Squid proxy // Problem

txtraz
Advisor

Squid proxy // Problem

All Concern,
Good Day.
My LAN users are having a problem while using the squid proxy server. They can't ping external networks (i.e. www.google.com) from the LAN. I want my LAN users to never get Internet connectivity for browsing without the proxy server, but they must be able to ping the outer world.

How do I solve the problem?

My Configurations:
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl deny dstdom_regex "/etc/squid/squid-block"
http_access deny deny
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl NNC src 172.16.10.0/24
http_access allow NNC
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname NNC
coredump_dir /var/spool/squid

Regards;
6 REPLIES
Joseph L. Casale
Regular Advisor

Re: Squid proxy // Problem

You would solve that problem by proxying icmp with an application that can :) Squid is a web proxy, not an "any protocol" proxy.

Not knowing your network topology, I can't tell you how to do it. Your hosts won't instinctively send icmp through a configured proxy, so you need to allow this on the default gateway they use. If that is in fact the proxy, and you redirect 80 into 3128, then you could also create iptables rules to masq icmp for them as well...
txtraz
Advisor

Re: Squid proxy // Problem

Thanks for your response, but I'm not clear on what I have to do. Can you please let me know the specifics in this regard?

It will be best for me if you let me know step by step.


Thanks once again
Joseph L. Casale
Regular Advisor

Re: Squid proxy // Problem

I need more details about your lan.

How are you specifying the proxy to the clients?

What is the clients default gateway? What acts as your default gateway, is it a router, firewall, Linux server performing masquerading etc?
txtraz
Advisor

Re: Squid proxy // Problem

Good day.
Actually my proxy server is connected to a VLAN. There are 14 VLANs in a core switch with inter-VLAN routing. All traffic from the different VLANs is coming to my proxy server via the core switch for Internet connectivity. All the VLANs' gateways are connected to my proxy server with static routing.

Now I want all my LAN users to be able to ping the outer world (i.e. www.google.com), but they must not get Internet with the proxy server.

Please help me in this regard.

Thanks.
Joseph L. Casale
Regular Advisor

Re: Squid proxy // Problem

Ok, so your clients all have their default gateway pointing to the switch, which uses static routes directed towards the squid server.

If your clients have an actual proxy config, such that the browsers specifically look for your squid server by IP, but have a different default gateway (the switch, which then goes where?), we need more info again.

You still haven't clarified whether or not your squid server is a transparent proxy, as it could very well be in this situation. If it is, which I suspect, you probably have an iptables rule to redirect 80/443 into 3128, correct? You can simply masq icmp with an iptables rule as well and perform NAT. Any rule I write is likely not going to work without seeing your actual config. Post your iptables config with any private info sanitized.
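The gateway setup Joseph describes (transparent redirect of port 80 into Squid, ICMP masqueraded out, and nothing else forwarded so users cannot bypass the proxy) as an added example; this is not code from the thread or from any poster. It assumes the proxy box is also the LAN default gateway, that eth1 faces the VLANs and eth0 faces the Internet, that all VLANs fall inside 172.16.0.0/16 (the thread only shows 172.16.10.0/24), and that Squid listens on 3128; all of these are assumptions and are parameterised as shell variables. It emits an iptables-restore file rather than running iptables directly, so the ruleset can be reviewed before it replaces the one posted below.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a Linux box that is
# both the LAN default gateway and a transparent Squid proxy.
# Assumed values (constructed for this example, override via environment):
LAN_IF="${LAN_IF:-eth1}"            # interface towards the VLANs / core switch
WAN_IF="${WAN_IF:-eth0}"            # interface towards the Internet
LAN_NET="${LAN_NET:-172.16.0.0/16}" # all client VLANs (thread shows 172.16.10.0/24)
SQUID_PORT="${SQUID_PORT:-3128}"    # http_port from squid.conf

# Print the complete ruleset. Design: only ICMP is NATed and forwarded; web
# traffic is diverted into Squid; every other forwarded packet is refused, so
# clients get ping but no direct Internet path around the proxy.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Transparent proxy: LAN HTTP goes into Squid instead of being routed out.
# (443 is deliberately not redirected; plain Squid cannot intercept TLS.)
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Masquerade ICMP only; no other LAN protocol is NATed out.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -p icmp -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Let LAN pings out and the echo replies back in.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p icmp -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything else from the LAN is refused, so TCP/UDP cannot bypass the proxy.
-A FORWARD -i $LAN_IF -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Extract the default policy of the FORWARD chain from the generated ruleset.
forward_policy() {
    gen_rules | sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p'
}

# Count generated rule lines matching a pattern (used as a self-check).
count_rules() {
    gen_rules | grep -c -- "$1"
}

# Usage:  sh gen-proxy-rules.sh > /tmp/iptables.proposed
#         iptables-restore < /tmp/iptables.proposed   (after review)
# Forwarding must also be on: sysctl -w net.ipv4.ip_forward=1
gen_rules
```

Compared with the config posted below, two things differ: the posted nat table is empty, so LAN pings leave with a private source address and never get a reply, and the posted FORWARD chain hands everything to RH-Firewall-1-INPUT, which accepts all traffic on eth0 and eth1; adding a blanket MASQUERADE there would give every client a direct route around Squid. Keeping the FORWARD policy at DROP with an explicit ICMP-only accept is what enforces "ping works, browsing only via the proxy".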

txtraz
Advisor

Re: Squid proxy // Problem

Please check the IPTABLES
----------------------------------

[root@proxy ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
[root@proxy ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@proxy ~]#