# Totally messed up with squid3 as transparent proxy



## poscaman (Jan 21, 2007)

Hi there.

I'm trying to set up squid3 as a transparent proxy for my home gateway.It uses eth0 (192.168.1.100) for the external network and eth1 (172.16.0.1) for the internal.So far,after spending the whole day googling and trying various parameters in the squid3.conf i've ended up to this 

/etc/squid3/squid.conf 


```
http_port 172.16.0.1:3128 transparent
cache_mgr [email protected]
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563      # https, snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager 
http_access allow purge localhost 
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl lan src 172.16.0.0/24
http_access allow localhost 
http_access allow lan
http_access deny all
http_reply_access allow all 
icp_access allow all
visible_hostname Router
always_direct allow all
coredump_dir /var/spool/squid 800 16 256
```
although the config files seems to be ok,an squid3 goes on,i mention that port 3128 is not open 

```
nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-10-12 22:07 EEST
Interesting ports on localhost (127.0.0.1):
Not shown: 1677 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
113/tcp open  auth
```
also browser responds


```
Proxy Server Refused Connection
```
could u pls take a look at my squid.conf?what is the real problem?

thanks a lot.
Dimitris


----------



## lensman3 (Oct 19, 2007)

Try running the following where <HOSTNAME> is the hostname returned when you are logged onto the Internet through your provider. You get the hostname by running the command "hostname". That name should be the same interface that squid 3 is hooked up to.

nmap -v -A <HOSTNAME>

You should see the real open ports. 127.0.0.1 is not the same interface as a modem or ethernet.

Does the file "/var/log/squid/access.log" have any hints?

I would try setting this up without your firewall running. That way squid can be installed without the port dropping that a firewall can cause. After squid is running you will want to then debug the firewall.

The browser saying that Proxy refused could be a firewall error.


----------



## poscaman (Jan 21, 2007)

i changed deny all to allow all. now squid.conf look like this and works fine


```
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
http_access allow localhost
http_access allow all
http_reply_access allow all
icp_access allow all
visible_hostname Router
http_port 172.16.0.1:3128 transparent
#http_port 127.0.0.1:3128 transparent
coredump_dir /var/spool/squid 700 16 256
cache_mgr ****@gmail.com
access_log /var/log/squid/access.log squid
```
also i have these iptables

```
iptables -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE 
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
```
and now the question.i also want to set up dansguardian.should i uncomment the line (@squid.conf) http_port 127.0.0.1:3128???

should squid.conf have this line?

thanks in advance


----------

