Squid not working as transparent pxoxy, help!

[tsuki]

Hello this is my fist entry here in FreeBSD recently just changed from Debian because we had to work on some apliances, and its just easier and we are all happy with this, we needed to create a serverbox to act as a router, and have squid in it so it filter the computers on our lan.

We have internet access on the lan now and the proxy seems to work when we put it on the browser (manually)
its just not doing it transparent at all and we dont want to do this manually on all computers

hope someone can help this is our configuration files:


we have done.

1. enabled root access via ssh.
modify file /etc/ssh/sshd_config with the entry of

PermitRootLogin yes

2. enable bridge
modify file /etc/rc.conf with

cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge1 addm bge0 up"

3. enable bridge with sysctl values
modify file /etc/sysctl.conf with

net.inet.ip.forwarding=1

4. modify /boot/loader.conf with

if_bridge_load="YES"

With this we created the firewall part and are our gateway just works..

Now this is the squid conf:

##########################
http_port 3128 transparent
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 128 MB

maximum_object_size 80000 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_dir diskd /usr/squid 28000 32 512 Q1=72 Q2=64

log_fqdn off
dns_nameservers 67.138.104.249

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320

#next, remove
acl localnet src 192.168.211.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0

#blacklist acl
external_acl_type eatFilter children=2 %URI /opt/squidacl/bin/filter /opt/squida
cl/data/blacklist
acl aeFilter external eatFilter
http_access deny aeFilter
deny_info [url]http://blocked.saintapp.com[/url] aeFilter

http_access deny !Safe_ports

http_access allow localnet
http_reply_access allow all
visible_hostname localhost

#http_access allow all
coredump_dir /usr/local/squid/cache

And this are our ipfw config : ( on debian we did iptables just to route the lan ips to port 3128 I'm not sure what will work on BSD)

00100 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv bce1
00200 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 in recv bce1
65535 allow ip from any to any

Please can someone tell me whats wrong in here.

 

[tsuki]

Still no luck

Someone some hint, I installed v 3.1 and changed some of my ipfw rules, and I am getting very frustated now there is a lot of tutorials but they all follow something diferent have tried all of the top ones and no luck.

 

[AndyUKG]

Have you dug up any how to´s? ie:

http://www.freebsdonline.com/content/view/346/355/

 

[tsuki]

No luck

Actually the link you passed gave me was the first configuration we tried and no luck, it works if on a LAN computer we input the proxy manually into the browser but its not transparent.

 

[tsuki]

ipfw not working

I dont know if i should move this post to another topic, the ipfw tables I created are not working how can I test that the LAN computers are really passing through my squid proxy

 

[AndyUKG]

Use tcpdump for basic are packets passing through the server test, for squid check the squid access log?

 

[tsuki]

Not passing through the ipfw rules

I appreciate your help Andy, I ran [CMD="tcpdump"][/CMD]and did not found the 3128 port for squid also there was nothing on the squid access log, I just cant find what is wrong, this exact configuration I had in a Debian server and it worked like a charm..

I'll keep messing around to see what else could give me a hint to the issue.

 

[AndyUKG]

Here is some more info:

http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdIpfw

Includes how to setup ipfw and also mentions that you need to ensure that you compile squid with the transparent proxy option....

 

[AndyUKG]

Just had a quick look, in ports the squid package has no transparent option for IPFW (it supports PF and IPFILTER). However there is a newer version, squid30, that does include as an option IPFW so maybe you should give that a go...??

 

[tsuki]

Well I did what you suggested although the installation for squid 3.1 was not so simple we got hell of a lot of warnings but managed to configured it correctly, the transparent mode its still not working :x , this is what we have changed:

installed squid 3.1 from ports [CMD="./configure --enable-ipfw-transparent"][/CMD]

reconfigured squid.conf :

http_port 3129 transparent

#http_port 127.0.0.1:3129 transparent

icp_port 0

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY

cache_mem 128 MB



maximum_object_size 80000 KB

ipcache_size 1024

ipcache_low 90

ipcache_high 95

cache_dir diskd /usr/squid 28000 32 512 Q1=72 Q2=64



log_fqdn off

logfile_rotate 10



dns_nameservers 67.138.104.249



auth_param basic children 5

auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp:        1440    20%    10080

refresh_pattern ^gopher:    1440    0%    1440

refresh_pattern .        0    20%    4320



#next, remove

acl localnet src 192.168.211.0/24

acl localhost src 127.0.0.1/32

acl to_localhost dst 127.0.0.0/8



acl SSL_ports port 443 563

acl Safe_ports port 80 21 443 563 210 1025-65535 280 488 591 777

acl CONNECT method CONNECT

#acl all src all



#blacklist acl

external_acl_type eatFilter children=2 %URI /opt/squidacl/bin/filter /opt/squidacl/data/blacklist

acl aeFilter external eatFilter

http_access deny aeFilter

deny_info http://blocked.saintapp.com aeFilter



http_access deny !Safe_ports



http_access allow localnet

http_reply_access allow all

visible_hostname localhost



#http_access allow all

coredump_dir /usr/local/squid/cache

Note that some tutorials advice to put some configurations this are the ones I have tried:

http_port 3128 transparent

http_port 3129 transparent

http_port 127.0.0.1:3128 transparent

http_port 127.0.0.1:3129 transparent

http_port 3128 intercept

http_port 3129 intercept

http_port 127.0.0.1:3128 intercept

http_port 127.0.0.1:3129 intercept

by far none have worked

Also I followed this : http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdIpfw
and created the rc.firewall.local script
and added the path in /etc/rc.conf
under [CMD="firewall_type="path_to_myscript""][/CMD]

right now i'm really confused tcpdump is not showing the port even when I place the proxy manual on the client browser..

Any ideas on what is wrong or where should I keep looking, I think the problem is in the gateway configuration :

cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge1 addm bge0 up"

But I'm not sure... :\

Thnxs for all the help!

 

[AndyUKG]

Well I did what you suggested although the installation for squid 3.1 was not so simple we got hell of a lot of warnings but managed to configured it correctly, the transparent mode its still not working :x , this is what we have changed:

installed squid 3.1 from ports [CMD="./configure --enable-ipfw-transparent"][/CMD]

It shouldn't be necessary to run configure manually, go to the port /usr/ports/www/squid30 and run make install. You will get a list of options to choose from before it installs which includes the option for ipfw transparent mode.

right now i'm really confused tcpdump is not showing the port even when I place the proxy manual on the client browser..

What are you looking for in tcpdump? I think all you will be able to see is port 80 traffic arriving from the clients, anything done locally on the server (ie via the loopback) won't show up in tcpdump, so that I think includes anything relating to port 3128/3129.
When testing with browsers manually set to use the proxy you should see traffic arriving on the port specified in the browser, if not you are doing something wrong.

cheers Andy.

 

[tsuki]

tcpdump

Thanks for the reply Andy, still no luck, when running [CMD="tcpdump -vv host 192.168.211.9"][/CMD] I cant find nothing related to the ports 3128 or 3129, while having the proxy manual on the client browser (still making several tests with configuations), but I don't know where to look anymore, I keep changing the ipfw list and the squid config file, its driving me nuts x( The strange thing is that the manual proxy works, on the client (manually) and I know because we are filtering some sites...

But tcpdump shows nothing, I still think that my ipfw list/rules are doing nothing..

 

[AndyUKG]

Hi,

firstly, as I mentioned, if you didn't install via ports then I'd recommend that method as its a pretty good guarantee that the app will work, ie install via "make install" from /usr/ports/www/squid30.

WRT tcpdump, you definately should be able to see traffic in both cases even if ipfw isn't working correctly. The easiest way is probably to filter via the client IP, so you can use a command like this assuming that the interface on the server is "em0" and the client is IP "10.10.10.1".

# tcpdump -i em0 host 10.10.10.1

If you don't see any packets then the problem is your client config. The client is setup to use the server as its default gateway I assume?

cheers Andy.

 

[tsuki]

RE

I should had mentioned it before, sorry I did installed squid 3.1 from the ports and I made sure to enable ipfw tansparent from the configuration, and already tried the command you posted for the tcpdump part, and still cant see the port being used, in none of my cards, (bce1/bce0)...The proxy manually works in the client(manually)

As for the clients they are conected to the server as their default gateway.

Don't know if it will help, but I'll just paste my /etc/rc.conf file :

# -- sysinstall generated deltas -- # Thu Jul 28 10:37:37 2011
# Created: Thu Jul 28 10:37:37 2011
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.211.1"
gateway_enable="YES"
hostname="squid.saintapp.com"
ifconfig_bce0="inet 192.168.211.5  netmask 255.255.255.0"
ifconfig_bce1="inet 192.168.211.6  netmask 255.255.255.0"
sshd_enable="YES"
squid_enable="YES"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm bce1 addm bce0 up"
firewall_enable="YES"
firewall_type="/etc/rc.farewall.local"
#pf_enable="YES"
#pf_rules="/etc/pf.conf"

What now?? :r

 

[AndyUKG]

As I said, I don't think you will see the squid port with tcpdump when running in transparent mode as traffic will arrive from clients on port 80 (which you should be able to see). If you can see traffic arriving on port 80, but its not hitting squid then it would seem an ipfw issue so you need to check the ipfw man pages regarding debugging...

 

[Eldiemo]

http_access allow localhost

I guess that in transparent mode the local system needs access to squid.