客户端无法通过 Squeeze 网关访问某些 HTTPS

tag-icon tag-icon iptables firewall https squid debian-squeeze
客户端无法通过 Squeeze 网关访问某些 HTTPS

我在带有 2 个 NIC 的 Squeeze 盒子上设置了一个网关(+防火墙+代理)。问题是客户端无法看到某些 HTTPS(例如,它们可以访问https://mail.google.com但不是https://github.com)但是当我在服务器上尝试使用 curl 或 wget 时没有任何问题。

这是我的“route -n”结果

Destination             Gateway         Genmask         Flags Metric Ref    Use  Iface
vpn.server.ip.addr   0.0.0.0         255.255.255.255    UH    0      0        0      eth0
virtual.vpn.ip.addr  0.0.0.0         255.255.255.255    UH    0      0        0      ppp0
192.168.250.0        0.0.0.0         255.255.255.252    U     0      0        0      eth0
192.168.1.0          0.0.0.0         255.255.255.0      U     0      0        0      eth1
0.0.0.0              0.0.0.0         0.0.0.0            U     0      0        0      ppp0

这是我的防火墙

SQUID_SERVER="192.168.1.14"

# Interface connected to Internet
INTERNET="ppp0"
# Interface connected to LAN
LAN_IN="eth1"

# Squid port
SQUID_PORT="3128"
SIP1="5060"
SIP2="5061"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -i $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p udp --dport $SIP1 -j ACCEPT
iptables -A INPUT -p udp --dport $SIP2 -j ACCEPT
iptables -A INPUT -p tcp --dport $SIP1 -j ACCEPT
iptables -A INPUT -p tcp --dport $SIP2 -j ACCEPT

这是我的 squid.conf

http_port 3128 transparent

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl NO-CACHE-SITES dstdomain "/root/not-to-cache-sites.txt"
no_cache deny NO-CACHE-SITES

cache_mem 50 MB

cache_dir ufs /var/spool/squid 50000 16 256 
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid

dns_nameservers 208.67.222.222 208.67.220.220 8.8.8.8 8.8.4.4

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object
acl serveur src 192.168.1.14

acl multipostes src 192.168.1.1-192.168.1.254

#acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 20 # ftp-data
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # ssl
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT

acl purge method PURGE
acl CONNECT method CONNECT
acl SSL method CONNECT

acl SSL_ports port 10000 # webmin
acl Safe_ports port 10000 # webmin
acl Safe_ports port 137 138 139 445
acl Safe_ports port 500
acl Safe_ports port 47
acl Safe_ports port 4569

acl Safe_ports port 995         # pop3 of gmail
acl Safe_ports port 587         # smtp of gmail
acl Safe_ports port 465         # smtp of gmail
acl Safe_ports port 993         # smtp of gmail
acl Safe_ports port 25          # smtp
acl Safe_ports port 110         # pop3
acl Safe_ports port 143         # pop3

http_access allow manager all
http_access deny manager
http_access allow purge localhost
http_access deny purge

http_access deny CONNECT !SSL_ports
http_access allow localhost

http_access allow all

http_reply_access allow all

icp_access allow all

cache_effective_user proxy
cache_effective_group proxy

visible_hostname serveur

always_direct allow all

笔记:我用Wireshark检查过,没有错误。我也尝试过不使用VPN直接连接,一切正常。

相关内容