Package: squid
Version: 2.6.1-3
Severity: important

I have squid 2.6.1-3 set up as a transparent proxy and it is denying my tivo from getting through. From the access log:

1153942317.226 5 192.168.0.5 TCP_DENIED/403 1494 POST http://204.176.49.2:1/tivo-service/mercury.cgi - NONE/- text/html
1153943219.039 5 192.168.0.5 TCP_DENIED/403 1494 POST http://204.176.49.2:1/tivo-service/mercury.cgi - NONE/- text/html
1153944121.413 5 192.168.0.5 TCP_DENIED/403 1494 POST http://204.176.49.2:1/tivo-service/mercury.cgi - NONE/- text/html

Notice that there is now a :1 after the IP. I did a tcpdump at the same time and it was being sent to port 80:

15:02:01.338345 IP 192.168.0.5.1512 > 204.176.49.2.www: S 3703297763:3703297763(0) win 5840 <mss 1460,sackOK,timestamp 13281080 0,nop,wscale 0>
15:02:01.338941 arp who-has 192.168.0.5 tell qfe0
15:02:01.403229 arp reply 192.168.0.5 is-at 00:0d:88:68:15:85 (oui Unknown)
15:02:01.403301 IP 204.176.49.2.www > 192.168.0.5.1512: S 1879584306:1879584306(0) ack 3703297764 win 5792 <mss 1460,sackOK,timestamp 112914646 13281080,nop,wscale 2>
15:02:01.406828 IP 192.168.0.5.1512 > 204.176.49.2.www: . ack 1 win 5840 <nop,nop,timestamp 13281087 112914646>
15:02:01.410099 IP 192.168.0.5.1512 > 204.176.49.2.www: P 1:139(138) ack 1 win 5840 <nop,nop,timestamp 13281087 112914646>
15:02:01.410287 IP 204.176.49.2.www > 192.168.0.5.1512: . ack 139 win 1716 <nop,nop,timestamp 112914664 13281087>
15:02:01.413099 IP 204.176.49.2.www > 192.168.0.5.1512: . 1:1449(1448) ack 139 win 1716 <nop,nop,timestamp 112914665 13281087>
15:02:01.413223 IP 204.176.49.2.www > 192.168.0.5.1512: P 1449:1495(46) ack 139 win 1716 <nop,nop,timestamp 112914665 13281087>
15:02:01.418063 IP 192.168.0.5.1512 > 204.176.49.2.www: P 139:247(108) ack 1 win 5840 <nop,nop,timestamp 13281088 112914664>
15:02:01.419427 IP 204.176.49.2.www > 192.168.0.5.1512: F 1495:1495(0) ack 247 win 1716 <nop,nop,timestamp 112914667 13281088>
15:02:01.421103 IP 192.168.0.5.1512 > 204.176.49.2.www: . ack 1449 win 8688 <nop,nop,timestamp 13281089 112914665>
15:02:01.422990 IP 192.168.0.5.1512 > 204.176.49.2.www: . ack 1495 win 8688 <nop,nop,timestamp 13281089 112914665>
15:02:01.459512 IP 192.168.0.5.1512 > 204.176.49.2.www: . ack 1496 win 8688 <nop,nop,timestamp 13281093 112914667>
15:02:01.482410 IP 192.168.0.5.1512 > 204.176.49.2.www: F 247:247(0) ack 1496 win 8688 <nop,nop,timestamp 13281095 112914667>
15:02:01.482568 IP 204.176.49.2.www > 192.168.0.5.1512: . ack 248 win 1716 <nop,nop,timestamp 112914682 13281095>

This is the iptables rule I have for the redirect:

iptables -t nat -A PREROUTING -i 192.168.0.1 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is my squid.conf:

http_port 192.168.0.1:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr [EMAIL PROTECTED]
visible_hostname gateway.cader.biz
always_direct allow all
coredump_dir /var/spool/squid

Other clients are working for "normal" pages fine and squidGuard is working fine. I have tried to turn off squidGuard as well and it doesn't help.

I have tried a dst acl:

acl tivo dst 204.176.49.2
cache deny QUERY tivo

This didn't help. This setup worked fine with 2.5 (with the correct 2.5 config file).

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: sparc (sparc64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages squid depends on:
ii  adduser                3.87          Add and remove users and groups
ii  coreutils              5.96-5        The GNU core utilities
ii  debconf [debconf-2.0]  1.5.2         Debian configuration management sy
ii  libc6                  2.3.6-15      GNU C Library: Shared libraries
ii  libdb4.3               4.3.29-4.1    Berkeley v4.3 Database Libraries [
ii  libldap2               2.1.30-13+b1  OpenLDAP libraries
ii  libpam0g               0.79-3.1      Pluggable Authentication Modules l
ii  logrotate              3.7.1-3       Log rotation utility
ii  lsb-base               3.1-10        Linux Standard Base 3.1 init scrip
ii  netbase                4.25          Basic TCP/IP networking system
ii  squid-common           2.6.1-3       Internet Object Cache (WWW proxy c

squid recommends no packages.

-- debconf information:
  squid/fix_cachedir_perms: false
  squid/largefiles_warning:
  squid/http_anonymizer:
  squid/anonymize_headers:
  squid/authenticate_program:
* squid-cgi/cachemgr:
  squid/fix_lines: true
  squid/old_version: false
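
An added example, not part of the original report: a Python check that evaluates the URLs in Squid access-log lines against the Safe_ports list from the squid.conf above. It shows that a request logged with port 1 falls outside every listed port and therefore matches http_access deny !Safe_ports, which is evaluated before http_access allow our_networks. The first sample line is taken from the report; the other two are constructed, and all function names are illustrative.

```python
from urllib.parse import urlsplit

# Safe_ports entries exactly as listed in the squid.conf posted in the report.
SAFE_PORTS = ["80", "21", "443", "563", "70", "210", "1025-65535",
              "280", "488", "591", "777", "631", "873", "901"]
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}

def parse_ranges(specs):
    """Turn 'N' and 'LO-HI' port specs into (lo, hi) tuples."""
    ranges = []
    for spec in specs:
        lo, _, hi = spec.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def url_port(url):
    """Port a logged URL refers to; CONNECT entries are logged as host:port."""
    if "://" not in url:
        url = "//" + url
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)

def port_is_safe(port, ranges):
    return port is not None and any(lo <= port <= hi for lo, hi in ranges)

def denied_unsafe_port(log_lines, specs=SAFE_PORTS):
    """(client, url, port) for TCP_DENIED entries whose URL port is outside
    Safe_ports, i.e. requests that 'http_access deny !Safe_ports' matches."""
    ranges = parse_ranges(specs)
    hits = []
    for line in log_lines:
        f = line.split()  # native format: time elapsed client code/status bytes method URL ...
        if len(f) < 7 or not f[3].startswith("TCP_DENIED/"):
            continue
        port = url_port(f[6])
        if not port_is_safe(port, ranges):
            hits.append((f[2], f[6], port))
    return hits

SAMPLE = [
    # Taken from the report's access log:
    "1153942317.226 5 192.168.0.5 TCP_DENIED/403 1494 POST http://204.176.49.2:1/tivo-service/mercury.cgi - NONE/- text/html",
    # Constructed control lines (not from the report):
    "1153942400.000 3 192.168.0.7 TCP_DENIED/403 1400 GET http://192.0.2.10:8080/x - NONE/- text/html",
    "1153942401.000 80 192.168.0.7 TCP_MISS/200 5120 GET http://192.0.2.10/index.html - DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    for client, url, port in denied_unsafe_port(SAMPLE):
        print(f"{client} -> {url}: port {port} is not in Safe_ports")
```

A denied entry that this check does not flag, such as the constructed port 8080 line, was refused by some rule other than the Safe_ports one.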

