1

Topic: Squid on a separate machine. iptables.

Good day, friends.
Help me solve a problem. On the network there are two machines:
1. UbuntuServer14.04. On it NAT+DHCP+BIND. Works as the router.
2. UbuntuServer14.04. On it a non-transparent SQUID3.
Clients should go out to the Internet through the server with Squid.
As a result the request reaches Squid and passes authentication, but the page does not open and the browser shows the error ERR_CONNECTION_TIMEOUT.
As I understand it, iptables needs to be corrected. I have tried many rules and am already worn out. Please help me understand what goes where.
Is it necessary to configure iptables on the server with Squid as well?
The previous post:
http://forum.ubuntu.ru/index.php?topic=281904.0
Router config:
etc/nat:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j REJECT
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m multiport --dport 80,8080,443 -j DNAT --to 192.168.0.2:3128
iptables-save:
# Generated by iptables-save v1.4.21 on Thu Oct 27 09:15:07 2016
*nat
:PREROUTING ACCEPT [171:22491]
:INPUT ACCEPT [125:12695]
:OUTPUT ACCEPT [121:8169]
:POSTROUTING ACCEPT [147:9533]
-A PREROUTING ! -d 192.168.0.0/24 -i eth1 -p tcp -m multiport --dports 80,8080,443 -j DNAT --to-destination 192.168.0.2:3128
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 27 09:15:07 2016
# Generated by iptables-save v1.4.21 on Thu Oct 27 09:15:07 2016
*filter
:INPUT ACCEPT [760:104980]
:FORWARD ACCEPT [55:2952]
:OUTPUT ACCEPT [318:31480]
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Oct 27 09:15:07 2016
Squid config. squid.conf:
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#http_access allow localnet
http_access allow password
http_access allow localhost
http_access deny all
http_port 192.168.0.1:3128
cache_mem 1024 MB
maximum_object_size_in_memory 512 KB
cache_dir ufs /var/spool/squid3 2048 16 256
maximum_object_size 4 MB
access_log daemon:/var/log/squid3/access.log squid
logfile_rotate 31
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
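
Editor's note on the setup in this post, with an added example (not code from the post or from the Squid project). Two things in the posted configuration work against each other. First, the router DNATs LAN port 80/8080/443 traffic to the Squid host, but Squid's `http_port` has no `intercept` flag, and Squid recovers the original destination of intercepted connections from the NAT table of the host it runs on (SO_ORIGINAL_DST), so a DNAT done on a different box leaves it nothing to look up. Second, Squid documents that `intercept` disables authentication on that port, so `acl password proxy_auth REQUIRED` cannot be used on intercepted traffic, and port 443 cannot be intercepted into a plain `http_port` at all (that needs `https_port` with ssl-bump and a CA the clients trust). The post also DNATs to 192.168.0.2:3128 while `http_port` binds 192.168.0.1:3128. The usual way to run a transparent Squid on a separate box is therefore: on the router, steer LAN port-80 TCP to the proxy host with policy routing (fwmark plus a routing table), and on the proxy host do a local REDIRECT into `http_port 3128 intercept`. The script below does both roles; it assumes the router's WAN is eth0, its LAN is eth1 with address 192.168.0.1, the proxy is 192.168.0.2 with its LAN interface eth0, and the LAN is 192.168.0.0/24 (all overridable by environment variables). Port 443 is deliberately left on the normal route. With DRY_RUN=1 it prints the commands instead of applying them.

```shell
#!/bin/sh
# Steer LAN HTTP through a Squid intercept port on a separate host.
# Added example, not from the original post. Addressing below is assumed.
set -eu

WAN_IF="${WAN_IF:-eth0}"            # router: interface towards the Internet
LAN_IF="${LAN_IF:-eth1}"            # router: interface towards the LAN
PROXY_IF="${PROXY_IF:-eth0}"        # proxy host: its LAN interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PROXY_IP="${PROXY_IP:-192.168.0.2}"
PROXY_PORT="${PROXY_PORT:-3128}"    # must match: http_port 3128 intercept
MARK=3                              # fwmark selecting the proxy route
TABLE=100                           # routing table that points at the proxy

# run: print the command when DRY_RUN is set, otherwise execute it (needs root).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# router_rules: on the NAT/router box. No DNAT here; marked packets are routed
# to the proxy host unchanged, so the proxy host can do its own NAT lookup.
router_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # The next hop (proxy) is on the same subnet as the clients; stop the router
    # from sending ICMP redirects that would make clients bypass the policy route.
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w "net.ipv4.conf.$LAN_IF.send_redirects=0"
    # Never mark the proxy's own outbound fetches, or they would loop back to it.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$PROXY_IP" -j RETURN
    # Mark client TCP/80 traffic that leaves the LAN.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$LAN_NET" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # Marked packets use a table whose default gateway is the proxy host.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$PROXY_IP" dev "$LAN_IF" table "$TABLE"
    # Anti-bypass: only the proxy may reach the Internet on port 80 directly.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY_IP" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 -j REJECT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# proxy_rules: on the Squid host. The REDIRECT happens locally, which is what
# lets Squid's intercept port recover the original destination address.
proxy_rules() {
    run iptables -t nat -A PREROUTING -i "$PROXY_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # Nothing outside the LAN may talk to the intercept port.
    run iptables -A INPUT -p tcp --dport "$PROXY_PORT" ! -s "$LAN_NET" -j DROP
}

# Usage: DRY_RUN=1 sh proxy-steer.sh router   (review)
#        sudo sh proxy-steer.sh proxy          (apply on the Squid host)
case "${1:-}" in
    router) router_rules ;;
    proxy)  proxy_rules ;;
    *)      echo "usage: $0 router|proxy (set DRY_RUN=1 to print instead of apply)" >&2 ;;
esac
```

The script appends to the existing chains, so on the router the blanket `FORWARD -i eth1 -o eth0 -j REJECT` from the post would have to be dropped or placed after the proxy's ACCEPT, otherwise the proxy itself cannot fetch anything. On the Squid side the matching change is `http_port 3128 intercept` (or a second port, keeping 3128 as a normal forward-proxy port for clients that configure it explicitly) and an `http_access allow localnet` rule instead of `allow password`, since authentication is not available on intercepted connections. Clients keep their real source address all the way to Squid with this design, so `access.log` still shows who made each request, which a DNAT-plus-SNAT hairpin on the router would lose.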

2

Re: Squid on a separate machine. iptables.

Maks1
Thanks for the advice.

3

Re: Squid on a separate machine. iptables.

vet_fbi
2. UbuntuServer14.04. On it a non-transparent SQUID3.
[off] why not 16.04? [/off]