[squid-users] Mikrotik and Squid Transparent

Alex Samad alex at samad.com.au
Fri Jun 26 22:02:44 UTC 2015


Hi

Sorry, I'm missing something here.

I thought this was a Mikrotik rtr, presumably acting as a default
gateway for the local LAN to the internet.
It has a DNAT rule to capture all internet traffic that is port 80
(and presumably at some point in time port 443) and it DNATs it to the
SQUID box.

And there needs to be a special rule on the DGW to allow squid access
out to the internet without resending it back to the squid and
creating a loop.

From memory, that's how I used to do this, unless the DGW is large
enough to run squid, then DNAT to the local box and onto squid.

Why would there be a DoS for SQUID on another box? The only resources
I can think of are the NAT table, maybe conntrack.

Alex



On 26 June 2015 at 22:49, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 27/06/2015 12:14 a.m., Alex Samad wrote:
>> Aren't squid and NAT box different? That was my presumption.
>>
>
> Best not to.
>
> The dst-IP:port on the TCP packets entering the Squid machine is where
> Squid will send the outgoing server requests. If that dst-IP is the IP
> of the Squid machine itself you get into big DoS-level trouble really fast.
>
> Amos
>
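The router-side configuration Alex describes, as an added example in RouterOS syntax (not part of the thread), with constructed addresses and the assumption that the Squid host sits on a separate segment behind the router so its replies pass back through it:

```routeros
# Constructed example (not from the thread): NAT rules on the Mikrotik
# default gateway for the setup Alex describes.
# Assumed addresses: LAN 192.168.10.0/24 on interface "bridge-lan",
# Squid host 192.168.20.5 on a separate segment behind the router,
# Squid listening on port 3128 in intercept mode.
/ip firewall nat

# 1. The "special rule": connections originating from the Squid host
#    itself are accepted in dstnat before the redirect rule, so Squid's
#    own outbound port-80 requests are not sent back to Squid (the loop).
add chain=dstnat protocol=tcp dst-port=80 src-address=192.168.20.5 \
    action=accept comment="squid outbound: do not redirect"

# 2. Redirect every other LAN client's port-80 connection to Squid.
#    A matching dst-port=443 rule only makes sense once Squid is set up
#    for HTTPS interception; leave it out until then.
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=80 \
    src-address=192.168.10.0/24 \
    action=dst-nat to-addresses=192.168.20.5 to-ports=3128 \
    comment="transparent proxy: port 80 -> squid"

# Caveat (Amos's point above): after this dst-nat, packets arrive on the
# Squid host with dst-IP:port = 192.168.20.5:3128. The original server
# address was rewritten away on the router, so Squid cannot recover it
# from the socket, and the dst-IP it would use for the upstream
# connection is its own address.
```

On the Squid host the matching listener is `http_port 3128 intercept`; the caveat in the last comment is the reason Amos advises against splitting the NAT box and the Squid box.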

