wmlex — Posted March 11, 2015

Здравствуйте! Помогите решить проблему. Есть VPN-сервер под управлением CentOS 6. На нём уже подняты и работают службы squid, openvpn, pptp. Squid работает в режиме прозрачного прокси, и пользователи, подключившиеся к серверу, ходят через него. Сейчас пытаюсь настроить IPsec (strongSwan), но в процессе настройки возникла проблема. Если в iptables включён просто NAT, без перенаправления 80-го порта на squid, сайты по http и https открываются, а если я заворачиваю 80-й порт, то http не работает — только https. Проблема, как я предполагаю, в squid, только найти её самостоятельно у меня не получилось, поэтому прошу вашей помощи.

uname -a:
Linux vpn 2.6.32-504.8.1.el6.i686 #1 SMP Wed Jan 28 18:25:26 UTC 2015 i686 i686 i386 GNU/Linux

squid (squid -v):
Squid Cache: Version 3.4.10
configure options: '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i686-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--with-large-files' '--enable-linux-netfilter'
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i686-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -fPIC' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

iptables
# NOTE(review): the two rules below are nat-table rules, the rest are filter-table rules;
# the chain default policies are not shown, so "works"/"does not work" below assumes DROP
# policies on INPUT and FORWARD — confirm with `iptables -S` / `iptables -t nat -S`.
#
# NOTE(review): likely cause of "HTTP fails only for IPsec clients". strongSwan on a stock
# CentOS 6 kernel uses the NETKEY/XFRM stack, which creates no ipsecN device: decrypted
# packets from the 10.9.0.128/25 pool appear on eth0, not on an "ipsec+" interface.
# Two consequences, both visible in these rules:
#   1. REDIRECT rewrites the destination to the primary address of the *incoming* interface,
#      i.e. eth0's public address for IPsec clients — but Squid only listens on 10.9.0.1:3127.
#      Use an explicit DNAT instead:
#        -A PREROUTING -s 10.9.0.0/24 -p tcp --dport 80 -j DNAT --to-destination 10.9.0.1:3127
#   2. The "-i ipsec+" INPUT rules never match, so the redirected connection is not accepted.
#      Match on the IPsec policy rather than a device name:
#        -A INPUT -m policy --dir in --pol ipsec -p tcp --dport 3127 -j ACCEPT
#        -A INPUT -m policy --dir in --pol ipsec -p tcp --dport 3128 -j ACCEPT
#      (the same applies to FORWARD: there is no eth0→eth0 rule for IPsec clients; if HTTPS
#      currently works for them, FORWARD is presumably ACCEPT by default or has rules not shown.)
-A PREROUTING -s 10.9.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m comment --comment "HTTPs" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -m comment --comment "OpenVPN" -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 3128 -m comment --comment "Squid" -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 3128 -m comment --comment "Squid" -j ACCEPT
-A INPUT -i ipsec+ -p tcp -m tcp --dport 3128 -m comment --comment "Squid" -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 3127 -m comment --comment "Squid-Transparent" -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 3127 -m comment --comment "Squid-Transparent" -j ACCEPT
-A INPUT -i ipsec+ -p tcp -m tcp --dport 3127 -m comment --comment "Squid-Transparent" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -m comment --comment "PPTP" -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m comment --comment "OpenVPN" -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -m comment --comment "IPSec" -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -m comment --comment "IPSec" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o ppp+ -j ACCEPT
-A FORWARD -i ppp+ -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): OUTPUT has no RELATED,ESTABLISHED rule and no --sport 3127/3128 rule for
# Squid's replies to clients; since OpenVPN/PPTP clients reportedly work, the OUTPUT policy is
# presumably ACCEPT — if it is DROP, add `-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 32768:61000 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 32768:61000 -j ACCEPT

squid.conf
#----------------------------------------------------------------
acl localnet src 10.9.0.0/24
acl office_hours time 00:00-24:00
#----------------------------------------------------------------
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
#----------------------------------------------------------------
acl Safe_ports port 21 # ftp
# NOTE(review): port 25 is deliberately absent from Squid's stock Safe_ports list — allowing
# it lets a client send `http://mailhost:25/` requests and use the proxy to talk to SMTP
# servers (spam relay / abuse vector). Remove this line unless there is a concrete need.
acl Safe_ports port 25 # smtp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
#----------------------------------------------------------------
# Intercept port: only ever reached via the nat REDIRECT/DNAT above. It is bound to the
# VPN-side address, and no INPUT rule opens 3127/3128 on eth0 — keep it that way; an
# intercept port reachable directly from the Internet is a classic open-proxy mistake.
http_port 10.9.0.1:3127 intercept
http_port 10.9.0.1:3128
#----------------------------------------------------------------
always_direct allow all
#----------------------------------------------------------------
acl adblock url_regex "/etc/squid/adblock.acl"
acl adblock-android dstdomain "/etc/squid/adblock-android.conf"
#acl goodsites dstdomain "/etc/squid/allowed-sites.conf"
#acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
#----------------------------------------------------------------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localnet Safe_ports
#----------------------------------------------------------------
#http_access deny pptp badsites
#http_access allow pptp goodsites
#http_access deny pptp
# NOTE(review): this allow precedes the adblock denies, so CONNECT (HTTPS via the 3128
# forward-proxy port) is never checked against either block list. Move it below the two
# deny lines if the lists are meant to apply to HTTPS destinations as well.
http_access allow localnet CONNECT
http_access deny localnet adblock
http_access deny localnet adblock-android
http_access allow localnet office_hours
#----------------------------------------------------------------
http_access deny all
icp_access allow localnet
icp_access deny all
#----------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
#----------------------------------------------------------------
access_log stdio:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log
pid_filename /var/run/squid.pid
debug_options ALL,1
#----------------------------------------------------------------
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
acl apache rep_header Server ^Apache
#----------------------------------------------------------------
hosts_file /etc/hosts
coredump_dir /var/spool/squid
error_directory /usr/share/squid/errors/ru-ru
cache_dir ufs /var/spool/squid 100 16 256
shutdown_lifetime 5 seconds
# NOTE(review): nothing here overrides Squid's defaults for the Via and X-Forwarded-For
# headers, so origin servers see a "Via: ... squid/3.4.10" header and the client's VPN
# address. If the VPN is meant to hide that clients sit behind a proxy, add
# `via off` and `forwarded_for delete`.

ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # NOTE(review): with strictcrlpolicy left at its default, a client certificate that
    # has been revoked is still accepted when the CRL cannot be fetched; if client certs
    # are ever revoked, enable it (and publish a reachable CRL / OCSP responder).
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=200s
    fragmentation=yes
    # left - local (server) side
    left=%any
    leftauth=pubkey
    leftcert=vpn.crt
    leftsendcert=always
    # Full-tunnel: every client packet (including DNS to rightdns) traverses the server,
    # which is what makes the port-80 REDIRECT in iptables apply to IPsec clients at all.
    leftsubnet=0.0.0.0/0
    # right - remote (client) side
    right=%any
    rightauth=pubkey
    # NOTE(review): this pool lies inside the 10.9.0.0/24 that squid.conf (acl localnet) and
    # the iptables rules treat as "all VPN clients", which is consistent — but the OpenVPN and
    # PPTP pools are not shown here; make sure neither also allocates from 10.9.0.128/25, or
    # two clients can receive the same address.
    rightsourceip=10.9.0.128/25
    rightdns=77.88.8.88,8.8.8.8

conn ikev2-pubkey
    keyexchange=ikev2
    auto=add

conn ikev1
    keyexchange=ikev1
    rightauth2=xauth
    auto=add

conn ikev2-eap-tls
    also="ikev2-pubkey"
    rightauth=eap-tls
    eap_identity=%identity