
I am running squid 3.5.12 on Ubuntu.

I have the following in /etc/squid/squid.conf

acl SSL_ports port 443
acl CONNECT method CONNECT
acl acl_allowed_ip src my.client.ip.address.com
http_access allow acl_allowed_ip
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

However, when I tried to telnet from the machine with my.client.ip.address.com, it just got stuck there forever:

$ telnet my.squid.server.com 3128
Trying my.squid.server.com...
telnet: connect to address my.squid.server.com: Connection timed out

But if I telnet locally on my.squid.server.com, it works fine.

And I double-checked that it is indeed the squid process listening on port 3128:

# netstat -lp | grep 3128
tcp6       0      0 [::]:3128               [::]:*                  LISTEN      3142/(squid-1)  

firewalld is not running:

# systemctl status firewalld
● firewalld.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

Any idea how this can be fixed?

====================

Update #1: output of iptables -nvL

Chain INPUT (policy ACCEPT 79M packets, 55G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 114M packets, 18G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
HCSF
  • Have you tried to connect to your squid externally, like `telnet your.host.tld 3128` ? If you'll have *Connection refused* then you can examine the `iptables -nvL` output. – drookie Feb 08 '22 at 07:26
  • @drookie yes, on an external machine (`my.client.ip.address.com`), I tried to run `telnet my.squid.server.com 3128`, but it got `Connection timed out` – HCSF Feb 08 '22 at 08:36
  • Then it's packet filter. – drookie Feb 08 '22 at 08:37
  • @drookie updated my post with `iptables -nvL`'s output. It looks okay to me tho. – HCSF Feb 10 '22 at 02:11
  • Yeah. Are the client (and I mean non-local one) and the server located in the same subnet or both are located in WAN/different prefixes ? Is there some sort of external packet filter ? – drookie Feb 10 '22 at 04:51
  • @drookie I found the issue -- apparently the server, a cloud instance, needs port forwarding. My bad. Should have spotted this by using a dummy TCP server. Sorry! – HCSF Feb 10 '22 at 07:55
  • Feel free to post your solution as an answer so this gets flagged as an answered question and you get more rep! – shearn89 Feb 14 '22 at 09:29
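The "dummy TCP server" check that the asker mentions in the comments is worth doing before touching squid.conf, because a `Connection timed out` and a `Connection refused` point at different layers. The script below is an added example, not code from the question or from Squid: run from the client host, it probes the Squid port and reports one word, `open` (TCP handshake completed), `refused` (the host answered with a reset, so it is reachable but nothing is bound on that port, or a REJECT rule is in place), or `timeout` (the SYN was silently dropped or never routed, which is what a missing cloud port-forwarding / security-group rule, a DROP rule, or a bad route looks like). It assumes coreutils `timeout` and bash are installed on the client; bash is only used for its `/dev/tcp` pseudo-device, the script itself is POSIX sh. The host name and port on the usage line are the placeholders from the question.

```shell
#!/bin/sh
# Added example (not from the original question or from Squid): a reachability
# probe that separates "nothing is listening" from "packets are dropped or
# never forwarded". Run it on the client host against the Squid host.
# Assumed: coreutils `timeout` and bash exist on the client.

# probe_tcp HOST PORT [TIMEOUT_SECONDS]
# Prints exactly one verdict: open, refused, timeout, or "error: <message>".
probe_tcp() {
    host=$1
    port=$2
    secs=${3:-5}
    # bash opens a TCP connection when a descriptor is redirected to
    # /dev/tcp/HOST/PORT; stdout is discarded, stderr is captured for the reason.
    rc=0
    msg=$(timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1 >/dev/null) || rc=$?
    case $rc in
        0)   echo open ;;     # handshake completed: a listener (or a forwarder in front of it) answered
        124) echo timeout ;;  # SYN never answered: DROP rule, missing cloud port forwarding/security group, or no route
        *)
            case $msg in
                *refused*) echo refused ;;        # RST received: host reachable, port not bound (or REJECT rule)
                *)         echo "error: $msg" ;;  # name resolution, no route, missing tool, ...
            esac
            ;;
    esac
}

# explain VERDICT: what the one-word verdict means for the Squid case in the question.
explain() {
    case $1 in
        open)    echo "reachable; if Squid still misbehaves, look above TCP (http_access ACLs, http_port binding)" ;;
        refused) echo "host reachable but port closed: daemon not bound on that address/port, or a REJECT rule" ;;
        timeout) echo "silently dropped: check cloud port forwarding / security group, NAT and DROP rules before editing squid.conf" ;;
        *)       echo "local problem, not a verdict about the server: $1" ;;
    esac
}

# Usage (placeholders from the question): ./probe.sh my.squid.server.com 3128
# To rule out the proxy itself, stop Squid on the server and run a stand-in
# listener there, e.g. `nc -l -p 3128`, then probe again: if the stand-in also
# times out, the network path to the server is the problem, not Squid.
if [ $# -ge 2 ]; then
    verdict=$(probe_tcp "$1" "$2" "${3:-5}")
    echo "$1:$2 -> $verdict"
    explain "$verdict"
fi
```

Running the probe against localhost on the server itself should print `open` (as the asker's local telnet did), while the same probe from the client printing `timeout` rather than `refused` is the signal that packets are not arriving at the host at all, so the iptables output on the host cannot explain it and the cloud provider's forwarding or security rules are the next thing to inspect. Note also that the netstat line shows Squid bound to `[::]:3128`; on Linux that socket accepts IPv4 as well unless `net.ipv6.bindv6only` is set to 1, in which case a `refused` from an IPv4 client would be expected and `http_port 0.0.0.0:3128` would be the fix.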

0 Answers