
I want to filter all of my internet (http & https) connections using a whitelist.

I heard about squid, so I started trying to run it. I found two main tutorials:

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

https://docs.diladele.com/tutorials/transparent_proxy_debian/iptables.html#redirect-http-and-https-traffic

And a video: https://www.youtube.com/watch?v=Bogdplu_lsE

First I install the squid4 AUR package (Arch Linux); I build it with the following enabled:

--with-openssl \
--enable-ssl-crtd \

I edit the config file (/etc/squid/squid.conf) and I add:

# add a custom blocking rule:
acl block_websites dstdomain .org .io
http_access deny block_websites

http_port 3128 intercept
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
http_port 3127 ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

To generate the SSL certificates (for https filtering), I'm doing:

cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -outform DER -out myCA.der
# now add myCA.der to firefox
sudo /usr/lib/squid/security_file_certgen -c -s /var/lib/ssl_db -M 4MB

Then I use iptables to divert everything:

sudo iptables -A INPUT -j ACCEPT -p tcp --dport 3128
sudo iptables -A INPUT -j ACCEPT -p tcp --dport 3129
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:3129

Corresponding iptables-save output:

*filter
:INPUT DROP [8:936]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3129 -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [8:936]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :3128
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination :3129
COMMIT

Finally I enable squid:

sudo systemctl enable squid

But this does not work (firefox tells me 'We can't connect to the server at..'). What am I doing wrong?

  • I am not familiar with squid. Does the `http_port 3127 ssl-bump` entry make sense? – Hauke Laging Apr 23 '20 at 22:04
  • Yes, please see here: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Squid_Configuration_File –  Apr 23 '20 at 22:10
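The script below is an added example, not code from the question, the answers, Squid or the linked tutorials. It puts together the two networking points the comment threads on this page arrive at (packets generated by processes on the same host traverse the nat OUTPUT chain, not PREROUTING, and the browser may be connecting over IPv6) and implements the question's stated goal, a whitelist, using Squid's dstdomain matching rules so a list can be sanity-checked offline before Squid loads it. It assumes Squid runs as the local user `proxy` (an assumption, override with `PROXY_USER=...`), that the listening ports are the question's 3128 and 3129, and that the sample whitelist embedded in it is a constructed stand-in for /etc/squid/whitelist.txt.

```shell
#!/bin/sh
# Added example; not code from the question, from Squid or from the linked
# tutorials. It (1) checks hostnames against a whitelist using squid's
# dstdomain matching rules and (2) prints or applies the nat rules that
# intercept traffic generated ON THE SAME HOST as squid, the setup in the
# question. Assumption not stated on the page: squid runs as the local user
# "proxy" (override with PROXY_USER=...).
set -eu

PROXY_USER="${PROXY_USER:-proxy}"

# Squid dstdomain semantics: ".example.org" matches example.org and every
# subdomain of it; "host.example.org" (no leading dot) matches that host only.
dstdomain_matches() {   # $1 pattern, $2 hostname; returns 0 on match
    pat=$1
    host=$2
    case "$pat" in
        .*) # hostnames contain no glob characters, so $pat is safe unquoted here
            if [ "$host" = "${pat#.}" ] || [ "${host%$pat}" != "$host" ]; then
                return 0
            fi ;;
        *)  if [ "$host" = "$pat" ]; then
                return 0
            fi ;;
    esac
    return 1
}

# Test a hostname against whitelist text (blank lines and '#' comments are
# skipped), so the list can be sanity-checked before squid loads it.
host_allowed() {        # $1 hostname, $2 whitelist contents; returns 0 if allowed
    printf '%s\n' "$2" | {
        while read -r pat; do
            case "$pat" in ''|'#'*) continue ;; esac
            if dstdomain_matches "$pat" "$1"; then exit 0; fi
        done
        exit 1
    }
}

# Constructed sample whitelist; the domains are the ones the question links to.
SAMPLE_WHITELIST='# one squid dstdomain pattern per line
.squid-cache.org
docs.diladele.com'

# Packets created by processes on this host never traverse PREROUTING; they
# traverse the nat OUTPUT chain. The owner match keeps squid's own upstream
# connections from being redirected back into squid (an infinite loop), and
# REDIRECT delivers the packet to the local port without a DNAT target.
nat_rules() {
    cat <<EOF
-t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $PROXY_USER -j REDIRECT --to-ports 3128
-t nat -A OUTPUT -p tcp --dport 443 -m owner ! --uid-owner $PROXY_USER -j REDIRECT --to-ports 3129
EOF
}

# The question's filter policies are all DROP: loopback, reply traffic, DNS
# and squid's own outbound 80/443 must be allowed or nothing reaches the Internet.
filter_rules() {
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner $PROXY_USER -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
}

# Apply the same rules with iptables and ip6tables (the browser in the
# question turned out to connect over IPv6); word splitting of $rule is intended.
apply_rules() {
    for tool in iptables ip6tables; do
        { filter_rules; nat_rules; } | while read -r rule; do
            # shellcheck disable=SC2086
            "$tool" $rule
        done
    done
}

case "${1:-show}" in
    show)  echo "# rules, one per line, for iptables and ip6tables:"; filter_rules; nat_rules ;;
    apply) apply_rules ;;
    check) shift; host_allowed "$1" "$SAMPLE_WHITELIST" && echo "$1: allowed" || echo "$1: denied" ;;
esac
```

Run it as `sh redirect.sh show` to print the rules, `sudo sh redirect.sh apply` to load them into both iptables and ip6tables, and `sh redirect.sh check wiki.squid-cache.org` to test a name against the sample list. After applying, `iptables -t nat -nvL OUTPUT` (and the ip6tables equivalent) should show the packet counters on the REDIRECT rules increasing as the browser loads a page, which is the check the comments suggest for telling PREROUTING from OUTPUT apart. Two caveats a practitioner should keep in mind: the browser must trust the CA whose certificate Squid uses for generate-host-certificates, and for intercepted HTTPS Squid only learns the server name from the TLS SNI after the peek at SslBump1, so confirm in access.log that a dstdomain whitelist is actually being applied to the HTTPS side and not only to plain HTTP.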

3 Answers


Sorry, wrong answer due to a misunderstanding. I haven't deleted it yet because of the comments.

Hauke Laging
  • I made this change, but it still won't make it run; I still get a connection error when visiting a website. `systemctl status squid` gives me these messages: **squid[62096]:** `Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=41` **squid[62096]:** `Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41` **squid[62096]:** `Accepting SSL bumped HTTP Socket connections at local=[::]:3127 remote=[::] FD 25 flags=9` –  Apr 23 '20 at 21:54
  • I am sorry, I mixed up inbound and outbound traffic. Connections initiated by you can be redirected to the loopback interface, of course; you have to change that back. Is squid running? `ss -46ln | grep :312` Can you connect to it? `telnet localhost 3128` – Hauke Laging Apr 23 '20 at 22:01
  • The first command shows me all 3 ports: 3127, 3128, 3129. `tcp LISTEN 0 256 *:312x *:*` The second stalls at `Trying ::1...` –  Apr 23 '20 at 22:07
  • Is `iptables -A INPUT -j ACCEPT -p tcp --dport 3128` still active? Add the outputs of `iptables -nvL` and `iptables -t nat -nvL` to your question. Maybe `PREROUTING` doesn't get locally created packets. Try `OUTPUT` instead (or in addition). – Hauke Laging Apr 23 '20 at 22:12
  • I updated my question. I tried adding OUTPUT rules `sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 80` & `..443` with and without INPUT. Nothing changed, firefox still shows 'We can’t connect to the server at..' –  Apr 23 '20 at 22:29
  • `iptables -t nat -nvL` is better than `iptables-save` because of the counters: You can see there whether a rule has matched anything. That would tell whether to use `PREROUTING` or `OUTPUT`. And there may be an IPv6 problem. So instead of `telnet localhost 3128` try `telnet 127.0.0.1 3128` – Hauke Laging Apr 23 '20 at 22:33
  • Btw all of my ip6tables chains are empty and all policies set to DROP. Does this have any effect? I'll try allow them now. –  Apr 23 '20 at 22:36
  • Enabling ip6tables makes it work, because packets are received over IPv6. I made a mistake earlier with the output rules. I tried all of: `sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:3128`, `sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128`, `sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-port 3128`, `sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128`, with and without PREROUTING, without any effect. Actually some packets pass through, but web pages are not shown in Firefox –  Apr 23 '20 at 22:52
  • `telnet 127.0.0.1 3128` works when squid server is running. –  Apr 23 '20 at 22:53
  • @light9876 And does the browser work now? If `telnet 127.0.0.1 80` and `telnet 127.0.0.1 443` work but the browser does not, then I would guess it is not a networking problem but in the squid config. – Hauke Laging Apr 23 '20 at 23:35
  • When squid is running, but iptables is not set, `telnet 127.0.0.1 3128` works. When everything is set it does not work, nor does `telnet 127.0.0.1 443` nor `telnet 127.0.0.1 80` –  Apr 24 '20 at 06:26
  • @light9876 So what is the current setting, `PREROUTING` or `OUTPUT`? – Hauke Laging Apr 27 '20 at 21:32

Autodetection of the system proxy with Firefox isn't always a given. Set it manually. May or may not be the issue, but good to know.

John Scott

Somebody answered exactly my question on youtube using e2guardian:

https://www.youtube.com/watch?v=jPqjEgF49Uo

This answer has been tested for 2 months, and if you configure it correctly, it is 100% effective.