StanHD
@StanHD
IT

How do I configure squid?

I'm trying to set up a transparent proxy. I read some guides and seem to have configured it, but it doesn't work; the interfaces respond to ping. Please help with the configuration. I'm attaching the squid settings, the operation log, and the interface settings.
squid.conf
#Allow access from our own network
acl localnet src 10.86.0.0/24
acl localnet src 192.168.0.0/24


#Access rule set
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# HTTP access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all

# Server port and IP address
http_port 3128 intercept
http_port 192.168.2.1:3128 transparent

# Allowed amount of RAM
cache_mem 1024 MB

# Maximum and minimum size of a cached file
maximum_object_size_in_memory 512 KB
maximum_object_size 4 MB

# Cache directory and size
cache_dir ufs /var/spool/squid 2048 16 256

# Make the proxy anonymous
via off
forwarded for delete

interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# WAN Interface
auto enp3s2
iface enp3s2 inet static
         address 10.86.0.18
         netmask 255.255.255.0
         gateway 192.168.0.1

# LAN Interface
auto enp1s0
iface enp1s0 inet static
         address 192.168.2.1
         netmask 255.255.255.0

post -up /etc/nat


nat
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -i lo -j ACCEPT

iptables -A FORWARD -i enp1s0 -o enp3s2 -j ACCEPT

iptables -t nat -A POSTROUTING -o enp3s2 -s 10.86.0.0/24 -j MASQUERADE

iptables -A FORWARD -i enp3s2 -m state --state ESTABLISHED, RELATED -j ACCEPT

iptables -A FORWARD -i enp3s2 -o enp1s0 -j REJECT

iptables -t nat -A PREROUTING -i enp1s0 ! -d 10.86.0.0/24 -p tcp -m multiport --dport 80,8080 -j DNAT --to 192.168.2.1:3128


log
2016/09/20 16:22:56 kid1| Adaptation support is off.
2016/09/20 16:22:56 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 17 flags=41
2016/09/20 16:22:56 kid1| Done reading /var/spool/squid swaplog (0 entries)
2016/09/20 16:22:56 kid1| Store rebuilding is 0.00% complete
2016/09/20 16:22:56 kid1| Finished rebuilding storage from disk.
2016/09/20 16:22:56 kid1|         0 Entries scanned
2016/09/20 16:22:56 kid1|         0 Invalid entries.
2016/09/20 16:22:56 kid1|         0 With invalid flags.
2016/09/20 16:22:56 kid1|         0 Objects loaded.
2016/09/20 16:22:56 kid1|         0 Objects expired.
2016/09/20 16:22:56 kid1|         0 Objects cancelled.
2016/09/20 16:22:56 kid1|         0 Duplicate URLs purged.
2016/09/20 16:22:56 kid1|         0 Swapfile clashes avoided.
2016/09/20 16:22:56 kid1|   Took 0.06 seconds (  0.00 objects/sec).
2016/09/20 16:22:56 kid1| Beginning Validation Procedure
2016/09/20 16:22:56| pinger: Initialising ICMP pinger ...
2016/09/20 16:22:56| pinger: ICMP socket opened.
2016/09/20 16:22:56| pinger: ICMPv6 socket opened
2016/09/20 16:22:56 kid1|   Completed Validation Procedure
2016/09/20 16:22:56 kid1|   Validated 0 Entries
2016/09/20 16:22:56 kid1|   store_swap_size = 0.00 KB
2016/09/20 16:22:56 kid1| ERROR: No forward-proxy ports configured.
2016/09/20 16:22:57 kid1| storeLateRelease: released 0 objects
2016/09/20 16:32:52 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57805 FD 12 flags$
2016/09/20 16:32:52 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5780$
2016/09/20 16:32:52 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57807 FD 12 flags$
2016/09/20 16:32:52 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5780$
2016/09/20 16:32:52 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57809 FD 12 flags$
2016/09/20 16:32:52 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5780$
2016/09/20 16:32:52 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57811 FD 12 flags$
2016/09/20 16:32:52 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5781$
2016/09/20 16:33:12 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57880 FD 12 flags$
2016/09/20 16:33:12 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5788$
2016/09/20 16:33:12 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57879 FD 12 flags$
2016/09/20 16:33:12 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5787$
2016/09/20 16:33:12 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57882 FD 12 flags$
2016/09/20 16:33:12 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5788$
2016/09/20 16:33:12 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57884 FD 12 flags$
2016/09/20 16:33:12 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5788$
2016/09/20 16:33:17 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5788$
2016/09/20 16:33:23 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.2.1:3128 remote=192.168.2.24:57888 FD 12 flags$
2016/09/20 16:33:23 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.1:3128 remote=192.168.2.24:5788$
2016/09/20 16:33:38 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.86.0.18:3128 remote=10.86.0.24:57891 FD 12 flags=33$
2016/09/20 16:33:38 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.86.0.18:3128 remote=10.86.0.24:57891 F$
2016/09/20 16:33:38 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.86.0.18:3128 remote=10.86.0.24:57892 FD 12 flags=33$
2016/09/20 16:33:38 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.86.0.18:3128 remote=10.86.0.24:57892 F$
2016/09/20 16:33:38 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.86.0.18:3128 remote=10.86.0.24:57894 FD 12 flags=33$
2016/09/20 16:33:38 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.86.0.18:3128 remote=10.86.0.24:57894 F$
2016/09/20 16:33:39 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.86.0.18:3128 remote=10.86.0.24:57896 FD 12 flags=33$
2016/09/20 16:33:39 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.86.0.18:3128 remote=10.86.0.24:57896 F$
2016/09/20 16:33:44 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.86.0.18:3128 remote=10.86.0.24:57900 FD 12 flags=33$
2016/09/20 16:33:44 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.86.0.18:3128 remote=10.86.0.24:57900 F$
2016/09/20 16:36:23 kid1| Preparing for shutdown after 0 requests
2016/09/20 16:36:23 kid1| Waiting 30 seconds for active connections to finish
2016/09/20 16:36:23 kid1| Closing HTTP port [::]:3128
2016/09/20 16:36:23 kid1| Closing HTTP port 192.168.2.1:3128
2016/09/20 16:36:23 kid1| Closing Pinger socket on FD 20
2016/09/20 16:36:37| Pinger exiting.
2016/09/20 16:36:54 kid1| Shutdown: NTLM authentication.
2016/09/20 16:36:54 kid1| Shutdown: Negotiate authentication.
2016/09/20 16:36:54 kid1| Shutdown: Digest authentication.
2016/09/20 16:36:54 kid1| Shutdown: Basic authentication.
2016/09/20 16:36:54 kid1| Shutting down...
2016/09/20 16:36:54 kid1| Closing unlinkd pipe on FD 14
2016/09/20 16:36:54 kid1| storeDirWriteCleanLogs: Starting...
2016/09/20 16:36:54 kid1|   Finished.  Wrote 0 entries.
2016/09/20 16:36:54 kid1|   Took 0.00 seconds (  0.00 entries/sec).
CPU Usage: 0.120 seconds = 0.056 user + 0.064 sys
Maximum Resident Size: 108768 KB
Page faults with physical i/o: 1
2016/09/20 16:36:54 kid1| Logfile: closing log daemon:/var/log/squid/access.log
2016/09/20 16:36:54 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
2016/09/20 16:36:54 kid1| Open FD UNSTARTED     6 DNS Socket IPv6
2016/09/20 16:36:54 kid1| Open FD UNSTARTED     8 DNS Socket IPv4
2016/09/20 16:36:54 kid1| Open FD UNSTARTED     9 IPC UNIX STREAM Parent
2016/09/20 16:36:54 kid1| Squid Cache (Version 3.5.12): Exiting normally.


At the time of setup, the equipment is arranged as follows:
af9b625cd5f84e00b2a8ffcd89c4d231.bmp
Answers to the question: 2
# WAN Interface
auto enp3s2
iface enp3s2 inet static
address 10.86.0.18
netmask 255.255.255.0
gateway 192.168.0.1

# LAN Interface
auto enp1s0
iface enp1s0 inet static
address 192.168.2.1
netmask 255.255.255.0

for enp3s2 the gateway should be 10.86.0.1
and for enp1s0 the gateway should be 10.86.0.18
athacker
@athacker
Is the traffic from the clients actually arriving at this machine? :-)

The colleague above noted it correctly: the default gateway specified in your settings is from a different subnet. That is a mistake. It may not be related to your problem, or it may be. That is, on this machine with squid the internet will not work. On Windows this trick does work under some specific conditions, but I'm not sure about Linux. On FreeBSD it definitely does not work.
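The check both answers make by eye (is the default gateway inside the interface's own subnet?), as an added example that is not part of the original thread: it parses `inet static` stanzas in the /etc/network/interfaces format and reports gateways that are off-link. The sample text is the two stanzas quoted from the question; the function names are hypothetical.

```python
import ipaddress

# Sample input: the two static stanzas as posted in the question.
SAMPLE = """\
auto enp3s2
iface enp3s2 inet static
         address 10.86.0.18
         netmask 255.255.255.0
         gateway 192.168.0.1

auto enp1s0
iface enp1s0 inet static
         address 192.168.2.1
         netmask 255.255.255.0
"""

def parse_static_ifaces(text):
    """Return {iface: {option: value}} for every 'inet static' stanza."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            # Stanza header: iface <name> <family> <method>
            current = None
            if len(words) >= 4 and words[2] == "inet" and words[3] == "static":
                current = ifaces.setdefault(words[1], {})
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None  # these keywords end the current stanza
        elif current is not None and len(words) >= 2:
            current[words[0]] = words[1]
    return ifaces

def unreachable_gateways(text):
    """List (iface, gateway, network) where the gateway is outside the subnet."""
    problems = []
    for name, opts in parse_static_ifaces(text).items():
        if "gateway" not in opts or "address" not in opts:
            continue
        addr = opts["address"]
        if "/" not in addr:  # address given without a prefix: use the netmask option
            addr += "/" + opts.get("netmask", "32")
        net = ipaddress.ip_interface(addr).network
        if ipaddress.ip_address(opts["gateway"]) not in net:
            problems.append((name, opts["gateway"], str(net)))
    return problems

if __name__ == "__main__":
    for iface, gw, net in unreachable_gateways(SAMPLE):
        print(f"{iface}: gateway {gw} is outside {net}")
```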