ClearFoundation

Forums
TOPIC: Troubles with an ip site
#41099
Re:Troubles with an ip site 1 Year ago  
You have a typo in your rules which is why I always recommend trying them at the command line so you can see the error messages. Can you change -dport to --dport?
Nick Howitt
Platinum Boarder
Posts: 4146
 
#41102
Re:Troubles with an ip site 1 Year ago  
Hello,

Friends, I'm really desperate: my ClearOS 5.2 is blocking a site that uses the HTTPS protocol and a non-standard port.

I've added port 8443 to the incoming and outgoing rules of the firewall, I've added the IP of the site to the proxy and content-filter exceptions, and I've added these rules to /etc/rc.d/rc.firewall.local:

iptables -A INPUT --src XXX.XXX.XXX.XXX -p tcp --sport 8443 -j ACCEPT
iptables -A INPUT --src XXX.XXX.XXX.XXX -p udp --sport 8443 -j ACCEPT

But I can't access the site XXX.XXX.XXX.XXX:8443/charge. I was reviewing squid's access.log file, and I see that the error is:

1336494524.922 0 192.168.xxx.xxx TCP_DENIED/403 857 CONNECT xxx.xxx.xxx.xxx:8443 - NONE/- text/html

Can anyone give me an idea of how to solve this problem?

Thanks for all
Marco Malán
Junior Boarder
Posts: 39
 
#41135
Re:Troubles with an ip site 1 Year ago  
Did you update the ACLs in squid to allow port 8443?

See below for the section in squid that needs to be updated... you will need entries similar to those for port 443... note mine below is changed from a 'vanilla' CC config file...
Code:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.0/8
# webconfig: acl_start
acl webconfig_lan src 192.168.0.0/22 202.81.18.30
acl webconfig_to_lan dst 192.168.0.0/22
# webconfig: acl_end
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 81 83 10000
acl Safe_ports port 80          # http
acl Safe_ports port 8008        # http-alt
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 81 82 83 10000    # Web-based administration tools
acl CONNECT method CONNECT

Tony Ellis
Platinum Boarder
Posts: 1048
Last Edit: 2012/05/08 19:18 By track.Reason: typos
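Tony's fix is squid's stock CONNECT-port check in action. As an added example (not code from the thread or from ClearOS), this Python script parses `acl ... port` lines and an access.log entry and shows why a CONNECT to 8443 is denied until `acl SSL_ports port 8443` is present; it assumes squid's default `http_access deny !Safe_ports` then `http_access deny CONNECT !SSL_ports` ordering, and the config fragment and log line are constructed.

```python
import re

# Constructed squid.conf fragment in the shape of Tony's post (not the page's full file).
SQUID_CONF = """\
acl SSL_ports port 443
acl SSL_ports port 81 83 10000
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
"""

# Constructed native-format access.log entry shaped like the OP's TCP_DENIED line.
LOG_LINE = ("1336494524.922 0 192.168.10.5 TCP_DENIED/403 857 "
            "CONNECT 203.0.113.10:8443 - NONE/- text/html")

def parse_port_acls(conf):
    """Map each 'acl NAME port ...' ACL to its set of (low, high) port ranges."""
    acls = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()           # drop trailing comments
        m = re.match(r"acl\s+(\S+)\s+port\s+(.+)$", line)
        if not m:
            continue
        ranges = acls.setdefault(m.group(1), set())
        for tok in m.group(2).split():                  # "443" or "1025-65535"
            lo, _, hi = tok.partition("-")
            ranges.add((int(lo), int(hi or lo)))
    return acls

def port_matches(acls, name, port):
    return any(lo <= port <= hi for lo, hi in acls.get(name, ()))

def parse_log_line(line):
    """Return (method, destination port) from a native-format CONNECT log line."""
    method, url = line.split()[5:7]
    if method != "CONNECT":                            # CONNECT logs a bare host:port
        raise ValueError("only CONNECT entries (host:port) are handled here")
    return method, int(url.rsplit(":", 1)[1])

def squid_would_allow(acls, method, port):
    """Assumed stock ordering: deny !Safe_ports, then deny CONNECT !SSL_ports."""
    if not port_matches(acls, "Safe_ports", port):
        return False
    return not (method == "CONNECT" and not port_matches(acls, "SSL_ports", port))

def check(conf, log_line):
    """True if the request in log_line would pass the port ACLs in conf."""
    return squid_would_allow(parse_port_acls(conf), *parse_log_line(log_line))
```

`check(SQUID_CONF, LOG_LINE)` reproduces the OP's denial; appending `acl SSL_ports port 8443` to the config makes it pass.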
 
#41157
Re:Troubles with an ip site 1 Year ago  
Tony!

You were my salvation!

Your answer was the solution: I added the port to the SSL_ports list and this opened the site.

Thanks again
Marco Malán
Junior Boarder
Posts: 39
 
#41206
Re:Troubles with an ip site 1 Year ago  
@Tony,
Clearly your solution has worked, but if the site is whitelisted, and squid bypassed for that IP/port in iptables, do you know why you needed your solution as well? Do you think there was more port 8443 traffic to different IPs or something else?
Nick Howitt
Platinum Boarder
Posts: 4146
 
#41207
Re:Troubles with an ip site 1 Year ago  
Sorry Nick - I wasn't following this, or indeed any other thread for that matter, in ClearOS closely recently... far too busy at work with database and system migrations...

Clearly Squid was not being bypassed, as squid was objecting to the traffic it was being asked to handle for which it didn't have an ACL. I don't have time to analyse the iptables rules, indeed I consider it is impossible without seeing all the iptables entries listed - order for instance is important - and I didn't notice a complete list anyway when I rather quickly scanned the thread...

So the quick and simple solution - since squid was the blocking agent from the log extract provided - was to change squid to allow the traffic...

Feel free to work with the OP as to why iptables wasn't doing the job... I didn't even look at his connection configuration - or indeed know whether it was clearly explained... I didn't read that far... just saw a plea for help and recognised an option for a quick fix in his append just before mine - I know I'm not being very helpful - sorry
Tony Ellis
Platinum Boarder
Posts: 1048