I am trying to build transparent proxy with squid on OpenBSD 5.7 with pf firewall.
I compile squid from source with below options:
$ squid -v
Squid Cache: Version **3.4.13**
configure options:
--prefix=/usr/local/squid
--with-default-user=squid
--enable-icmp
--enable-storeio=ufs,aufs
--enable-removal-policies=lru,heap
--disable-snmp
--disable-wccp
--disable-wccpv2
--enable-pf-transparent
--enable-ipv6
--enable-referer-log
--with-nat-devpf
--enable-debug-cbdata
--enable-useragent-log
--enable-refererlog
--enable-cache-digests
--with-large-files
--with-pthreads
--without-mit-krb5
--without-heimdal-krb5
--without-gnugss
--disable-eui
--disable-auth
--enable-ltdl-convenience
$ uname -a
OpenBSD dns.localdomain 5.7 GENERIC#825 amd64
My squid.conf:
visible_hostname dns.local
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# allow
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 127.0.0.1:3129 intercept
# disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Enabled gateway to connect Internet:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
pf.conf:
int_if = "vic1"
ext_if = "vic0"
lan_net = "192.168.1.0/24"
# Settings
set block-policy return
set loginterface egress
set skip on lo
# NAT
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass in quick log on $ext_if inet proto tcp from 192.168.1.0/24 to port www divert-to 127.0.0.1 port 3129
pass out quick log inet from 192.168.1.0/24 divert-reply
#
# Rules
#
block all
# allow dns
pass quick on {$int_if, $ext_if} inet proto udp from {self, $lan_net} to any port 53
# allow local access to web
pass quick on $ext_if inet proto tcp from {self} to any port 80
# allow icmp
pass quick on $int_if inet proto icmp from $lan_net to any
# allow ssh from $ext_if
pass quick on $ext_if inet proto tcp from any to ($ext_if) port 22
I think problem in pf rule. Because pf can not divert packet to port 3129? I've tested with command:
nc -l 3129
but it didn't response any HTTP header.
The rule in Squid wiki can not apply to pf because syntax error.
Thank You in advance
Maybe you mean $int_if instead of $ext_if on this rule? :
pass in quick log on $ext_if inet proto tcp from 192.168.1.0/24 to port www divert-to 127.0.0.1 port 3129
As I understand, you want to divert traffic comming from internal network to local port 3129.
Related
I want to create a Private network in google compute platform where I will be able to enter only using a vpn.
So, I create a machine in GCE and I install openvpn. This machine has an static IP, the ssh port open and the default network configuration from GCE.
Then, I create a second machine (call it MachineA) , in the same network, but without external IP.
Then I create the route rule in order to redirect traffic from vpn-machine to another internal instances.
I'm able to connect from my machine to the vpn.
I'm able to ping to vpn machine.
I'm able to ping to MachineA.
I'm able to ssh to vpn machine.
I'm able to ssh to MachineA.
but...
When I connect to ssh vpn machine and run gsutil it works, also ping to 8.8.8.8
When I connect to ssh MachineA and run gstult or ping 8.8.8.8 does not work.
Any Idea what Im doing wrong ?
Some information
from VPN-machine
xxx#dev-vpn:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.240.10.1 0.0.0.0 UG 0 0 0 eth0
10.16.0.0 10.16.0.2 255.255.255.0 UG 0 0 0 tun0
10.16.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.240.10.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
xxx#dev-vpn:~$ traceroute 10.240.10.3
traceroute to 10.240.10.3 (10.240.10.3), 30 hops max, 60 byte packets
1 * * instance-1.c.project.internal (10.240.10.3) 1.188 ms
from MachineA
traceroute to 10.240.10.2 (10.240.10.2), 30 hops max, 60 byte packets
1 * * *
2 * * dev-vpn.c.project.internal (10.240.10.2) 0.899 ms
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.240.10.1 0.0.0.0 UG 0 0 0 eth0
10.240.10.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
In google networking I add this rule
vpn-routing 10.16.0.0/24 1001 None dev-vpn (Zone us-central1-a)
I have a working system that does this. The innovation I made was to add an alias IP range and make the OpenVPN server use that Google IP range.
So for a router instance, that has an external IP address and will run the OpenVPN server on GCE, you need to create the instance with just one interface and a small IP Alias range. This would then permit IP forwarding from the main interface to the small Alias range. Let's say you are on default network 10.156.0.10/20 and you have added an Alias range of 10.156.1.0/28, you then add as the server line in your OpenVPN server configuration: server 10.156.1.1.
So the tun0 interface of OpenVPN (server-side) will come up on 10.156.1.1 and the tunnel endpoint on 10.156.1.2.
You have to push the routes to the OpenVPN clients (so push 10.156.0.0/20 in the server configuration). You will also need iroute statements in the server's ccd/client.
Here's an excerpt from the OpenVPN server's configuration file:
server 10.156.1.0 255.255.255.240
push "route 10.156.0.0 255.255.240.0"
push "route 10.164.0.0 255.255.240.0"
push "route 10.132.0.0 255.255.240.0"
route 192.168.127.0 255.255.255.0
If your site network is 192.168.127.0/24 and you use 3 Google networks. The ccd/client file has this
route 192.168.127.0 255.255.255.0
iroute 192.168.127.0 255.255.255.0
And you may need to add others, if you have other routes. (There's a section in the OpenVPN manuals about ccd/ and iroute.)
Back on the Google cloud, you will need to add a Google route via the OpenVPN gateway on 10.156.0.10 to get back to 192.168.127.0/24.
And there's lots of firewalling that you should do to make your hosts safe, but you must at least open the 1194 port for OpenVPN.
On your site, if you want to access the Google Cloud private networks, you will need to use RIPd from Quagga. That's a relatively easy configuration:
router rip
network eth0
passive-interface tun0
no default-information originate
redistribute kernel route-map GMAP
access-list GCE permit 10.156.0.0/20
access-list GCE permit 10.164.0.0/20
access-list GCE permit 10.132.0.0/20
access-list GCE deny any
route-map GMAP permit 10
match ip address GCE
This is the RIPd configuration for the OpenVPN client gateway, which is a router. This configuration propagates any routes for the three Google Cloud networks 10.{156,164,132}.0.0/20.
The RIPd configuration on the other hosts in your site network doesn't require any special configuration, just name the "router rip" and the "network eth0", your host's network interface and start RIPd. (The configuration on the VPN client gateway should be easier than this, but I found that "no default-information originate" didn't work for me, so I had to just propagate the Google routes.)
I have installed CentOS 6.5
my default gateway in my infrastructure is 192.168.3.1 (which is firewall IP)
I wanted to change it to the CentOS server IP So that I can limit the usage of the Internet and monitor the Websites used in my network.
I dont want to setup proxy server setting in browser
Appreciate all :)
You have two options:
First option use iptables firewall and redirect trafic from port 80 to port 3128.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
Second option configure squid to lisaning port 80 instead 3128
By default, Squid listens on port 3128. If you would like to use a different port, modify
/etc/squid/squid.conf
http_port 80
save
service squid restart
My machine L has only an IPv4 address.
I want to access a web page S from L through a VPS P2 that has only an IPv6 address.
I have a VPS P1 that has a single interface with two addresses: IPv4 and IPv6.
So the whole chain should be L(IPv4) -> P1(IPv4) -> P1(IPv6) -> P2(IPv6) -> S(IPv6)
I have installed Squid 3.3.8 on each VPS (running Ubuntu).
Here is the configuration of P1:
http_port 3128
cache_peer 2001:XXXX:XXX:XX:XXX:XXXX:XXXX:66bc parent 3128 0 no-query no-digest default
never_direct allow all
Here is the configuration of P2:
http_port 3128
http_access allow all
I get this error: HTTP/1.1 403 Forbidden. It appears that there is a problem in P1(IPv4) -> P1(IPv6) or in P1(IPv6) -> P2(IPv6). The latter is more likely, I guess. How can I fix this?
Notes:
I know I can access S directly from P1. I tried it (by using http_access allow all instead of never_direct allow all). It works. But this is not what I want.
I don't care about security now (e.g., setting restrictive ACLs).
The problem was in the configuration of P1. I should have maintained http_access allow all:
http_port 3128
cache_peer 2001:XXXX:XXX:XX:XXX:XXXX:XXXX:66bc parent 3128 0 no-query no-digest default
never_direct allow all
http_access allow all
so I'm trying to create a proxy server for my crawler to use, and I'm unsure about why I'm getting denied from even myself. When I go to any website in a browser, on the computer that I've installed Squid and everything on, it's giving me the following error message:
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.whatismyipaddress.com/
The following error was encountered:
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is webmaster.
Generated Sun, 08 Nov 2015 04:03:13 GMT by WIN-AIUOBK0JHPA (squid/2.7.STABLE8)
I've edited my LAN settings in Internet Options to allow for a proxy server at the correct IP address (IPv4 when I run ipconfig), gave it the correct port to open up to, and I've also opened up the port in my Windows Firewall.
Below are segments of my squid.conf file:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localhost src 192.168.1.0/255.255.255.255
http_access allow localhost
(skip through some commented out segments....)
http_access allow manager localhost
http_access allow localnet
As you can tell, I've stripped out a lot of unnecessary commented parts. Down lower, I have my...
http_port ####
...line.
I have no idea why I'm getting blocked out. I will be constantly refreshing, so if you need any more information or have any questions, please let me know. Thank you so much!!
your config should somewhat look like below
http_access allow localhost
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
and remove the following line from your config
acl localhost src 192.168.1.0/255.255.255.255
localhost need not to be specified as ACL its just for accessing localhost pages. You have mixed up localhost with localnet, modify that line like below
acl localnet src 192.168.1.0/255.255.255.255
your lan clients local ip that hitting the proxy should belong to the above mentioned src range or modify the range as you require. all other requests from other ips will be denied
I just got rid of all the default config and used the following:
# cat /etc/squid/squid.conf
http_port 3128
acl vpc_no_internet src 10.130.0.0/255.255.0.0
http_access allow vpc_no_internet
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
Note: The above config allows access for the specified subnet only.
I had a similar situation and the solution was to use the following commands:
unset https_proxy
unset http_proxy
unset ftp_proxy
I placed these into a script to run every time I logged in to my server.
This may not be the correct solution for you but it worked in my situation as I wasn't using the proxy and was connecting via vpn.
The only reason I am posting this is I haven't seen this answer posted anywhere else. As usual, YMMV.
I have 3 virtual machines. I have Squid proxy installed on one of them which functions as a router. I need to configure it to accept HTTP requests from only one of the other 2 machines(IP - 172.16.2.2). The change I made to the squid.conf file is:
http_port 172.16.2.2:3128
I then changed the firewall rule in the route machine so that it redirects traffic from 172.16.2.2 bound for 80 (HTTP port number) to the default squid port 3128. The command is given below:
sudo iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Machine 172.16.2.2 is connected to the router on eth1. However, whenn I am making sending a HTTP request from 172.16.2.2, I get a 403 Forbidden error. It says:
X-Squid-Error: ERR_ACCESS_DENIED 0
I can't understand it. Please help.
(edited for style)
http_port is used to configure where squid is listening for request, so if you include an ip address, it should be configured in the same machine that is listening. So, in your case 172.16.2.2 (the "other" machine) is not a correct configuration.