Re: [squid-users] Forwarding loop on squid 3.3.8

From: James Michels <karma.sometimes.hurts_at_gmail.com>
Date: Wed, 6 Aug 2014 17:03:08 +0100

Ok, but if NAT is expected on the Squid box exclusively, how do I
redirect all the outgoing traffic sent over the port 80 from a client
to another box (concretely the one where Squid runs) without using
such NAT?

I thought packets were not mangled over the same network unless
specifically done via iptables. Does that mean that the squid3 box
currently has trouble resolving the host domain, i.e. google.com, and
therefore tries relaying through the original packet's IP? It seems to
resolve it via the 'host' or 'ping' commands.

Thanks

James

2014-08-06 14:52 GMT+01:00 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 7/08/2014 1:26 a.m., Karma sometimes Hurts wrote:
>> Greetings,
>>
>> I'm trying to setup a transparent proxy on Squid 3.3.8, Ubuntu Trusty
>> 14.04 from the official APT official repository. All boxes including
>> the Squid box are under the same router, but the squid box is on a
>> different server than the clients. Seems that for some reason the
>> configuration on the squid3 box side is missing something, as a
>> forwarding loop is produced.
>>
>> This is the configuration of the squid3 box:
>>
>> visible_hostname squidbox.localdomain.com
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access allow all
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localhost
>> http_access allow all
>> http_port 3128 intercept
>> http_port 0.0.0.0:3127
>>
>> This rule has been added to the client's boxes:
>>
>> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination
>> 192.168.1.100:3128
>
> That's the problem. NAT is required on the Squid box *only*.
>
>>
>> 192.168.1.100 corresponds to the squid3 box. In the log below
>> 192.168.1.20 is one of the clients.
>
>
> When receiving intercepted traffic, current Squid validates the
> destination IP address against the claimed Host: header domain's DNS
> records to avoid several nasty security vulnerabilities when connecting to
> that Host domain. If that fails the traffic is instead relayed to the
> original IP:port address in the TCP packet. That address arriving into
> your Squid box was 192.168.1.100:3128 ... rinse, repeat ...
>
> Use policy routing, or a tunnel (GRE, VPN, etc) that does not alter the
> packet src/dst IP addresses to get traffic onto the Squid box.
>
> Amos
Received on Wed Aug 06 2014 - 16:03:17 MDT
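The destination check Amos describes, as an added model written for this archive page (constructed; not Squid source code and not anything posted in the thread). All addresses other than 192.168.1.100:3128 are placeholders and the DNS table is invented; it shows why client-side DNAT relays back into Squid while a packet whose real destination is recovered on the Squid box is forwarded normally.

```python
"""Constructed model of the intercept destination check described in this
thread (not Squid source code). It shows why client-side DNAT loops back
into Squid while a packet whose dst IP is preserved is forwarded normally.
All addresses other than 192.168.1.100:3128 are placeholders."""
from dataclasses import dataclass

SQUID_ADDR = ("192.168.1.100", 3128)

# DNS answers as resolved from the Squid box (constructed placeholder IPs).
DNS = {"google.com": {"203.0.113.10", "203.0.113.11"}}


@dataclass(frozen=True)
class Intercepted:
    host: str    # Host: header sent by the client
    dst: tuple   # (ip, port) of the TCP packet as recovered by Squid


def host_matches_dst(pkt: Intercepted) -> bool:
    """Host-forgery check: the claimed Host domain must resolve to the
    packet's destination IP, otherwise the Host header is not trusted."""
    return pkt.dst[0] in DNS.get(pkt.host, set())


def next_hop(pkt: Intercepted) -> tuple:
    """Verified Host -> forward to the domain; unverified -> relay to the
    packet's original dst IP:port, whatever it was."""
    if host_matches_dst(pkt):
        return (sorted(DNS[pkt.host])[0], pkt.dst[1])
    return pkt.dst


def trace(pkt: Intercepted, max_hops: int = 3) -> list:
    """Follow the relay: a hop landing on Squid's own intercept port is
    intercepted again with the same Host header. Returns the hops taken."""
    hops = []
    for _ in range(max_hops):
        hop = next_hop(pkt)
        hops.append(hop)
        if hop != SQUID_ADDR:
            break  # traffic left the Squid box: no loop
        pkt = Intercepted(pkt.host, hop)  # ... rinse, repeat ...
    return hops


def is_forwarding_loop(pkt: Intercepted) -> bool:
    return all(h == SQUID_ADDR for h in trace(pkt))


# Client-side DNAT (original post): Squid's own address is the packet dst.
CLIENT_DNAT = Intercepted("google.com", SQUID_ADDR)
# NAT only on the Squid box: the real dst is recovered from the NAT table.
PRESERVED = Intercepted("google.com", ("203.0.113.10", 80))
```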