SOLVED Can anyone help me with squid?

[Stratus_ss]

So I have been playing around with squid all day and I haven't been able to get the internet caching, or squid in general work properly

I can surf the internet if I am not using a proxy setting in my browser and since the traffic was going through the squid box, I (falsely?) assumed that it was caching the traffic but I have not seen the folders grow at all.

I am sure its just something I have missed


here is the squid.conf file with the comments removed

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.56.0/24
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost

http_access deny all



icp_access allow localnet
icp_access deny all

http_port 3128


hierarchy_stoplist cgi-bin ?



cache_mem 200 MB


cache_dir ufs /squid 48000 16 256


access_log /var/log/squid/access.log squid

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern (Release|Packages(.gz)*)$	0	20%	2880
refresh_pattern .		0	20%	4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

hosts_file /etc/hosts

coredump_dir /var/spool/squid

acl internal_network src 192.168.56.0/24
http_access allow internal_network

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

maximum_object_size 300 MB
cache_replacement_policy head LFUDA

refresh_all_ims on

and my iptables

#!/bin/sh
#


echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"



IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network 
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.

EXTIF="eth1"
INTIF="eth2"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

EXTIP="your external IP address"
echo "   External IP:  $EXTIP"

echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"
#  - Loaded automatically when the "iptables" command is invoked 
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables

#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#
#  - Loaded manually to clean up kernel auto-loading timing issues 
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat


echo "----------------------------------------------------------------------"

echo -e "   Done loading modules.\n"

echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, 
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
#echo "   Enabling DynamicAddr.."
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr 


#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
#    The default for FORWARD is DROP (REJECT is not a valid policy)
#

echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP


echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-iptables v$FWVER done.\n"

and the dhcp.conf

subnet 192.168.56.0 netmask 255.255.255.0 {
	range 192.168.56.10 192.168.56.250;
    default-lease-time 518400;
    max-lease-time 618400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.99.255;
    option routers 192.168.56.102;
    option domain-name-servers 192.168.56.102;
    option domain-name "stratus-sphere.com";
    option time-offset  -18000;
    option ntp-servers 192.168.56.102;

    host livecd {
    hardware ethernet 08:00:27:74:65:78;
    fixed-address 192.168.56.99;
    }

}

There isnt really anything particular about the named stuff, just forwarders to internet dns from my ISP

If I add the host specifically to the squid.conf (http_access allow 192.168.56.99) and change FF settings I get "Firefox is configured to use a proxy that is refusing connections"

Running nmap shows that squid is listening on 3128 just as it is set in the proxy settings.

Anyone help?

 

[johan851]

I've played with squid a bit - I actually have a squid server running at home. Here's my working config:

redirect_program /usr/local/adzap/scripts/wrapzap
visible_hostname proxy
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 20
acl Safe_ports port 443         # https
acl Safe_ports port 210         # wais
acl Safe_ports port 2020        # local listening
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl LocalFirewall dstdomain 192.168.1.254
acl ads dstdom_regex -i "/usr/local/squid/etc/adlist.config"
http_access deny ads
http_access deny LocalFirewall
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 2020
hierarchy_stoplist cgi-bin ?
cache_mem 1024 MB
maximum_object_size_in_memory 128 KB
cache_dir ufs /usr/local/squid/var/cache 4096 16 256
maximum_object_size 16 MB
access_log /usr/local/squid/var/logs/access.log squid
debug_options ALL,1
url_rewrite_children 8
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
icp_port 3130
coredump_dir /usr/local/squid/var/cache

Are you missing an allow for HTTP access in localnet? Have you defined safe ports so that you're not denying all ports?

 

[Stratus_ss]

if I have it setup like this

Router ---- Squid --------- computer

Do I have to put the proxy information in the web browser? I would like to have a caching server but not alter the laptop's browser configuration if possible

 

[johan851]

You shouldn't have to if you have it configured that way. You'll need squid to listen on port 80 in your local network but have it talk to the router for internet needs. Then everything connecting over HTTP will talk to squid automatically. I think squid will also need to be configured as a DHCP server.

I have a different configuration, so I'm no help there. There should be lots of examples around the net of squid set up as a passthrough though.

 

[Stratus_ss]

Ya the problem is I am used to grabbing a book and understanding what is going on.

I am not having much understanding when it comes to squid. I will try rearranging some stuff (squid is already in front of the router) and see what I can produce. Your configure may help guide me in the right direction

 

[johan851]

To start out with, you could get rid of any "deny" statements in the config. That would help you get things running and make sure they're not blocking you from accessing the proxy. Once you have it going you could add them back in one by one.

 

[Stratus_ss]

ok so I took your advice and remove the deny statements which worked, except that I still have to add the proxy info into the browser... it is the dhcp server and the dns server as well

 

[johan851]

Interesting. So you have to point the browser at whatever the DHCP gateway is, then? That seems odd...I would imagine that the computer would default to the DHCP/DNS server for the internet connection. Are you configuring the proxy to point at port 80 or some other port?

 

[Stratus_ss]

I found the problem.

http_port 3128

should be

http_port 3128 transparent

So I have a basic squid caching server.

Next step is to cache updates etc and then put my network in the following order

Router/FW ---> squid --> Wireless router ---> gigabit switch

but that will have to wait for the wife to leave.... she gets testy when I mess with the internet

 

[kaltag]

I've got a transparent squid cache running here which is what I believe you want. What you need to do is add an iptables rule to intercept outbound port 80 traffic from the lan and redirect it to 3128, your squid proxy port.

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.1.253:3128

You'll need to change your interface and IPs accordingly but I think you get the idea. After this you won't need to configure the browsers.

 

[johan851]

Awesome!

 

[kaltag]

Ha, you just beat me

 

[Stratus_ss]

I've got a transparent squid cache running here which is what I believe you want. What you need to do is add an iptables rule to intercept outbound port 80 traffic from the lan and redirect it to 3128, your squid proxy port.

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.1.253:3128

You'll need to change your interface and IPs accordingly but I think you get the idea. After this you won't need to configure the browsers.

I implemented a new setup outside of a virtual environment which should have been the exact same but I cant seem to get it to work

I tried just your simply iptables rules and I get no dns resolution that way so lets start over

Squid IP's: 192.168.99.253 (internal), 192.168.10.253 (external)

Setup looks like this

Router (dns/dhcp turnedoff)
|
Eth0(10.0)
Squid
Eth1 (99.0)
|
wireless router (again dns, dhcp off)
|
clients


Squid .conf

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl purge method PURGE
acl CONNECT method CONNECT

#localnet is our LAN internal network
acl localnet src 192.168.99.0/24

#56.0 is virtualbox's local-only ip
acl internal_network src 192.168.10.0/24

http_access allow manager localhost
http_access allow purge localhost
http_access allow localhost

#DONT forget to allow the localnet access to http!!!
http_access allow localnet
http_access allow internal_network

#Since we havemultiple nic's for squid, we specify which IP it should listen on
http_port 192.168.99.253:3128 transparent

#Set the amount of RAM squid can use
cache_mem 600 MB

#Set the max object size in memory
maximum_object_size_in_memory 1 MB

#Set the cache directory to just under 48 GB and 32 folders with 512 sub directories
cache_dir aufs /squid 48000 32 512

#we want to tell squid to use an algorithm to optimize performance
store_dir_select_algorithm least-load

#Set the cache size limits
maximum_object_size 300 MB

#Set the cache swapping. Once the space used exceeds teh cache_swap_low value, squid starts deleting files
#It excellerates the deletion process when it crosses the cache_swap_high value

cache_swap_low 96
cache_swap_high 98

#Here we set the policy for keeping files in cache. LRU (least recently used) and LFUDA (least frequently
# used with dynamic aging)

memory_replacement_policy lru
cache_replacement_policy heap LFUDA

#Cache DNS

positive_dns_ttl 48 hours
negative_dns_ttl 30 seconds

ipcache_low 95
ipcache_high 97
ipcache_size 15000
fqdncache_size 10000

access_log /var/log/squid/access.log squid

hosts_file /etc/hosts

coredump_dir /var/spool/squid

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

refresh_all_ims on

Now if I set iptables to forward packets, I get internet fine on the clients (this is being typed from a client)

However if I remove the rules and try my previous script, or the iptables quoted here, as well as the following I get nothing

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.99.253:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -j MASQUERADE

The squid machine itself has internet so I know its not a connectivity.

I am 99.9% sure its a problem with iptables. Anyone help?

 

[Stratus_ss]

and of course if i put the information into my browser, caching works...

 

[kaltag]

I'm not sure if it's a mater of semantics but here is my iptables rule for squid which is currently working.

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.1.253:3128

You have a redirect and dnat rule in there it looks like. Can you try with just the one rule?

 

[Stratus_ss]

Hi Kaltag,

I actually quoted you to begin the post. I tried only your rule but that didn't work. Something seems to have changed a bit after I took it out of the virtual lab. I erased the iptables config, and just put in your line (obviously changing the eth port) with no luck... been banging my head against the wall

 

[kaltag]

Sorry, The quote didn't register in my head I guess . Here is my complete squid.conf for reference if it helps.

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# newer Squid's don't need "all", it's built in:
acl all src 0.0.0.0/0.0.0.0

# 1000MB max cache size (default is 100MB):
cache_dir ufs /tmp/squid 256 16 256

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl lan src 192.168.1.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname calculon
always_direct allow all
coredump_dir /var/spool/squid

EDIT: I also just noticed "wireless router" in your topology. Is the wireless NATing clients behind it? Could be something goofy there?

EDIT 2: Also noticed

acl internal_network src 192.168.10.0/24

If I am understanding your layout shouldn't that be 192.168.99.0/24?

EDIT 3: You mentioned you removed your previous rules. You will still need the masquerade rule to allow packet forwarding otherwise DNS resolution won't work.

 

[Stratus_ss]

Thought I would post a follow-up.

My problem was two fold. First and foremost it was related to bind.
Even though my router is doing the outside DNS (i.e. yahoo.ca is resolved by the router), bind needed to be enabled on the squid server.

This to me makes little sense since the resolv.conf looked like

domain stratus-sphere.com
search stratus-sphere.com
nameserver 192.168.10.x

I started playing with bind and resolv.conf and with bind on and with the above conf it worked (with the iptables posted below). With bind off it did not work.

Below is a similar iptables setup which is close to what I used

#!/bin/sh

# ------------------------------------------------------------------------------------


# (c) 2006, nixCraft under GNU/GPL v2.0+

# -------------------------------------------------------------------------------------

# squid server IP

SQUID_SERVER="192.168.0.1"

# Interface connected to Internet

INTERNET="eth1"

# Interface connected to LAN

LAN_IN="eth0"

PRV_LAN_IN="eth0:0"

# Squid port

SQUID_PORT="3128"

 

#  public Server IP

SERVER_IP="192.168.20.3"

 

# DO NOT MODIFY BELOW

# Clean old firewall

iptables -F

iptables -X

iptables -t nat -F

iptables -t nat -X

iptables -t mangle -F

iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support

modprobe ip_conntrack

modprobe ip_conntrack_ftp

# For win xp ftp client

#modprobe ip_nat_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

# Unlimited access to loop back

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP

iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN

iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE

# Allow forward traffic from eth0:0 to eth0

#iptables --append POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE

iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

iptables --append FORWARD --in-interface $PRV_LAN_IN -j ACCEPT

 

 

 

# unlimited access to LAN

iptables -A INPUT -i $LAN_IN -j ACCEPT

iptables -A OUTPUT -o $LAN_IN -j ACCEPT

iptables -A INPUT -i $PRV_LAN_IN -j ACCEPT

iptables -A OUTPUT -o $PRV_LAN_IN -j ACCEPT

 

# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy

iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system

#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

#Add in rule to allow ssh through

iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

#Add in rule to allow web through

iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 80 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

#Add in rule to allow pptp through

iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 1723 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

 

# DROP everything and Log it

#iptables -A INPUT -j LOG

iptables -A INPUT -j DROP

I am having a few bugs still, for example pages that are already cached before (facebook, google etc) all load very quickly even with dynamic entries (i.e. doing a search never done or loading a facebook app). However if I attempt to surf to a page that is not cached it seems to sit and sit and sit. Also interestingly enough, during one test I disconnected the ethernet and plugged it back in, during the time that the computer was re-leasing its ip, the page which was sitting on "waiting for ncix.com..." actually loaded most of the way, which I found was wierd... so still some stuff to work through

 

[Stratus_ss]

I figured I should post a follow up for a working configuration.

Here is the squid.conf

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl purge method PURGE
acl CONNECT method CONNECT

acl SSL_ports port 443
acl CONNECT method CONNECT


#localnet is our LAN internal network
acl localnet src 192.168.99.0/24

#56.0 is virtualbox's local-only ip
acl internal_network src 192.168.10.0/24

http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access allow purge localhost
http_access allow localhost

#DONT forget to allow the localnet access to http!!!
http_access allow localnet
http_access allow internal_network

#Since we havemultiple nic's for squid, we specify which IP it should listen on
http_port 3128 transparent

#Set the amount of RAM squid can use
cache_mem 4600 MB

#Set the max object size in memory
maximum_object_size_in_memory 1 MB

#Set the cache directory to just under 48 GB and 32 folders with 512 sub directories
cache_dir aufs /squid 48000 32 512

#we want to tell squid to use an algorithm to optimize performance
store_dir_select_algorithm least-load

#Set the cache size limits
maximum_object_size 300 MB

#Set the cache swapping. Once the space used exceeds teh cache_swap_low value, squid starts deleting files
#It excellerates the deletion process when it crosses the cache_swap_high value

cache_swap_low 96
cache_swap_high 98

#Here we set the policy for keeping files in cache. LRU (least recently used) and LFUDA (least frequently
# used with dynamic aging)

memory_replacement_policy lru
cache_replacement_policy heap LFUDA

#Cache DNS

positive_dns_ttl 48 hours
negative_dns_ttl 30 seconds

ipcache_low 95
ipcache_high 97
ipcache_size 15000
fqdncache_size 10000

access_log /var/log/squid/access.log squid

hosts_file /etc/hosts

coredump_dir /var/spool/squid

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

refresh_all_ims on

My named.conf.options

options {
	directory "/var/cache/bind";

        // If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	 forwarders {
	 	192.168.10.1;
	 };

	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
};

And the iptables

#!/bin/sh

# ------------------------------------------------------------------------------------


# (c) 2006, nixCraft under GNU/GPL v2.0+

# -------------------------------------------------------------------------------------

# squid server IP

SQUID_SERVER="192.168.99.253"

# Interface connected to Internet

INTERNET="eth0"

# Interface connected to LAN

LAN_IN="eth1"

# Squid port

SQUID_PORT="3128"

#  public Server IP

SERVER_IP="192.168.10.1"

# Clean old firewall

iptables -F

iptables -X

iptables -t nat -F

iptables -t nat -X

iptables -t mangle -F

iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support

modprobe ip_conntrack

modprobe ip_conntrack_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

# Unlimited access to loop back

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP

iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN

iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE

# Allow forward traffic from eth0:0 to eth0

#iptables --append POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE

iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

iptables --append FORWARD --in-interface $PRV_LAN_IN -j ACCEPT

# unlimited access to LAN

iptables -A INPUT -i $LAN_IN -j ACCEPT

iptables -A OUTPUT -o $LAN_IN -j ACCEPT

iptables -A INPUT -i $PRV_LAN_IN -j ACCEPT

iptables -A OUTPUT -o $PRV_LAN_IN -j ACCEPT

# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy

iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

iptables -I INPUT -i lo -j ACCEPT

#Add in rule to allow ssh through

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A FORWARD -i $LAN_IN -p tcp --dport 443 -j ACCEPT

iptables -t nat -A POSTROUTING -o $INTERNET -j SNAT --to-source 192.168.99.253

iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

#Add in rule to allow web through

iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 80 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

#Add in rule to allow pptp through

iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 1723 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING -o $INTERNET -j SNAT --to-source 192.168.10.1

# DROP everything and Log it

#iptables -A INPUT -j LOG

iptables -A INPUT -j DROP

Big thanks to Stack Overflow for posting a follow up. The last post helped me get the ssl working with squid

 

[RJARRRPCGP]

http_access deny all

Needs to be changed to:

 http_access allow all

Or Squid will keep giving you "Access denied".