Posted in Linux Proxy Security

Squid cache manager error : socket: (13) Permission denied

July 12, 2007 - 8 comments

If you get the error

socket: (13) Permission denied

while trying to connect to the cache manager of Squid using cachemgr.cgi, it probably means SElinux is enabled and is preventing cgi files from making TCP connections.

Quick and dirty fix : disabling SElinux

Edit /etc/sysconfig/selinux

Change the value SELINUX to “disabled”

Clean fix : make a rule in SElinux to allow the connection

I don’t know much about SElinux yet, so if someone feels like pointing me to the right direction or submitting something, it is welcomed :)

Comments

Anas Alnffar

January 31, 2008 - 8:50

Hello Dear …
Actually I have Squid 2.6 in RedHat linux 5 …
every thing working with me good … just POP3 & SMTP still not connect … also if I have to put Squid IP is Gateway of my Pc … to connect direct without configure Proxy LAN in IE6.0 … how I can do this 2 points

Thank you for help

Sébastien Wains

January 31, 2008 - 11:50

Hi

I really don’t know much about Windows.
I actually think the “Internet Settings” thing in Internet Explorer is the system-wide option. You know how things in Windows are all tied up. If you set up your Proxy LAN in there, things like explorer or MSN will go through the proxy. I really can be wrong about it though, I’ve dumped Windows a while ago.

As to your problem with POP and SMTP.. Please provide more details, this could be anything (firewall, SElinux, etc.). Check your logs maybe ?

Regards

Anas Alnffar

February 2, 2008 - 16:23

Dear friend …

Actually I just finished from configure transparent proxy … and used steps in this link http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html#comment-142719
every thing working well with me … just I’m facing problem in access.log … when I put the Squid Server IP address as Router/Gateway. nothing appear in access.log, but when I setup up individual browsers to work with proxies, the loges store in access.log, please could you help me where I can find access.log in transparent proxy mode

Anas Alnffar

February 2, 2008 - 16:31

Dear friend

I did this Configuration,that I send before on last email(link).
but still facing problem in access.log

* Step #1 : Squid configuration so that it will act as a transparent proxy
* Step #2 : Iptables configuration
o a) Configure system as router
o b) Forward all http requests to 3128 (DNAT)
* Step #3: Run scripts and start squid service

First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.conf

Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where,

* httpd_accel_host virtual: Squid as an httpd accelerator
* httpd_accel_port 80: 80 is port you want to act as a proxy
* httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
* httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
* acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
* http_access allow localhost: Squid access to LAN and localhost ACL only
* http_access allow lan: — same as above –

Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines, thanks to David Klein for quick hint ):
# grep -v “^#” /etc/squid/squid.conf | sed -e ‘/^$/d’

OR, try out sed (thanks to kotnik for small sed trick)
# cat /etc/squid/squid.conf | sed ‘/ *#/d; /^ *$/d’

Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
Iptables configuration

Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :
iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j DNAT –to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-port 3128

Here is complete shell script. Script first configure Linux system as router and forwards all http request to port 3128 (Download the fw.proxy shell script):
#!/bin/sh
# squid server IP
SQUID_SERVER=“192.168.1.1″
# Interface connected to Internet
INTERNET=“eth0″
# Interface connected to LAN
LAN_IN=“eth1″
# Squid port
SQUID_PORT=“3128″
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state –state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables –table nat –append POSTROUTING –out-interface $INTERNET -j MASQUERADE
iptables –append FORWARD –in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp –dport 80 -j DNAT –to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp –dport 80 -j REDIRECT –to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on
Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.
How do I test my squid proxy is working correctly?

See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

Sébastien Wains

February 2, 2008 - 18:04

Please check this http://www.wains.be/index.php/2007/10/27/squid-26-transparent-proxy/

It may be the answer to your problem

Anas Alnffar

February 7, 2008 - 10:18

Thanks Swbastien

I fixed the problem …. thank u again dear

Anas Alnffar

February 23, 2008 - 8:46

Hello Dear,

could you tell me plz how can I doing Uninstall for Oracle application in RedHat 5? …

Best Regards

Sébastien Wains

February 23, 2008 - 11:08

If it was installed from yum… yum remove packagename

If it was installed from rpm.. rpm -e packagename

If it was compiled by hand.. you need to remove by hand, unless you got an uninstall script

Trackback URI Comments RSS

Leave Comment

Please consider visiting the partners below if you enjoyed this article :

If this post saved you time and money, please consider checking my Amazon wishlist.

Before submitting, some rules :
- Is your comment related to the article ?
- You're having a problem ? Have you checked Google, other howtos, docs, manpages ?
- You're still having the problem ? Have you raised log verbosity, checked traces, ran tcpdump ?
- Have you checked your configuratoin for typo ?
Unless your comment is providing additional info or respect the rules above, DON'T comment.
If you don't understand what you are doing, I urge you to read the documentation, I'm not your free Level 1 helpdesk guy.