Overview of what you are needing:
* For all Squid ports receiving traffic via rules in iptables "nat"
table, you require "intercept" flag.
* For ports expecting to need decryption of SSL/TLS you need ssl-bump
Squid-3.3 can intercept both port 80 and 443. Although there are
limitations on port 43 interception which can easily be described as
"not working" if you don't understand what the interception is actually
doing.
... so please describe in details what you mean by "dont work".
Amos
On 8/06/2013 1:41 a.m., MyName IsLive wrote:
> Hi,
> this is the log after i run those iptables rule and those changes in squid.conf:
>
> 1370611784.763 2407 192.168.4.99 TCP_MISS/200 1376 GET http://www.facebook.com/ - HIER_DIRECT/31.13.86.8 text/html
> 1370611784.790 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
> 1370611801.238 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
>
> i just add https_port 3127 "intercept" ....
>
> and for normal http connection i dont have a stable connection randomly works or not work!!
>
> 1370611744.028 2358 192.168.4.99 TCP_MISS/304 395 GET http://l2.yimg.com/nn/lib/metro/p2.gif - HIER_DIRECT/66.196.65.188 -
> 1370611744.034 2361 192.168.4.99 TCP_MISS/200 1555 GET http://l2.yimg.com/dh/ap/default/130507/twitter-sprite_desktop.png - HIER_DIRECT/66.196.65.188 image/png
> 1370611744.684 2432 192.168.4.99 TCP_MISS/200 1560 GET http://ad.yieldmanager.com/imp? - HIER_DIRECT/217.163.21.41 application/x-javascript
>
> 1370611755.711 2419 192.168.4.99 TCP_MISS/301 573 GEThttp://hsrd.yahoo.com/_ylt=AtxMHaLUD5AnwWofb8kKFvabvZx4;_ylu=X3oDMTJycjUzcHE1BGNwb3MDMARnA2lkLTMzMjYxMDYEaW50bAN1cwRsdHh0A01lbCBCcm9va3MEcG9zAzIEc2VjA3RjLXRzBHNsawN0aXRsZQR0ZXN0AzkwMAR3b2UDMTI3MjM4NjQ-/RV=1/RE=1371821336/RH=aHNyZC55YWhvby5jb20-/RO=2/RU=aHR0cDovL3NlYXJjaC55YWhvby5jb20vc2VhcmNoP2NzPWJ6JnA9TWVsJTIwQnJvb2tzJmZyPWZwLXR0cy05MDAmZnIyPXBz/RS=%5EADAIOfP8qyIhCUF7TQ9B0kysUTI99I-- HIER_DIRECT/98.139.180.157 text/html
>
>
> thanks you
>
>> ----------------------------------------
>>> From: npf-mlists_at_eurotux.com
>>> To: squid-users_at_squid-cache.org
>>> Date: Fri, 7 Jun 2013 11:53:34 +0100
>>> Subject: Re: [squid-users] squid 3.3.5 http and https transparent proxy
>>>
>>>
>>>
>>>> in /etc/sysctl.conf ipforwading is enabled.
>>>>
>>>> and for iptables:
>>>> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.96:3128
>>>> i added these two rules work well for http, i tried many rules for https non them works!
>>>>
>>>> Please check squid configuration if its okay please give me the firewall rule
>>>>
>>>>
>>>> thank you very much
>>>
>>>
>>> Hello,
>>>
>>> Change
>>>
>>> http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
>>>
>>> to
>>>
>>> http_port 3128 intercept
>>> https_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
>>>
>>> And add do:
>>>
>>> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.96:3128
>>>
>>> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.4.96:3127
>>> iptables -I INPUT -p tcp -m tcp --dport 3127 -j ACCEPT
>>>
>>> Does it work after that?
>>>
>>> ./npf
Received on Fri Jun 07 2013 - 14:29:52 MDT
This archive was generated by hypermail 2.2.0 : Fri Jun 07 2013 - 12:00:06 MDT