[squid-users] Transparent Proxy

Antony Stone Antony.Stone at squid.open.source.it
Wed Sep 7 09:27:06 UTC 2016


On Wednesday 07 September 2016 at 10:51:49, John Sayce wrote:

> I believe so.  The specific command I used was:
> 
> iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 3128
> 
> (For some reason my adapter is ens33, I have no idea why it's not eth0. 
> Squid is set to run on 3128.)

That looks okay, then.

> It's fair to say I have almost no experience with iptables.  Is it iptables
> that should be doing the address translation?

Yes - the rule above tells the machine to take any packet addressed to port 80 
on any address and send it instead to the local machine (REDIRECT changes the 
destination address to 127.0.0.1, even though that's not obvious) and port 
3128.

> when the packet is sent back to the client?

Correct.  IPtables' address translation rules are automatically symmetrical - 
when a packet gets translated in one direction, a record is kept that it was 
done, and then the reply packet is automatically reverse-translated when it 
comes back in the other direction.

This is true no matter whether packets are going *through* the IPtables 
machine (ie: it's acting as a router), or whether they're being processed *on* 
the IPtables machine (as in this case).

I think we need to know more about your squid setup.

Please tell us which version of squid you are using, and post here your 
squid.conf file without comments or blank lines.


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                   Please reply to the list;
                                                         please *don't* CC me.
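
The translation record described in the message above can be inspected on the proxy machine to confirm that the REDIRECT rule is matching. As an added example (not part of the original message), this Python code parses lines in the format printed by `conntrack -L` and reports flows whose destination was rewritten to Squid's port; the sample lines, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample in the format printed by `conntrack -L` (conntrack-tools).
# Assumed addresses: client 192.168.1.10, proxy machine 192.168.1.1.
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=80 src=192.168.1.1 dst=192.168.1.10 sport=3128 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431800 ESTABLISHED src=192.168.1.10 dst=192.168.1.1 sport=40022 dport=22 src=192.168.1.1 dst=192.168.1.10 sport=22 dport=40022 [ASSURED] mark=0 use=1
icmp     1 29 src=192.168.1.10 dst=192.168.1.1 type=8 code=0 id=1234 src=192.168.1.1 dst=192.168.1.10 type=0 code=0 id=1234 mark=0 use=1
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_entry(line):
    """Return (original, reply) tuples as dicts, or None when the entry
    does not carry two full address/port tuples (e.g. ICMP)."""
    fields = FIELD.findall(line)
    if len(fields) < 8:
        return None
    return dict(fields[:4]), dict(fields[4:8])


def redirected_flows(text, proxy_port="3128"):
    """List flows whose destination NAT rewrote to proxy_port."""
    hits = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        orig, reply = parsed
        # Without NAT the reply tuple mirrors the original one. After a
        # destination rewrite, the reply comes from a different
        # address/port than the client asked for; conntrack uses this
        # record to reverse-translate reply packets.
        rewritten = (reply["src"], reply["sport"]) != (orig["dst"], orig["dport"])
        if rewritten and reply["sport"] == proxy_port:
            hits.append({
                "client": orig["src"],
                "requested": f'{orig["dst"]}:{orig["dport"]}',
                "answered_by": f'{reply["src"]}:{reply["sport"]}',
            })
    return hits


if __name__ == "__main__":
    for flow in redirected_flows(SAMPLE):
        print(flow)
```

If port 80 traffic from a client shows no such entry, the packets are not reaching the PREROUTING rule on that machine.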

