# Iptables+squid+https+adsl=problem

## mungo_k

Problem: I cannot connect to gmail. I think this is because my Gentoo router works with an ADSL modem (MTU size 1400, 1500 on the LAN).

I read http://www.gentoo.org/doc/en/home-router-howto.xml and just copied all the instructions.

When I set the proxy in my browser to squid port 3128, it works.

But it works only in squid 3.1. In 3.2 squid fails to start with my config.

Any help?

----------

## truc

How do you want us to help you? What are the errors? Check the log!

Also, for PMTU, be sure not to filter ICMP messages excessively.

----------

## 666threesixes666

I just populated some squid stuff on wiki.gentoo.org.... Can you get gmail without squid?

maybe

```
dig gmail.com
```

then

```
dig google.com
```

I'm getting it fine with a manual browser proxy configuration of 127.0.0.1:3128 for all protocols.

I did no editing to /etc/squid/squid.conf.....

If those fail, try on the actual server to turn iptables off and then re-dig both; if that fails, turn squid and iptables off.... Basically, dial down the complexity of your problem, then start to dial it up again to find your point of failure.

----------

## PaulBredbury

*mungo_k wrote:*

> cannot connect to gmail

Maybe the current openssl connection bug.

----------

## mungo_k

About squid: with the default config (the one that comes with the new squid) it just reports to a user with the proxy set that it cannot show the page due to permissions. When the proxy in the browser is not set, it works for http.

The old config does not work at all in 3.2. Squid can't start, saying "manager already set". My squid.conf was 200 kb due to comments. Well, here is the cleaned version:

```
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com # multiling http
acl wuCONNECT dstdomain sls.microsoft.com # SWAT
acl hlv dstdomain "/etc/squid/gs.txt"
acl GoodComps src "/etc/squid/gc.txt"
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
http_access allow hlv
http_access allow GoodComps
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
https_port 3128 transparent key=/etc/squid/key.pem cert=/etc/squid/certificate.pem
hierarchy_stoplist cgi-bin ?
cache_mem 1 GB
cache_dir ufs /var/cache/squid 8192 16 256
maximum_object_size 512 MB
coredump_dir /var/cache/squid
url_rewrite_program /usr/bin/squidGuard
url_rewrite_children 15
url_rewrite_access deny localhost
url_rewrite_access deny SSL_ports
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
refresh_pattern .      0   20%   4320
quick_abort_min -1 KB
range_offset_limit -1
```

And of course iptables rules:

```
# Generated by iptables-save v1.4.16.3 on Tue Feb 19 17:30:42 2013
*mangle
:PREROUTING ACCEPT [2085892933:1332602786724]
:INPUT ACCEPT [1055375193:702204536694]
:FORWARD ACCEPT [1029724121:630203068655]
:OUTPUT ACCEPT [1214883374:537016737047]
:POSTROUTING ACCEPT [2194084094:1164799323692]
COMMIT
# Completed on Tue Feb 19 17:30:42 2013
# Generated by iptables-save v1.4.16.3 on Tue Feb 19 17:30:42 2013
*nat
:PREROUTING ACCEPT [123368:9283729]
:INPUT ACCEPT [95312:5939063]
:OUTPUT ACCEPT [33085:2190534]
:POSTROUTING ACCEPT [903:78442]
:MINIUPNPD - [0:0]
[15564:764440] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[75644:6208874] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Feb 19 17:30:42 2013
# Generated by iptables-save v1.4.16.3 on Tue Feb 19 17:30:42 2013
*filter
:INPUT ACCEPT [5123341:4527601844]
:FORWARD DROP [114:5512]
:OUTPUT ACCEPT [5968890:1619465226]
:MINIUPNPD - [0:0]
[9424:1673166] -A INPUT -i lo -j ACCEPT
[404579:57419526] -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 21,22,80,443,1723,3128,10000 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 25,53,110,587,993,5190 -j ACCEPT
[5887:367969] -A INPUT -i eth0 -p udp -m udp -m multiport --dports 53,123 -j ACCEPT
[3:168] -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j DROP
[0:0] -A INPUT -i ppp0 -p tcp -m tcp -m multiport --dports 137,138,139 -j DROP
[0:0] -A INPUT -i ppp0 -p udp -m udp -m multiport --dports 137,138,139 -j DROP
[0:0] -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP
[2417885:561406042] -A FORWARD -s 192.168.1.21/32 -i eth0 -j ACCEPT
[3545280:3070218779] -A FORWARD -d 192.168.1.0/24 -i ppp+ -j ACCEPT
[314262:15057257] -A FORWARD -s 192.168.1.32/32 -i eth0 -j ACCEPT
[12794:960244] -A FORWARD -s 192.168.1.19/32 -i eth0 -j ACCEPT
[5321:479643] -A FORWARD -s 192.168.1.25/32 -i eth0 -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.35/32 -i eth0 -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.5/32 -i eth0 -j ACCEPT
[7391:480286] -A FORWARD -s 192.168.1.2/32 -i eth0 -j ACCEPT
[1062:77458] -A FORWARD -i eth0 -o ppp0 -p tcp -m tcp -m multiport --dports 123,5190 -j ACCEPT
[4:304] -A FORWARD -i eth0 -o ppp0 -p udp -m udp -m multiport --dports 123,5190 -j ACCEPT
[447:182924] -A FORWARD -s 192.168.1.3/32 -i eth0 -j ACCEPT
[552:39598] -A FORWARD -s 192.168.1.18/32 -i eth0 -j ACCEPT
[248:37429] -A FORWARD -s 192.168.1.64/26 -i eth0 -j ACCEPT
[566:27793] -A FORWARD -s 192.168.1.27/32 -i eth0 -j ACCEPT
[107:12197] -A FORWARD -s 192.168.1.29/32 -i eth0 -j ACCEPT
[3527:366668] -A FORWARD -s 192.168.1.14/32 -i eth0 -j ACCEPT
[12708:1808586] -A FORWARD -s 192.168.1.30/32 -i eth0 -j ACCEPT
[23:1016] -A FORWARD -s 192.168.1.15/32 -i eth0 -j ACCEPT
[4234:396860] -A FORWARD -s 192.168.1.8/32 -i eth0 -j ACCEPT
[0:0] -A FORWARD -s 192.168.1.12/32 -i eth0 -j ACCEPT
[173:12652] -A FORWARD -s 192.168.1.6/32 -i eth0 -j ACCEPT
[8758:673910] -A FORWARD -s 192.168.1.28/32 -i eth0 -j ACCEPT
COMMIT
# Completed on Tue Feb 19 17:30:42 2013
```

----------

## mungo_k

Can anyone help me with this?

----------

## truc

Add a log target and monitor your firewall log.

Also, does it work from the router? (You can use ssh -D9999 router from a host on your LAN, then from your browser try to go to gmail using the socks proxy localhost:9999.)

Oh, I just noticed you have a transparent proxy configured. Does the problem also happen when you configure your browser to use this proxy (explicitly!)?

----------

## mungo_k

From the server it works ok in any case - gmail opens easily.

The problem is only when browser on client machine is NOT configured to use proxy.

----------

## truc

Then it's probably as you said in the beginning, something related to the MTU and the MSS. First, this should not happen if ICMP is not blindly dropped, but the problem might not come from your firewall (check it anyway!). In that case, check the iptables manual or the net for how to use --clamp-mss-to-mtu; this should hopefully fix your problem!
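As an added illustration of the MSS/PMTU point above (this is not part of the thread and not the poster's ruleset), the script below audits an iptables-save dump for the two things that matter on a 1400-byte ADSL uplink: an MSS clamp on forwarded SYNs, and no rule that drops ICMP on the WAN interface. The sample dump is constructed from the posted mangle and filter tables with counters removed; the interface name ppp0 and the exact iptables flag (`--clamp-mss-to-pmtu`, the real spelling of the option) are taken from the thread and the iptables manual.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an iptables-save dump for the
# path-MTU fix discussed above. Usable on a live router with:
#   iptables-save | audit_dump
WAN_IF="${WAN_IF:-ppp0}"   # the ADSL uplink named in the thread

# Constructed sample: the poster's mangle table has no rules at all and the
# filter table never touches ICMP, so only the MSS clamp is missing.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j DROP
-A FORWARD -s 192.168.1.21/32 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i ppp+ -j ACCEPT
COMMIT'

# Returns 0 if some rule clamps the MSS of SYNs leaving via the WAN interface.
has_mss_clamp() {
    grep -Eq -- "-A (FORWARD|POSTROUTING) .*-o $WAN_IF .*-j TCPMSS --clamp-mss-to-pmtu"
}

# Returns 0 if a rule drops or rejects ICMP arriving on the WAN interface,
# which would also discard the "fragmentation needed" messages PMTUD relies on.
drops_icmp_on_wan() {
    grep -Eq -- "-A (INPUT|FORWARD) .*-i $WAN_IF .*-p icmp .*-j (DROP|REJECT)"
}

# The fix truc points at: rewrite the MSS of forwarded SYNs to fit the path
# MTU, so LAN clients never send 1500-byte segments into a 1400-byte link.
mss_clamp_rule() {
    printf 'iptables -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n' "$WAN_IF"
}

# Reads a dump from stdin, prints findings, returns 0 only when nothing is wrong.
audit_dump() {
    dump=$(cat); status=0
    if ! printf '%s\n' "$dump" | has_mss_clamp; then
        echo "missing MSS clamp on $WAN_IF; add:"; mss_clamp_rule; status=1
    fi
    if printf '%s\n' "$dump" | drops_icmp_on_wan; then
        echo "ICMP dropped on $WAN_IF; allow at least --icmp-type fragmentation-needed"; status=1
    fi
    return $status
}

printf '%s\n' "$SAMPLE_DUMP" | audit_dump || echo "ruleset needs the change(s) above"
```

After adding the clamp rule on a real router, `iptables -t mangle -L FORWARD -v -n` should show its packet counter climbing as LAN clients open new HTTPS connections.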

----------

