Software :: Squid 3.0 Access List / Remove Redirect Statement From Iptables All Internet Access Is Blocked?
Jun 11, 2010
I have an old FC2 box running Squid version 2.5. It has been running since 2003 so I am in the process of replacing it. I have a new machine with FC11, iptables, and Squid 3.0 installed.
On the old machine I use iptables to intercept Port 80 traffic and send it to Squid. By default I block all internet access and allow only sites that are in an Allowed_Sites.txt file. Within Squid I also have statements to allow certain users to bypass Squid based on their IP address.
I have set up the same thing on the new box. I have iptables intercepting the Port 80 traffic and sending it to Squid. That is working because if I remove the redirect statement from iptables all internet access is blocked.
The problem I am having is that Squid is not blocking any websites. It acts like the ACL is set to http_access allow all. I have worked on this for several hours and am stumped.
These are my Squid rules:
acl allowed_sites url_regex "/etc/squid/Allowed_Sites.txt"
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow Bypass_Users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.1.0/24
http_access allow allowed_sites
http_access allow our_networks
http_access deny all
icp_access deny all
htcp_access deny all
http_port 192.168.1.254:3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname FC11.proxybox
icp_port 3130
coredump_dir /var/spool/squid
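The "acts like allow all" symptom follows from Squid's first-match evaluation of http_access: `http_access allow our_networks` matches every LAN client before `deny all` is reached, so `allowed_sites` never restricts anything. The Python below is an added example (not from the post or from Squid) that replays that evaluation over the posted rule order and over a corrected order; the Bypass_Users members and the Allowed_Sites.txt patterns are constructed stand-ins.

```python
import ipaddress
import re

# Constructed stand-ins for the ACLs in the posted squid.conf. Bypass_Users is
# not shown in the post, so its members are assumed; the url_regex list stands
# in for the contents of /etc/squid/Allowed_Sites.txt.
ACLS = {
    "allowed_sites": ("url_regex", [r"^http://(www\.)?example\.com/", r"\.gov/"]),
    "Bypass_Users": ("src", ["192.168.1.10/32"]),
    "our_networks": ("src", ["192.168.1.0/24"]),
    "all": ("src", ["0.0.0.0/0"]),
}

# The posted http_access order (the lines that decide the outcome for a LAN client).
POSTED_RULES = [
    ("allow", ["Bypass_Users"]),
    ("allow", ["allowed_sites"]),
    ("allow", ["our_networks"]),   # matches every LAN client, so "deny all" is never reached
    ("deny", ["all"]),
]

# One corrected order: a LAN client is allowed only when the URL is whitelisted.
# ACLs listed on one http_access line are ANDed, exactly as in Squid.
FIXED_RULES = [
    ("allow", ["Bypass_Users"]),
    ("allow", ["our_networks", "allowed_sites"]),
    ("deny", ["all"]),
]


def acl_matches(name, client_ip, url):
    """Evaluate one ACL reference; a leading '!' negates it, as in squid.conf."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    elif kind == "url_regex":
        hit = any(re.search(v, url) for v in values)  # unanchored search, like Squid
    else:
        raise ValueError(f"unsupported ACL type {kind}")
    return hit != negate


def http_access(rules, client_ip, url):
    """Squid semantics: the first http_access line whose ACLs all match decides.
    If no line matches, the opposite of the last line's action applies."""
    for action, acl_names in rules:
        if all(acl_matches(n, client_ip, url) for n in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        verdict = http_access(rules, "192.168.1.50", "http://evil.example.net/")
        print(f"{label}: 192.168.1.50 -> http://evil.example.net/ => {verdict}")
```

The same first-match logic explains why `allow allowed_sites` placed before a broad `allow our_networks` still cannot restrict anything; removing or combining the broad line is what changes the outcome.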
Sep 23, 2010
I have configured my Squid so that it has limited access to websites, but some websites were still accessible via HTTPS, so I removed transparent from Squid. Now what changes do I have to make in iptables?
Nov 29, 2010
I connect to the internet at work through an authenticating proxy, and to avoid having to enter the proxy info into every app I use (e.g. Firefox, wget, KDE, etc.) I have set up Squid as a local transparent proxy which authenticates and routes all traffic to the work proxy. It has been working fine, but lately I haven't been able to connect to any https sites. I don't think I have changed the configuration, so perhaps it is the result of an upgrade, or something badly configured on my system from the start. I have tried connecting to https sites without Squid and iptables and it works fine. My system is Arch Linux, and my squid.conf file is: Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80    # http
acl Safe_ports port 21    # ftp
acl Safe_ports port 443   # https
[Code]....
Feb 10, 2011
I've set up Ubuntu 9.04 (desktop) at home in a lab environment (workgroup rather than domain) and have configured Squid. Everything works fine but, when I took it to the next level and made the proxy transparent, my problems began. I can still access sites (having pointed the XP Pro client to the Squid box as the DG) and the sites are logged in /var/log/squid/access.log, but I am unable to use Outlook to access my SMTP and POP3. I guess that the setup is blocking ports 25 and 110 and I'll need to configure iptables to forward packets destined for these ports directly to the "real" DG, rather than the Squid box. Here's the setup:
A single NIC (eth0) on 172.19.0.250/16 (static); ADSL router ("real" DG) on 172.19.0.1.
I executed: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
My squid.conf:
Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl mynet src 172.19.0.0/16
[Code]....
Aug 24, 2010
I am using Redhat 5.3. I configured the access list well using IP addresses, but my customer wants the access list on a MAC address basis.
Jan 13, 2010
We host a web server in which we are hoping to implement some form of traffic redirection based on source IP address, and I am wondering whether the squid proxy built on iptables would be capable of managing this task? Essentially we are trying to redirect traffic from specific set of source IP ranges to a "Your IP has been restricted" type of page at a different IP/FQDN.
Dec 30, 2010
I am using internet web control through Squid. All is working fine, with only a few small issues.
(1) Sometimes when I try to open google.com or any site I get the message (The requested URL could not be retrieved) (screenshot attached), but after some time the same website opens again.
(2) I would like to block the word 'sex', so I have edited squid.conf with the following ACL:
acl Blockword url_regex sex
http_access deny Blockword
but a problem occurs on some websites where the word 'sensex' is found in the URL. Then Squid blocks the 'sensex' URL content website too.
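A url_regex ACL is an unanchored search over the whole URL, which is why `sex` also hits `sensex`. The Python below is an added example (not from the post or from Squid) showing the difference between the posted pattern and one that only matches the word on its own; the URLs are constructed samples, and the bracket-based boundary is used because it is valid both in Python and in the POSIX extended regex Squid compiles.

```python
import re

# The poster's pattern, as in: acl Blockword url_regex sex
NAIVE_PATTERNS = [r"sex"]

# Same word, but only when it is not part of a longer alphanumeric token.
# (^|[^a-z0-9]) and ([^a-z0-9]|$) are plain POSIX ERE, so they work in Squid too.
ANCHORED_PATTERNS = [r"(^|[^a-z0-9])sex([^a-z0-9]|$)"]


def first_blocking_pattern(patterns, url):
    """Mimic a Squid url_regex ACL: return the first pattern found anywhere in
    the URL (unanchored, case-sensitive like url_regex without -i), else None."""
    for pat in patterns:
        if re.search(pat, url):
            return pat
    return None


def is_blocked(patterns, url):
    return first_blocking_pattern(patterns, url) is not None


if __name__ == "__main__":
    # Constructed sample URLs: a finance site containing "sensex" and two that
    # really carry the word as a path component or host label.
    for url in ("http://www.sensex-news.example/", "http://www.example.net/sex/index.html"):
        print(url, "naive:", is_blocked(NAIVE_PATTERNS, url),
              "anchored:", is_blocked(ANCHORED_PATTERNS, url))
```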
Apr 28, 2010
I am using the CentOS 5.4 distro on a remote machine. I have a remote site where internet access is given via a Squid proxy. When we enter it in the browser, the internet works fine. But on the command line (bash shell prompt terminal), commands like wget, ping, nslookup, traceroute etc. do not work.
Jul 24, 2010
I have a SQUID proxy server installed on a SUSE 9.0 ES server. I've created cache dirs on separate partitions for better caching. It's working fine. But for the last 15-20 days, I've experienced very slow net access for clients. I've gone through the /var/log/messages file; it generates a two-line error message:
client read request fd602 invalid request
parse http request: unsupported method;HET
This message increases as the number of clients (for internet access) increases. The appearance of the error message drops as soon as the number of clients reduces.
As the count of clients increases the error messages increase, and internet access gets slower and slower.
Apr 4, 2010
Slow access to a web site using Squid and Internet Explorer. I am trying to troubleshoot an issue I am stuck on. We have a website that is loading .htm documents extremely slowly when using Internet Explorer 8 behind Squid. When we bypass the proxy and go directly out to the internet all is fast and pages load fine. But when the proxy is on, documents will sometimes take up to 6 minutes to load. This issue is only apparent using Internet Explorer 8. I do not see the issue when using Firefox with Squid. I have tried to use the no_cache directive thinking it may have been the cache, but that didn't work either. I am attaching our access.log, store.log and squid.conf.
Jan 24, 2010
I'm running my own PPTP server, but I can't get it to access the internet. All my PCs at home run in the 192.168.0.0/24 net, the PPTP server has local IP 192.168.0.5 and remote IPs 192.168.0.80-99. The router to the internet is at 192.168.0.1, and the IP of eth0 on the machine where the pptpd runs is 192.168.0.4. I want to be able to connect to the internet through that VPN and access my local LAN servers (which works fine so far). I can ping internet and local IPs successfully, but can not access them with a browser, or connect to them in any other way. I have 'accepted' all in/output and forwards.
I am running a Squid proxy on the same machine, and if I do:
iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -s 192.168.0.0/24 -p tcp --dport 80 --to-port 3128
I can access the internet through Squid, but of course Jabber/ICQ etc. won't work then because it just refers to port 80. But I want the PPTP clients to connect to the internet directly; if I don't use that rule it's not possible to load any pages. But pinging works all the time. DNS is also working fine, but I can't even access webpages via IP directly. How can I allow the PPTP IPs 192.168.0.80-99 to get direct access to the internet with iptables?
Jun 16, 2009
I have installed debian to run Squid cache as a caching proxy.
I've been bashing away now for 2 days and I have managed to install Squid (I first tried manually, but that did not work, so I used the Synaptic software packager to install it (from the Administration menu)).
That went well; thereafter I installed Webmin to work with Squid in a GUI.
I have managed to start Squid and added my range of IP addresses to the ACL list.
I have added the proxy restriction too.
Now, I tried to test it.
I opened the Iceweasel web browser (on the same machine) and set it to use Proxy server: localhost and port: 3128.
That works fine.
But when I try to change the proxy setting to my machine's IP (where Squid is installed):
Proxy server: 10.0.0.35 and port: 3128
That does not work.
Am I missing something? Please help.
I then tried to set another Windows PC on the network to:
Proxy server: 10.0.0.35 and port: 3128
That also does not work.
I also edited the conf file to http_access allow all, but I do not know if I have done it correctly, or maybe there is another problem?
May 31, 2011
I have been using Squid Server for the last 5 years. There is a site "http://www.firstflight.net" which was accessible a few days ago, but now I am unable to access this site. If I use IE8 then I get the error below:
"Internet Explorer cannot display the webpage"
Or using Google Chrome I get the error:
"This webpage is not available The webpage at http://www.firstflight.net/ might be temporarily down or it may have moved permanently to a new web address. Error 330 (net::ERR_CONTENT_DECODING_FAILED): Unknown error."
But other sites are working fine..
Feb 6, 2010
I am trying to configure my Linux router to restrict Internet access for one computer on my LAN. It needs to be restrictive based on the time of day and the days of the week. I am using the MAC address of the computer to single out the one computer that needs to be blocked. However, this is my first attempt at making any rules with iptables, and I am not sure if I am doing this right. If some one can take a look at this I would greatly appreciate it. This is what I have done so far.
Here is my thinking. Create a new target. Check the MAC address, if it is NOT the offending computer return to the default chain. If it is the offending computer check that we are between the allowed hours and dates and ACCEPT. If we are not within the time/date range then drop the packet.
Code:
Here I am trying to route all packets regardless of the computer on the LAN into the blocked_access chain for checking.
Code:
Is it a good idea to route all traffic through the blocked_access chain? I do run other servers that are accessible from the Internet, so I am not sure how this setup will affect that. I also use shorewall on the router to setup iptables for me. How would I integrate this with shorewall?
I am using Squid to block access when he is using the web browser. However, he is still able to play games (World of Warcraft) and the like.
I am using Debian sid, iptables (1.4.6), shorewall (4.4.6), kernel 2.6.32-trunk-686.
Oct 20, 2010
LinuxA & LinuxB
linuxA:eth0(10.1.1.1) connected linuxB:eth0 (10.1.1.2)
linuxA:eth1(202.1.20.45) connected internet
[code]....
Aug 26, 2010
I have a Linux box (Fedora) with two ethernet cards, eth1 and eth2. On eth1 I successfully configured a PPPoE internet connection, such that from the server I can browse the internet. On eth2 I wired it to a wireless router, essentially to provide the wireless cloud. On eth2 I also configured DHCP, such that the Linux box is both PPPoE and DHCP server. However my clients on the LAN cannot access the internet.
On passing the routing command I get:
Destination    Gateway    Iface
196.44.x.y     0.0.0.0    ppp0
192.168.1.0    0.0.0.0    eth2 (my subnet)
0.0.0.0        0.0.0.0    ppp0
The router (functioning as a wireless access point mainly) has a fixed IP address of 192.168.1.2 and eth2 has IP address 192.168.1.1. The dhcp file running on Linux has been set with option router (Gateway) 192.168.1.1. I cannot figure out how to correctly set the routing table such that my clients on wireless can access the internet cloud. I googled and googled but no solid solution. Any suggestions?
Dec 29, 2010
I am using Squid to control access to the internet. All is working fine except for one user who uses an outside organization's portal to connect to the internet. But whenever he tries to enter the portal by typing the (EXAMPLE) URL, a permission denied error from Squid occurs.
How can I allow this portal in Squid, so that Squid will allow access to it?
Aug 26, 2010
I installed 11.3 amd64 as a VM under Vista/VMware Player and all worked fine. I have now installed it as a physical system. It installed cleanly BUT during first boot it could not access the repos. With each repo it gave the message
- download (curl) error for (repo)
- error code connection failed
- error message could not resolve host (repo)
This was followed by a message box containing
- UI syntax error
- no widget with ID 'contents
Firefox could not access the internet (cannot find server) until I disabled IPV6 (I used about:config), now it works fine. I think the repos problem is because of IPV6 - I usually have trouble with IPV6. I tried disabling IPV6 with the following (How To Disable ipv6 on SuSE Linux | Linux Poison)
[code]......
May 18, 2010
I can't seem to remotely SSH or VNC into my machine. If I'm on the LAN and try accessing via LAN IP, it works fine. If i go in through a remote address (my dyndns) or even my home IP, I can't connect (yes, all of the ports are forwarded, I've triple checked this multiple times). Interestingly enough, port 80 works just fine. It would seem as though some sort of firewall is blocking me. I've done this plenty of times before with various machines, and this has me quite perplexed.
May 27, 2009
We have a simple office network set up that we also use to connect to the internet; however, of late the number of users has increased, thus slowing internet access. A bandwidth upgrade is not an option, thus I have to do bandwidth shaping on our Linux router. The question is how do I set the Squid configs to allow a certain IP range a certain percentage of bandwidth, e.g. 60%, and further divide the rest? Alternatively, how can I allow certain IPs to have higher bandwidth access?
Dec 31, 2010
I managed to configure my W890i phone to get access to internet through an ubuntu-based computer. It's very easy to use the phone to give internet access to the computer, but the opposite is quite more tricky. For that I've done the following
----On the phone---
-Set the USB network option to "through computer", so that the phone uses the computer's internet connection and not the opposite.
-Decide and set "Shared Network" parameters: user, password and workgroup.
-In "connectivity -> internet connection" set "allow local network" to "yes"
----On Ubuntu 10.04---
-Install samba, samba-client, smbfs, smbclient, firestarter and dhcp3-server
-Configure Samba (System-> Administration-> Shared folders): same workgroup as in the phone, add new user (the phone), passwd this new user. In my case the user was called "w890i" and the password given was the same.
-Once the phone is connected to the computer through USB (then select "phone mode"), a new connection appears in NetworkManager: usb0. The aim is to create a shared network that gives internet access to this device. Edit the IPv4 parameters of this new connection, set them to Manual and give an IP address (192.168.0.1) and a subnet mask (255.255.255.0); the rest of the fields are left empty. Connect this network.
-Set firestarter to use dhcp3: sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd
-Launch firestarter and follow the wizard. Set "allow internet shared connection", choose the device for the primary internet access, and then the device for the shared network (usb0). Then change the settings for firestarter: activate DHCP for local network, set IP to the one we gave before (192.168.0.1).
-Open the dhcp3-server config file (sudo gedit /etc/default/dhcp3-server) and set INTERFACES="usb0"
-Set the policies of firestarter: in incoming connections, allow connections from the IP address given to the phone (192.168.0.1). Then add rules for the ports that need to be open for this connection. I opened HTTP, HTTPS, SMB, SMTP, POP3, IMAP, IMAPS, DHCP for all the connections in the local network.
-Apply policies and start the firewall.
------------
After all this, the phone can access the internet through the computer. Two problems appeared:
1. I couldn't get access to https sites, like webmails. The phone gave a "communication error". But then I tried with Opera instead of the browser built in the phone's firmware, and I could finally get to https sites.
2. I couldn't retrieve mail, neither POP nor IMAP nor IMAPS. I thought it was a firmware problem again, and I tried out several mobile phone email clients written in java, but none of them worked.
So this is the problem at the moment. If I connect from the phone to the internet directly through 3G, the email clients work for all my accounts. I don't think it's a firewall problem, because the ports are opened for this connection.
Jul 6, 2011
I connected my laptop running Ubuntu 11 to the LAN but I couldn't access the internet. But I could ping the other computers connected to the LAN. I tried the same thing with Windows 7 on the same laptop and I could access the internet.
Sep 17, 2010
I don't know if this is the right place to ask, but I must ask some questions. Here's my problem. I'm a student in high school, and here we use the Linux (Ubuntu) OS. Every classroom has like 30 PCs connected with the main computer (the teacher's one), so... 3 days ago we were forbidden access to some websites; it says "This domain is Blocked". By the way, the Linux version installed is 7.04 (Feisty Fawn). I tried disabling cookies, that did not work; also tried to whitelist some websites, that also didn't work out.
Mar 12, 2011
We want Apache to serve and load our website only for one specific sub-domain, and all other domains should be ignored/dropped or redirected.
Jan 14, 2011
Is this possible? 2 Linux boxes will act as an INTERNET firewall + filtering: 1st PC = CentOS 5.5 functions as a firewall using iptables with two NICs: 1=ETH0 connected to the internet with a public IP, and 1=ETH1 with IP address 10.0.0.1 connected to the 2nd PC (CentOS 5.5 with squid/dansguardian) with IP address 10.0.0.2.
2nd PC = CentOS 5.5 functions as a squid + dansguardian internet filter with 2 NICs: 1=ETH0 with IP address 10.0.0.2 connected to ETH1 of the 1st PC (IP address 10.0.0.1), and 2nd ETH1 = connected to the LAN (172.16.1.0/24).
Does this make sense? This might be confusing, but I just want to try this, to protect against incoming SSH from our previous sysadmins who intended to enter the LAN 172.16.1.0/24 network, and also to confuse them in that they have to pass through 10.0.0.1 - 2.
Nov 21, 2010
I am in China, where some web sites (....., facebook, etc) are blocked. So I have to access these blocked sites by VPN. But how can I access blocked sites by VPN and unblocked sites by my direct ADSL?
Aug 12, 2011
I have a vps server running certain services which can be accessed via a web browser (e.g webmin control panel), but I have recently been unable to access these services from my home machine using Firefox 5.0, running ubuntu 11.04.
Example:
I can access the server on port 80 fine, eg: [URL]
However I cannot access my webmin control panel on: [URL]
The page takes ages to load and then times out. Same with transmission-daemon on: [URL]
Everything is set up fine on my server, the ports are open in firewall etc. and I can access these pages fine from my work computer.
This has only started happening in the last day or two and had been working fine up till then. I have not messed around at all with the firewall on my home machine. I have tried other browsers besides Firefox with same result.
Jun 14, 2010
I have the following IP assignments:
fedora (iptables)
eth0 -private :192.168.1.1
eth1 -public : 186.117.50.6
squid proxy
192.168.1.10:3128
my clients range
192.168.2.0/24
How can I make my clients browse the internet only from the proxy server? My network is NAT'ed. Please specify an iptables rule to allow internet access for my clients to browse ONLY if they come through the proxy server.
Sep 30, 2010
I have two web apps on my single Linux box, Wiki and Mantis; the screenshot of the web apps directory is shown below. I have created the DNS CNAME record for this server which points to the main server SV6. Somehow I got an error after I edited it and restarted the Apache server.
May 24, 2011
I'm using Squid for internet sharing. I am facing a problem while accessing public FTP; there is no problem accessing local FTP, but if I try to access a public FTP like ftp://125.125.20.2 I get the error
' An FTP authentication failure occurred while trying to retrieve the URL: ftp://125.125.20.3/
Squid sent the following FTP command:
PASS <yourpassword> and then received this reply: User anonymous cannot log in. Your cache administrator is root.'
If I try to access local FTP 'ftp://10.185.200.12' I get no error.