# Squid Error : ERROR: No forward-proxy ports configured.

## JujuBickoille

Squid Error : ERROR: No forward-proxy ports configured.

Hi there,

I want to install on my Gentoo's box a squid server and redirect dport http to squid

it seem's to be easy to do, but I got a strange message in my cache.log

"kid1| ERROR: No forward-proxy ports configured."

My Network : 

---------------------- ---------------------- ---------------------- 

-	Wireless Network - -   Ethernet Network - -   VPN Network -

-   192.168.122.0/24 - -   192.168.101.0/24 - -   10.8.0.0/24 -

-	if : wifi		 - -	if : lan        - -	   if : tap0       -

---------------------- ---------------------- ----------------------

---------------------------------

-  Gentoo's Box                 -

-  ip : wan   109.x.x.1         -

-  ip : lan   192.168.101.1/24  -

-  ip : wifi   192.168.122.1/24 -

---------------------------------

My Iptables script ( I use juste for generate, when it's okay I use /etc/init.d/iptables save )

#!/bin/bash

### Some Variables ###

ROUTER_IP=109.x.x.1

ROUTER_NET=109.x.x.0/24

SERV_IP=109.x.x.15

LAN_IP=192.168.101.1

LAN_NET=192.168.101.0/24

WIFI_IP=192.168.122.1

WIFI_NET=192.168.122.0/24

#Custom Ports

VPN_PORT=1194

BITTORENT_PORT=1337

BITTORENT_DST="192.168.101.100"

SQUID_PORT=3128

### Flush ###

/sbin/iptables -F

/sbin/iptables -t nat -F

/sbin/iptables -t filter -F

/sbin/iptables -t mangle -F

/sbin/iptables -X

### Set Default Policy to DROP ###

/sbin/iptables -P INPUT DROP

/sbin/iptables -P OUTPUT DROP

/sbin/iptables -P FORWARD DROP

# loopback accept

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

### INPUT POLICY ###

echo Enable SSH + log

iptables -N WAN_INPUT

iptables -A WAN_INPUT -p TCP --dport ssh -j LOG --log-prefix 'WAN_SSH '

iptables -A WAN_INPUT -p TCP --dport ssh -j ACCEPT

echo OpenVPN

iptables -A WAN_INPUT -p TCP --dport ${VPN_PORT}  -j LOG --log-prefix "OpenVPN "

iptables -A WAN_INPUT -p TCP --dport ${VPN_PORT}  -j ACCEPT

echo Log and Drop SERVER INPUT

iptables -A WAN_INPUT -j LOG --log-prefix 'WAN_INPUT_DROP '

echo INPUT from LANs ( Ethernet and Wireless )

iptables -N LAN_INPUT

iptables -A LAN_INPUT -p UDP --dport domain -j ACCEPT

iptables -A LAN_INPUT -p TCP --dport 3128 -j ACCEPT

iptables -A LAN_INPUT -p TCP --dport ssh -j ACCEPT

iptables -A LAN_INPUT -p UDP --dport ntp -j ACCEPT

iptables -A LAN_INPUT -j LOG --log-prefix 'LAN_INPUT_DROP '

## Redirect new connexion to good chain

# Accept DHCP requests from Local

iptables -A INPUT -m conntrack --ctstate NEW ! -i wan -p UDP --dport bootps -j ACCEPT

# Incoming from wan

iptables -A INPUT -m conntrack --ctstate NEW -i wan -d ${SERV_IP}/32 -j WAN_INPUT

# Incoming from wireless and ethernet ( we don't open anything from VPN )

iptables -A INPUT -m conntrack --ctstate NEW -i lan -s ${LAN_NET} -j LAN_INPUT

iptables -A INPUT -m conntrack --ctstate NEW -i wifi -s ${WIFI_NET} -j LAN_INPUT

# We accept related / established 

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# We log anything rest ( usually commented )

iptables -A INPUT -j LOG --log-prefix 'INPUT_ALL_DROP '

### OUTPUT POLICY ###

iptables -N WAN_OUT

# I don't want server communicate with his subnetwork, except router ( not needed with public IP )

iptables -A WAN_OUT ! -d ${ROUTER_NET} -j ACCEPT

iptables -A WAN_OUT -d ${ROUTER_IP} -j ACCEPT

# I log anythings rest

iptables -A WAN_OUT -j LOG --log-prefix 'WAN_OUT_DROP '

# Add all OUTPUT to the WAN_OUT chain

iptables -A OUTPUT -o wan -j WAN_OUT

### LAN_OUTPUT : not really interesting

iptables -N LAN_OUT

iptables -A LAN_OUT -d ${LAN_NET} -j ACCEPT

iptables -A LAN_OUT -j LOG --log-prefix 'LAN_OUT_DROP '

iptables -N WIFI_OUTPUT

iptables -A WIFI_OUTPUT  -d ${WIFI_NET} -j ACCEPT

iptables -A WIFI_OUTPUT -j LOG --log-prefix 'WIFI_OUT_DROP '

iptables -A OUTPUT -o lan -j LAN_OUT

iptables -A OUTPUT -o wifi -j WIFI_OUTPUT

iptables -A OUTPUT -j LOG --log-prefix 'OUTPUT_ALL_DROP '

### NAT ###

# Permit internet forwards to LAN network ( except for wan network )

# same previeously, i don't want router talk with LANs

/sbin/iptables -A FORWARD -i wan ! -s ${ROUTER_NET} -o lan -d ${LAN_NET} -j ACCEPT

/sbin/iptables -A FORWARD -i wan ! -s ${ROUTER_NET} -o wifi -d ${WIFI_NET} -j ACCEPT

# and LANs talk with wan router

/sbin/iptables -A FORWARD -i lan -s ${LAN_NET} -o wan ! -d ${ROUTER_NET} -j ACCEPT

/sbin/iptables -A FORWARD -i wifi -s ${WIFI_NET} -o wan ! -d ${ROUTER_NET} -j ACCEPT

# This must be disabled ! we don't want wireless and ethernet talk togather

#/sbin/iptables -A FORWARD -i wifi -s 192.168.122.0/24 -o lan -d 192.168.101.0/24 -j ACCEPT

#/sbin/iptables -A FORWARD -o wifi -d 192.168.122.0/24 -i lan -s 192.168.101.0/24 -j ACCEPT

# We log failed

iptables -A FORWARD -j LOG --log-prefix 'FORWARD_DROP '

#Redirect Bittorent to BITTORENT_DST

iptables -t nat -A PREROUTING -p tcp --dport ${BITTORENT_PORT} -i wan -j DNAT --to ${BITTORENT_DST}

iptables -t nat -A PREROUTING -p udp --dport ${BITTORENT_PORT} -i wan -j DNAT --to ${BITTORENT_DST}

# Redirect http trafic to squid

iptables -t nat -A PREROUTING -p tcp --dport http -i lan -s ${LAN_NET} -j REDIRECT  --to-port ${SQUID_PORT}

iptables -t nat -A PREROUTING -p tcp --dport http -i wifi -s ${LAN_NET} -j REDIRECT  --to-port ${SQUID_PORT}

# Redirect LANs NTP Trafic to server

iptables -t nat -A PREROUTING -p udp --dport ntp -i lan -s ${LAN_NET} -j DNAT --to-destination ${LAN_IP}:123

iptables -t nat -A PREROUTING -p udp --dport ntp -i wifi -s ${LAN_NET} -j DNAT --to-destination ${WIFI_IP}:123

# Redirect LANs DNS Trafic to server

iptables -t nat -A PREROUTING -p udp --dport domain -i lan -s ${LAN_NET} -j DNAT --to-destination ${LAN_IP}:53

iptables -t nat -A PREROUTING -p udp --dport domain -i wifi -s ${LAN_NET} -j DNAT --to-destination ${WIFI_IP}:53

# Finally, SNATing NAT Trafic with Public IP - aka NAT to world 

/sbin/iptables -t nat -A POSTROUTING -o wan -j SNAT --to ${SERV_IP}

There is nothing of exceptionnal, I think

Now this is my squid conf

#

# Recommended minimum configuration:

#

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 10.0.0.0/8	# RFC1918 possible internal network

acl localnet src 172.16.0.0/12	# RFC1918 possible internal network

acl localnet src 192.168.0.0/16	# RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443

acl Safe_ports port 80		# http

acl Safe_ports port 21		# ftp

acl Safe_ports port 443		# https

acl Safe_ports port 70		# gopher

acl Safe_ports port 210		# wais

acl Safe_ports port 1025-65535	# unregistered ports

acl Safe_ports port 280		# http-mgmt

acl Safe_ports port 488		# gss-http

acl Safe_ports port 591		# filemaker

acl Safe_ports port 777		# multiling http

acl Safe_ports port 901		# SWAT

acl CONNECT method CONNECT

#

# Recommended minimum Access Permission configuration:

#

# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128

#http_port 3128 intercept # I've try this too

http_port 3128 transparent

#http_port 3128

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:		1440	20%	10080

refresh_pattern ^gopher:	1440	0%	1440

refresh_pattern -i (/cgi-bin/|\?) 0	0%	0

refresh_pattern .		0	20%	4320

cache_mem 256 MB

half_closed_clients off

dns_nameservers 127.0.0.1 # I'm using my local DNSMASQ's DNS Server

visible_hostname 145.x.x.109.x.x.net # I got warning if I don't set it :X (or maybe add it to /etc/hosts

# WARNING: 'server' rDNS test failed: (0) No error.

# WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.

My Server is using a CF as HDD, so I don't want to cache on HDD ( I use 50% of avaible memory )

Everything seem to be okay, but I got this n my /var/log/squid/cache.log :

ERROR: No forward-proxy ports configured.

I've try to remove my iptables rule for redirect http -> 3128 and add manually in my webbrowser proxy and it seem to be good

but I prefer do it with a iptables rule for do it work without configuration

Maybe someone have idea ?

thanks

----------

