Join Log in
Score:0
HCSF avatar Server

Squid Proxy Server Not Accepting External Connection?

tr flag
HCSF

I am running squid 3.5.12 on Ubuntu.

I have the followings in /etc/squid/squid.conf

acl SSL_ports port 443
acl CONNECT method CONNECT
acl acl_allowed_ip src my.client.ip.address.com
http_access allow acl_allowed_ip
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

However, when I tried to telnet from the machine with my.client.ip.address.com, it just stuck there forever:

$ telnet my.squid.server.com 3128
Trying my.squid.server.com...
telnet: connect to address my.squid.server.com: Connection timed out

But if I telnet locally on my.squid.server.com, it works fine.

And I doubt checked that it is indeed the squid process listening to the port 3128:

# netstat -lp | grep 3128
tcp6       0      0 [::]:3128               [::]:*                  LISTEN      3142/(squid-1)

firewalld is not running:

# systemctl status firewalld
● firewalld.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

Any idea how this can be fixed?

====================

Update #1: output of iptables -nvL

Chain INPUT (policy ACCEPT 79M packets, 55G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 114M packets, 18G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
177
0 + 0
drookie avatar
za flag
drookie
Have you tried to connect to your squid externally, like `telnet your.host.tld 3128` ? If you'll have *Connection refused* then you can examine the `iptables -nvL` output.
0
Reply
HCSF avatar
tr flag
HCSF
@drookie yes, on an external machine (`my.client.ip.address.com`), I tried to run `telnet my.squid.server.com 3128`, but it got `Connection timed out`
0
Reply
drookie avatar
za flag
drookie
Then it's packet filter.
0
Reply
HCSF avatar
tr flag
HCSF
@drookie updated my post with `iptables -nvL`'s output. It looks okay to me tho.
0
Reply
drookie avatar
za flag
drookie
Yeah. Are the client (and I mean non-local one) and the server located in the same subnet or both are located in WAN/different prefixes ? Is there some sort of external packet filter ?
0
Reply
HCSF avatar
tr flag
HCSF
@drookie I found the issue -- apparently the server a cloud instance needs a port forwarding. My bad. Should have spotted this by using a dummy TCP server. Sorry!
1
Reply
cn flag
shearn89
Feel free to post your solution as an answer so this gets flagged as an answered question and you get more rep!
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.