iptables configuations for stunnel+squid

Question

I'm building a highly anonymous proxy server with squid and stunnel, and I'm facing a configurations problem on iptables.

The server should act like this:

browser <-> client stunnel <=> server stunnel <-> server squid <=> site

Wheres - means local traffic and = means internet tarffic.

Currently stunnel and squid are setup in the same server.

I'm a newbie of iptables, I have tried my best and set the rules below (dump via iptables-save):

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117178:91123876]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 14 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 16 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 18 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 30/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
# Completed on Tue Jan 26 12:54:01 2016

I discovery that I can't visit some websites while iptables rules are applied. I beilive that the iptables rules configurations are wrong but I don't know how to fix it, could someone help me out?

CONFIGURATIONS

squid:

# Squid Core Settings
http_port 3128
coredump_dir /var/spool/squid3

# ACL Settings
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all

# Anonymous Setting
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Cookie allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all  
request_header_access All deny all
header_replace User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
forwarded_for off

# Cacheing Settings
#cache_dir ufs /var/spool/squid3/cache/ufs 4096 16 256
#cache_dir aufs /var/spool/squid3/cache/aufs 4096 16 256
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

stunnel (client side):

[psk]
client = yes
accept = 127.0.0.1:8443
connect = SERVER_ADDR:PORT
PSKsecrets = psk.txt

[proxy]
client = yes
accept = 127.0.0.1:8089
connect = 127.0.0.1:8443
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
CAfile = cert.pem
verify = 2
checkHost = SERVER_ADDR

stunnel (server side):

pid = /run/stunnel.pid
chroot  = /var/lib/stunnel
client  = no
setuid  = stunnel
setgid  = stunnel
cert    = /etc/stunnel/cert.pem
key = /etc/stunnel/priv.pem

debug   = 7
;output = stunnel.log
foreground = yes

[PSK]
accept = 443
;accept = :::443
connect = 127.0.0.1:8443
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt

[squid]
accept = 127.0.0.1:8443
;accept = :::8443
connect = 127.0.1:3128
sslVersion = all
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PS
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE

LOGS

iptables DROP LOGS:

[144292.234289] IPTables-Dropped:   SRC=173.245.55.179  PROTO=TCP   SPT=50365   DPT=80
[144301.107881] IPTables-Dropped:   SRC=117.41.229.40   SPT=2008    DPT=8888    WINDOW=16384
[144360.343125] IPTables-Dropped:   SRC=80.82.79.104    SPT=42465   DPT=10000   WINDOW=1024
[144374.574490] IPTables-Dropped:   SRC=108.162.217.173 PROTO=TCP   SPT=35022   DPT=80
[144375.564623] IPTables-Dropped:   SRC=108.162.217.173 PROTO=TCP   SPT=35022   DPT=80
[144377.564581] IPTables-Dropped:   SRC=108.162.217.173 PROTO=TCP   SPT=35022   DPT=80
[144381.574600] IPTables-Dropped:   SRC=108.162.217.173 PROTO=TCP   SPT=35022   DPT=80
[144403.970319] IPTables-Dropped:   SRC=117.41.229.20   SPT=2002    DPT=3128    WINDOW=16384
[144404.914921] IPTables-Dropped:   SRC=82.114.86.90    PROTO=TCP   SPT=4020    DPT=3389
[144407.889798] IPTables-Dropped:   SRC=82.114.86.90    PROTO=TCP   SPT=4020    DPT=3389
[144431.102337] IPTables-Dropped:   SRC=117.41.229.40   SPT=2008    DPT=8888    WINDOW=16384
[144441.480311] IPTables-Dropped:   SRC=58.218.204.225  SPT=42147   DPT=8888    WINDOW=512
[144457.402085] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144458.400167] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144460.404178] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144460.754622] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144462.686286] IPTables-Dropped:   SRC=104.16.37.249   PROTO=TCP   SPT=443 DPT=54096
[144463.685486] IPTables-Dropped:   SRC=104.16.37.249   PROTO=TCP   SPT=443 DPT=54096
[144464.011240] IPTables-Dropped:   SRC=108.162.216.178 PROTO=TCP   SPT=38717   DPT=80
[144464.416256] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144465.689500] IPTables-Dropped:   SRC=104.16.37.249   PROTO=TCP   SPT=443 DPT=54096
[144468.827527] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144469.608763] IPTables-Dropped:   SRC=50.56.21.180    PROTO=TCP   SPT=443 DPT=46344
[144471.827936] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144474.224868] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144475.840049] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144477.713538] IPTables-Dropped:   SRC=104.16.37.249   PROTO=TCP   SPT=443 DPT=54096
[144480.228830] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144483.856005] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144484.630156] IPTables-Dropped:   SRC=50.56.21.180    PROTO=TCP   SPT=443 DPT=46344

stunnel ERROR LOGS (client side):

  32: 2016.01.26 02:29:54 LOG5[4962]: Service [proxy] accepted connection from 127.0.0.1:8421
  33: 2016.01.26 02:29:54 LOG5[4962]: s_connect: connected 127.0.0.1:8443
  34: 2016.01.26 02:29:54 LOG5[4962]: Service [proxy] connected remote server from 127.0.0.1:8422
  38: 2016.01.26 02:29:55 LOG3[4962]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
  39: 2016.01.26 02:29:55 LOG5[4962]: Connection reset: 373 byte(s) sent to SSL, 331 byte(s) sent to socket

squid access.log:

1453812536.918  58824 127.0.0.1 TCP_TUNNEL/200 1086 CONNECT www.google-analytics.com:443 - HIER_DIRECT/2404:6800:4004:80b::100e -
1453812622.722 239778 127.0.0.1 TAG_NONE/503 0 CONNECT stackoverflow.com:443 - HIER_NONE/- -
1453812661.330 240001 127.0.0.1 TAG_NONE/503 0 CONNECT syndication.twitter.com:443 - HIER_NONE/- -
1453812717.832  60713 127.0.0.1 TCP_MISS/503 5358 GET http://jeffreifman.com/how-to-install-your-own-private-e-mail-server-in-the-amazon-cloud-aws/estimating-costs/ - HIER_DIRECT/107.170.64.60 text/html
1453812718.832  60042 127.0.0.1 TAG_NONE/503 0 CONNECT www.mailgun.com:443 - HIER_NONE/- -

Did you figure this out? – Gilles Lesire Nov 16 '17 at 19:41 — Gilles Lesire, Nov 16 '17 at 19:41
Nope, I give up and frozen my project. – Hartman Nov 16 '17 at 21:40 — Hartman, Nov 16 '17 at 21:40

iptables configuations for stunnel+squid

CONFIGURATIONS

LOGS

0 Answers0