewall(but check it anyway!), in that case, check iptables manual or the net for how to use the --clamp-mss-to-mtu, this should fix your problem hopefully!
_________________
The End of the Internet!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum