[squid-users] Squid Intercept - From inside LAN with DNAT on router and docker on host

Antony Stone Antony.Stone at squid.open.source.it
Wed Jul 20 20:10:21 UTC 2016


On Wednesday 20 July 2016 at 21:42:27, Guilherme Scaglia wrote:

> I'm aiming for a transparent proxy - with squid in intercept mode.
> 
> In my network setup, the squid server is inside the LAN together with its
> clients, and not sitting between the clients and the router/modem

That will be a problem for intercept mode.

> My router is a Mikrotik router board, so it's trivial to set up a DNAT rule
> to redirect all TCP requests to the squid server.

That won't work.  You *must* perform the DNAT on the machine running Squid, 
which means that the packets from your clients must pass through the Squid 
server, either because it is in the default route, or because you use some 
form of policy routing (not NAT) to direct port 80 requests through it.

> What's happening? Why doesn't squid try to fetch the requested pages at
> all?

Because you are not doing NAT on the Squid machine.

> From my understanding, my setup is roughly equivalent to
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat, only the
> DNAT is happening outside the squid box; there is no reason this should
> interfere with anything.

Oh yes there is :)

> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> seems to recommend routing without DNAT; this seems weird, as the only way
> I can see this working is if the squid machine accepted packets to any
> address as their own.

No, you are not sending the packets *to* the Squid machine, you are routing 
them *via* the Squid machine.

After all, you are currently sending packets to addresses all over the Internet 
via your Mikrotik board, and it's quite happy with those :)


Regards,


Antony.

-- 
I think broken pencils are pointless.

                                                   Please reply to the list;
                                                         please *don't* CC me.
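The point Antony makes above (the DNAT has to happen on the Squid host, not on the router) follows from how an intercepting proxy learns where a client actually wanted to go: on Linux, Squid asks the kernel's NAT table for the connection's original destination, and that table only knows about rewrites performed on the same box. The following toy model is an added illustration, not code from the thread or from Squid; the hosts, addresses and the `Host`/`Packet` classes are constructed for the example, and `original_dst` stands in for the `SO_ORIGINAL_DST` lookup Squid performs.

```python
"""
Toy model of why interception needs the DNAT on the Squid host itself.

Constructed example: each host keeps a conntrack-style NAT table. A DNAT
(or REDIRECT) rewrites the packet's destination and records the original
destination in the table of the host that did the rewrite. An intercepting
proxy recovers the original destination only from its own host's table. If
the rewrite happened on another box (the router), the lookup on the Squid
host finds nothing and the only destination visible is the proxy's own
address, i.e. a request addressed to Squid itself.
"""
from dataclasses import dataclass, field

# Assumed addresses for the example (RFC 1918 LAN, documentation-range origin).
SQUID_IP, SQUID_PORT = "192.168.1.10", 3129
CLIENT_IP = "192.168.1.50"
ORIGIN = ("203.0.113.80", 80)


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


@dataclass
class Host:
    name: str
    # conntrack-style mapping: source endpoint -> original destination
    nat_table: dict = field(default_factory=dict)

    def dnat(self, pkt: Packet, new_dst: tuple) -> Packet:
        """Model of `iptables -t nat ... -j DNAT/REDIRECT`: rewrite the
        destination and remember the original one in this host's table."""
        self.nat_table[pkt.src] = pkt.dst
        return Packet(pkt.src, new_dst)

    def original_dst(self, pkt: Packet) -> tuple:
        """Model of SO_ORIGINAL_DST: consult only this host's own NAT table.
        Without a local NAT entry the answer is just the packet's current
        destination."""
        return self.nat_table.get(pkt.src, pkt.dst)


def intercept(squid_host: Host, pkt: Packet) -> dict:
    """What an intercepting proxy running on squid_host can learn about pkt."""
    dst = squid_host.original_dst(pkt)
    if dst == (SQUID_IP, SQUID_PORT):
        # The recovered destination is the proxy's own listening socket:
        # nothing to fetch, and forwarding it would loop back to the proxy.
        return {"ok": False, "reason": "original destination unknown; "
                                       "request appears addressed to the proxy itself"}
    return {"ok": True, "origin": dst}


def scenario_router_dnat() -> dict:
    """DNAT on the Mikrotik, Squid host sitting beside the clients on the LAN."""
    router, squid = Host("router"), Host("squid")
    pkt = Packet((CLIENT_IP, 40000), ORIGIN)
    pkt = router.dnat(pkt, (SQUID_IP, SQUID_PORT))  # rewrite happens on the router
    return intercept(squid, pkt)                     # squid host's NAT table is empty


def scenario_local_dnat() -> dict:
    """Traffic routed *via* the Squid box (policy routing), REDIRECT done there."""
    squid = Host("squid")
    pkt = Packet((CLIENT_IP, 40000), ORIGIN)
    pkt = squid.dnat(pkt, (SQUID_IP, SQUID_PORT))   # PREROUTING REDIRECT on the Squid box
    return intercept(squid, pkt)                     # original destination recoverable


if __name__ == "__main__":
    print("DNAT on router:", scenario_router_dnat())
    print("DNAT on Squid host:", scenario_local_dnat())
```

The model deliberately ignores Host-header handling and TLS; its only purpose is to show that the original destination travels with the NAT state of the rewriting host, which is why the wiki's policy-routing page sends packets through the Squid box rather than to it.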

