linux
Stan Marsh, 2016-09-23 06:22:26

How to set up squid?

I'm trying to set up a transparent proxy. I read the guides and sort of set it up, but it doesn't work; the interfaces do respond to ping. Please help me set it up. I am attaching the squid settings, the operation log, and the interface settings.
squid.conf

# Allow access from our own network
acl localnet src 10.86.0.0/24
acl localnet src 192.168.0.0/24


# Rule set for access
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# HTTP access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all

# Port and IP address of the server
http_port 3128 intercept
http_port 192.168.2.1:3128 transparent

# Allowed amount of RAM
cache_mem 1024 MB

# Maximum and minimum size of a cached file
maximum_object_size_in_memory 512 KB
maximum_object_size 4 MB

# Cache directory and size
cache_dir ufs /var/spool/squid 2048 16 256

# Make the proxy anonymous
via off
forwarded for delete

interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# WAN Interface
auto enp3s2
iface enp3s2 inet static
         address 10.86.0.18
         netmask 255.255.255.0
         gateway 192.168.0.1

# LAN Interface
auto enp1s0
iface enp1s0 inet static
         address 192.168.2.1
         netmask 255.255.255.0

post -up /etc/nat

nat
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -i lo -j ACCEPT

iptables -A FORWARD -i enp1s0 -o enp3s2 -j ACCEPT

iptables -t nat -A POSTROUTING -o enp3s2 -s 10.86.0.0/24 -j MASQUERADE

iptables -A FORWARD -i enp3s2 -m state --state ESTABLISHED, RELATED -j ACCEPT

iptables -A FORWARD -i enp3s2 -o enp1s0 -j REJECT

iptables -t nat -A PREROUTING -i enp1s0 ! -d 10.86.0.0/24 -p tcp -m multiport --dport 80,8080 -j DNAT --to 192.168.2.1:3128

log
2016/09/20 16:22:56 kid1| Adaptation support is off.
2016/09/20 16:22:56 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 17 flags=41
2016/09/20 16:22:56 kid1| Done reading /var/spool/squid swaplog (0 entries)
2016/09/20 16:22:56 kid1| Store rebuilding is 0.00% complete
2016/09/20 16:22:56 kid1| Finished rebuilding storage from disk.
2016/09/20 16:22:56 kid1|         0 Entries scanned
2016/09/20 16:22:56 kid1|         0 Invalid entries.
2016/09/20 16:22:56 kid1|         0 With invalid flags.
2016/09/20 16:22:56 kid1|         0 Objects loaded.
2016/09/20 16:22:56 kid1|         0 Objects expired.
2016/09/20 16:22:56 kid1|         0 Objects cancelled.
2016/09/20 16:22:56 kid1|         0 Duplicate URLs purged.
2016/09/20 16:22:56 kid1|         0 Swapfile clashes avoided.
2016/09/20 16:22:56 kid1|   Took 0.06 seconds (  0.00 objects/sec).
2016/09/20 16:22:56 kid1| Beginning Validation Procedure
2016/09/20 16:22:56| pinger: Initialising ICMP pinger ...
2016/09/20 16:22:56| pinger: ICMP socket opened.
2016/09/20 16:22:56| pinger: ICMPv6 socket opened
2016/09/20 16:22:56 kid1|   Completed Validation Procedure
2016/09/20 16:22:56 kid1|   Validated 0 Entries
2016/09/20 16:22:56 kid1|   store_swap_size = 0.00 KB
2016/09/20 16:22:56 kid1| ERROR: No forward-proxy ports configured.
2016/09/20 16:22:57 kid1| storeLateRelease: released 0 objects
2016/09/20 16:32:52 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57805 FD 12 flags$
2016/09/20 16:32:52 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5780$
2016/09/20 16:32:52 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57807 FD 12 flags$
2016/09/20 16:32:52 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5780$
2016/09/20 16:32:52 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57809 FD 12 flags$
2016/09/20 16:32:52 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5780$
2016/09/20 16:32:52 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57811 FD 12 flags$
2016/09/20 16:32:52 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5781$
2016/09/20 16:33:12 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57880 FD 12 flags$
2016/09/20 16:33:12 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5788$
2016/09/20 16:33:12 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57879 FD 12 flags$
2016/09/20 16:33:12 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5787$
2016/09/20 16:33:12 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57882 FD 12 flags$
2016/09/20 16:33:12 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5788$
2016/09/20 16:33:12 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57884 FD 12 flags$
2016/09/20 16:33:12 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5788$
2016/09/20 16:33:17 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5788$
2016/09/20 16:33:23 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57888 FD 12 flags$
2016/09/20 16:33:23 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5788$
2016/09/20 16:33:38 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.86.0.18:3128 remote=10.86.0.24:57891 FD 12 flags=33$
2016/09/20 16:33:38 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.86.0.18:3128 remote=10.86.0.24:57891 F$
2016/09/20 16:33:38 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.86.0.18:3128 remote=10.86.0.24:57892 FD 12 flags=33$
2016/09/20 16:33:38 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.86.0.18:3128 remote=10.86.0.24:57892 F$
2016/09/20 16:33:38 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.86.0.18:3128 remote=10.86.0.24:57894 FD 12 flags=33$
2016/09/20 16:33:38 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.86.0.18:3128 remote=10.86.0.24:57894 F$
2016/09/20 16:33:39 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.86.0.18:3128 remote=10.86.0.24:57896 FD 12 flags=33$
2016/09/20 16:33:39 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.86.0.18:3128 remote=10.86.0.24:57896 F$
2016/09/20 16:33:44 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.86.0.18:3128 remote=10.86.0.24:57900 FD 12 flags=33$
2016/09/20 16:33:44 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.86.0.18:3128 remote=10.86.0.24:57900 F$
2016/09/20 16:36:23 kid1| Preparing for shutdown after 0 requests
2016/09/20 16:36:23 kid1| Waiting 30 seconds for active connections to finish
2016/09/20 16:36:23 kid1| Closing HTTP port [::]:3128
2016/09/20 16:36:23 kid1| Closing HTTP port 192.168.2.1:3128
2016/09/20 16:36:23 kid1| Closing Pinger socket on FD 20
2016/09/20 16:36:37| Pinger exiting.
2016/09/20 16:36:54 kid1| Shutdown: NTLM authentication.
2016/09/20 16:36:54 kid1| Shutdown: Negotiate authentication.
2016/09/20 16:36:54 kid1| Shutdown: Digest authentication.
2016/09/20 16:36:54 kid1| Shutdown: Basic authentication.
2016/09/20 16:36:54 kid1| Shutting down...
2016/09/20 16:36:54 kid1| Closing unlinkd pipe on FD 14
2016/09/20 16:36:54 kid1| storeDirWriteCleanLogs: Starting...
2016/09/20 16:36:54 kid1|   Finished.  Wrote 0 entries.
2016/09/20 16:36:54 kid1|   Took 0.00 seconds (  0.00 entries/sec).
CPU Usage: 0.120 seconds = 0.056 user + 0.064 sys
Maximum Resident Size: 108768 KB
Page faults with physical i/o: 1
2016/09/20 16:36:54 kid1| Logfile: closing log daemon:/var/log/squid/access.log
2016/09/20 16:36:54 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
2016/09/20 16:36:54 kid1| Open FD UNSTARTED     6 DNS Socket IPv6
2016/09/20 16:36:54 kid1| Open FD UNSTARTED     8 DNS Socket IPv4
2016/09/20 16:36:54 kid1| Open FD UNSTARTED     9 IPC UNIX STREAM Parent
2016/09/20 16:36:54 kid1| Squid Cache (Version 3.5.12): Exiting normally.

At the time of setup, the equipment is placed as follows:
[image: af9b625cd5f84e00b2a8ffcd89c4d231.bmp]
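Two things in the posted squid.conf explain the errors in the log, independently of the routing problem discussed in the answers. Both http_port lines are intercept ports (transparent is only the old spelling of intercept), so Squid has no plain forward-proxy port, which is the "ERROR: No forward-proxy ports configured" line. And every "NF getsockopt(ORIGINAL_DST) failed" / "NAT/TPROXY lookup failed" pair is a connection that arrived at 192.168.2.1:3128 or 10.86.0.18:3128 directly (remote=192.168.2.24 and 10.86.0.24), not through a netfilter redirect: an intercept port asks conntrack for the original destination, and a client that was pointed at port 3128 by hand has none. Separately, localnet does not include the LAN (192.168.2.0/24), there is no http_access allow localnet at all, so even a correctly redirected client would hit deny all, and the directive is forwarded_for, not forwarded for. The following is an added example of a squid.conf written for the topology in the post, not the asker's file; Squid 3.5 is taken from the log, the LAN interface address from the interfaces file, and the intercept port number 3129 is my choice (any free port distinct from the forward-proxy port works).

```conf
# Squid 3.5 intercept setup for the topology in the post (added example).
# Clients are the LAN behind enp1s0: 192.168.2.0/24, gateway 192.168.2.1.
acl localnet src 192.168.2.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Without this line every LAN client ends at "deny all" with a 403.
http_access allow localnet
http_access allow localhost
http_access deny all

# Forward-proxy port: for clients that configure a proxy explicitly and for
# Squid's own internal requests. Bound to the LAN and loopback addresses only,
# so nothing on the 10.86.0.0/24 side (10.86.0.24 in the log) can reach it.
http_port 192.168.2.1:3128
http_port 127.0.0.1:3128

# Intercept port (3129 is an assumption): reached only through the netfilter
# REDIRECT rule on enp1s0. A direct connection here has no conntrack NAT entry
# and produces exactly the "NAT/TPROXY lookup failed" errors in cache.log.
http_port 192.168.2.1:3129 intercept

cache_mem 1024 MB
maximum_object_size_in_memory 512 KB
maximum_object_size 4 MB
cache_dir ufs /var/spool/squid 2048 16 256

# Header anonymisation: the directive is forwarded_for, with an underscore.
via off
forwarded_for delete
```

Run `squid -k parse` before reloading. Keeping the intercept port separate and unreachable except via the redirect is also a security measure, not only a tidiness one: for intercepted requests Squid compares the Host header against the original destination taken from conntrack and refuses to relay a request whose Host does not match it (the "Host header forgery" alerts in cache.log); that check is what stops an intercept port being used as an open relay, and it only works when every connection on that port really did come through NAT.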


2 answers
Alexander Slyzhuk, 2016-09-23
@SLYzhuk

# WAN Interface
auto enp3s2
iface enp3s2 inet static
address 10.86.0.18
netmask 255.255.255.0
gateway 192.168.0.1
# LAN Interface
auto enp1s0
iface enp1s0 inet static
address 192.168.2.1
netmask 255.255.255.0

for enp3s2 the gateway should be 10.86.0.1,
and for enp1s0 the gateway should be 10.86.0.18

athacker, 2016-09-23
@athacker

The traffic from clients arrives on this machine? :-)
That's right, the comrade above noticed - you have the default gateway specified in the settings - from a different subnet. This is a joint. It may or may not be related to your problem. Those. on this machine with a squid - the Internet will not work. Although in Windows such a chip rolls in some specific conditions, I'm not sure about Linux. It definitely doesn’t roll on the fre.
