topic Re: Squid proxy // Problem in Operating System - Linux

Squid proxy // Problem

txtraz — Mon, 27 Jul 2009 04:29:29 GMT

All Concern,
Good Day.
My LAN user's are having problem while using squid proxy server. They can't ping external network (i,e:www.google.com)from the LAN. I want my LAN users will never get Internet connectivity for browsing without the proxy server but they must ping to the outer world.

How do i solve the problem.

My Configurations:
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl deny dstdom_regex "/etc/squid/squid-block"
http_access deny deny
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl NNC src 172.16.10.0/24
http_access allow NNC
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname NNC
coredump_dir /var/spool/squid

Regards;

Re: Squid proxy // Problem

Joseph L. Casale — Mon, 27 Jul 2009 23:04:05 GMT

You would solve that problem by proxying icmp with an application that can:) Squid is web proxy, not "any" protocol proxy.

Not knowing your network topology, I can't tell you how to do it. Your hosts wont instinctively send icmp through a configured proxy so you need to allow this on the default gateway they use. If that is in fact the proxy, and you redirect 80 into 3128, then you could also create iptables rules to masq icmp for them as well...

Re: Squid proxy // Problem

txtraz — Tue, 28 Jul 2009 08:12:43 GMT

Thanks for your response but i'm not clear what i've to do. Can you please let me know the specific in this regards.

It' will be very best for me if you let me know the step by step.

Thanks once again

Re: Squid proxy // Problem

Joseph L. Casale — Tue, 28 Jul 2009 10:23:49 GMT

I need more details about your lan.

How are you specifying the proxy to the clients?

What is the clients default gateway? What acts as your default gateway, is it a router, firewall, Linux server performing masquerading etc?

Re: Squid proxy // Problem

txtraz — Wed, 29 Jul 2009 02:32:32 GMT

Dood day.
Actually my proxy server is connected to a VLAN. There is 14VLAN in a Core Switch with intervlan routing. All traffic from different vlan are comming to my Proxy server via the core switch for Internet connectivity. All the VLAN's gatewate are connected to my Proxy Server with static routing.

Now i want all my LAN users will be able to ping outerworld (i,e; www.google.com) but they must not get internet with the proxy server.

Please help me in this regards..

Thanks.

Re: Squid proxy // Problem

Joseph L. Casale — Wed, 29 Jul 2009 03:37:07 GMT

Ok, so your clients all have their default gateway pointing to the switch, which uses static routes directed towards the squid server.

If your clients have an actual proxy config, such that the browsers specifically look for your squid server by ip, but have a different default gateway (the switch, which then goes where?) we need more info again.

You still haven't clarified whether or not your squid server is a transparent proxy as it could very well be in this situation. If it is which I suspect, you probably have an iptables rule to redirect 80/443 into 3128, correct? You can simply masq icmp with an iptables rule as well and perform nat. Any rule I write is likely not going to work without seeing your actual config. Post your iptables config with any sanitized private info.

Re: Squid proxy // Problem

txtraz — Wed, 29 Jul 2009 05:02:01 GMT

Please check the IPTABLES
----------------------------------

[root@proxy ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
[root@proxy ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@proxy ~]#