Firewall Problem

[zAm]

Hello Guys ,
I am having a problem with our internet cable network. we'r using Linux Redhat Fedora Core 3 as a gateway with Squid Proxy Server & IPtables firewall & other 2 servers , one is ISA Server for Browsing & the another one is for socks . the problem is that linux is forwarding all the SSL sites to our socks server that we don't want. we setup socks server to listen only for Instant Messengers .. can somebody tell me how could i resolve this issue.
Regards,
zAm (Lyarianz Internet Cable Network - Network Administrator)

[LinuxFreaK]

Dear zAm,
Salam,

FYI, http://www.linuxpakistan.net/forum2x/vi ... php?t=3772

Best Regards.

[zAm]

Dear zAm,
Salam,

FYI, http://www.linuxpakistan.net/forum2x/vi ... php?t=3772

Best Regards.

Hello,
Farrukh .... i read all the posts .. i think the better one for me is to re-compile squid with --enable-ssl because our Linux Administrator just copy paste the entire squid directory ... or maybe he uses the rpm package .... i think that --enable-ss option is not integrated with squid rpm package.we'r using "squid-2.5.STABLE11-1.FC3" .. so should i re-compile with --enable-ssl & then backup my current existing squid.conf in /etc/squid/ , i hope that won't create any problems ... i'm hesistating to do this because we'r running a large network ... & i don't want to disturb them .... but i really need to fix my problem ... when i use manual proxy in IE so the ssl works from the same browsing server but when using without proxy it tries to access from the socks server .... ? so what you would recommend me ? re-compiling squid with --enable-ssl ? Sorry for bugging you alot... Thanks for being so helpful
Regards,
zAm (Lyarianz Internet Cable Network)

[LinuxFreaK]

Dear zAm,
Salam,

Then Install Linux on another machine and test it few clients

Best Regards.

[zAm]

Hello,
Farrukh.. hehe nice idea ! , but that would take alot of time ......
if there is not any problem to re-compiling squid so i should go for it ........... ?
Regards,
zAm (Lyarianz Internet Cable Network)

[LinuxFreaK]

Dear zAm,
Salam,

Your Wish

Best Regards.

[zAm]

Hello,
Farrukh ...my problem turns another way ... i thought that could be the problem of re-compiling squid with --enable-ssl . but i think that wouldn't help me out ... because i can access https webpaeges while using proxy in IE , but why shouldn't it works without proxy .. all the websites (80) works fine without proxy then why doesn't these https, ssl sites ? i remove the port 443 from safe_port ACL from my squid.conf but it doesn't helped me yet ... what else do i need to change ? if you don't mind so may i send u my iptables file & squid configuration file to your inbox , to have a look over & check what's happening ? help me out , i'm really pissed off due to this bad sticky problem ...
Regards,
zAm (Lyarianz Internet Cable Network)

[LinuxFreaK]

Dear zAm,
Salam,

Not a proper way but might help you.

# iptables -t nat -A PREROUTING -s LANIP -p tcp --dport 443 -j REDIRECT --to-port SUQIDPORT

Best Regards.

[zAm]

Hello,
LinuxFreak......... now you must looking for me to kill me after knowing that my problem still exists :p hehe ... i am really pissed off now for this sticky problem ......
here's my squid & iptables configurations files ....
please check out these & suggest me what to do , which really works ......
thanks
Regards,
zAm (Lyarianz Internet Cable Network)

[LinuxFreaK]

Dear zAm,
Salam,

Edit your squid.conf and change following line.

Code: Select all

http_access allow CONNECT !SSL_ports

TO

Code: Select all

http_access allow CONNECT SSL_ports

Best Regards.

[zAm]

Hello,
LinuxFreak, well whatever you told me to change in squid.conf , doesn't make a sense because i could access httpS webpages while using Proxy in IE , as i could see ..... it's all about Transparent Proxying which is done with port 80 --to-port 8080 (squid box port) ... it's working fine but it's not working with another port like 443 which u told me before to ....
anyway's i edit the following line
"http_access allow CONNECT !SSL_ports"
TO
"http_access allow CONNECT SSL_ports"
but still the problem exists .... have u tried transparent proxying with port 443 ?? does it works to you ? anyway's thanks alot for helping me out .. i must find a good Linux Administrator for our network ........ hope i got one sooon ..... thanks once again for your kind replies ........ take care buddy ......... Allah Hafiz
Regards,
zAm (Lyarianz Internet Cable Network)