Score:0

Squid Proxy Server Not Accepting External Connection?

tr flag

I am running squid 3.5.12 on Ubuntu.

I have the following in /etc/squid/squid.conf

acl SSL_ports port 443
acl CONNECT method CONNECT
acl acl_allowed_ip src my.client.ip.address.com
http_access allow acl_allowed_ip
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

However, when I tried to telnet from the machine with my.client.ip.address.com, it just got stuck there forever:

$ telnet my.squid.server.com 3128
Trying my.squid.server.com...
telnet: connect to address my.squid.server.com: Connection timed out

But if I telnet locally on my.squid.server.com, it works fine.

And I double-checked that it is indeed the squid process listening on port 3128:

# netstat -lp | grep 3128
tcp6       0      0 [::]:3128               [::]:*                  LISTEN      3142/(squid-1)  

firewalld is not running:

# systemctl status firewalld
● firewalld.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

Any idea how this can be fixed?

====================

Update #1: output of iptables -nvL

Chain INPUT (policy ACCEPT 79M packets, 55G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 114M packets, 18G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
drookie avatar
za flag
Have you tried to connect to your squid externally, like `telnet your.host.tld 3128` ? If you'll have *Connection refused* then you can examine the `iptables -nvL` output.
HCSF avatar
tr flag
@drookie yes, on an external machine (`my.client.ip.address.com`), I tried to run `telnet my.squid.server.com 3128`, but it got `Connection timed out`
drookie avatar
za flag
Then it's packet filter.
HCSF avatar
tr flag
@drookie updated my post with `iptables -nvL`'s output. It looks okay to me tho.
drookie avatar
za flag
Yeah. Are the client (and I mean the non-local one) and the server located in the same subnet, or are both located in the WAN/different prefixes? Is there some sort of external packet filter?
HCSF avatar
tr flag
@drookie I found the issue -- apparently the server, a cloud instance, needs port forwarding. My bad. Should have spotted this by using a dummy TCP server. Sorry!
cn flag
Feel free to post your solution as an answer so this gets flagged as an answered question and you get more rep!
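The dummy-TCP-server check mentioned in the comments, as an added example that is not from this thread: a throwaway listener that stands in for squid on the port under test, plus a probe that classifies the connect result the way the thread reasons about it (refused means the host answered but nothing listens or a REJECT rule hit; timeout means something upstream, such as a cloud security group or missing port forwarding, silently drops the packets). Assumes Python 3 on both ends; the hostnames are placeholders.

```python
import socket
import threading


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect attempt.

    'open'        -> a process answered (squid, or the dummy server below)
    'refused'     -> host reachable, but nothing listening or an iptables REJECT
    'timeout'     -> packets dropped silently upstream (security group, missing
                     cloud port forwarding, DROP rule); telnet shows "timed out"
    'unreachable' -> no route, or ICMP unreachable from an intermediate hop
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        s.close()


class DummyServer:
    """Minimal listener: if this is reachable remotely and squid is not, the
    problem is squid; if neither is reachable, the problem is the network path."""

    def __init__(self, host: str = "0.0.0.0", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 = let the kernel pick one
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listener closed
                return
            conn.close()  # accept and hang up; we only care about reachability

    def close(self) -> None:
        self.sock.close()
```

Run `DummyServer(port=3128)` on the server with squid stopped, then `probe("my.squid.server.com", 3128)` from the client: a "timeout" there, with the same probe returning "open" from the server itself, points at the cloud provider's filtering rather than at squid or local iptables.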