[squid-users] Transparent Proxy

Amos Jeffries squid3 at treenet.co.nz
Wed Sep 7 13:44:21 UTC 2016


On 7/09/2016 9:27 p.m., Antony Stone wrote:
> On Wednesday 07 September 2016 at 10:51:49, John Sayce wrote:
> 

FYI: John. Please be careful about your use of the word "forward" and
"forwarding". Both NAT and routing are methods of forwarding, but which
one is used at each particular step of the packet's path through your
network from client to Squid matters A LOT.

Some routers offer "forwarding" options / settings, which actually NAT.
That will break MITM Squid installations which require routing only
outside the Squid machine.


>> I believe so.  The specific command I used was:
>>
>> iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>>
>> (For some reason my adapter is ens33, I have no idea why it's not eth0. 
>> Squid is set to run on 3128.)
> 
> That looks okay, then.
> 
>> It's fair to say I have almost no experience with iptables.  Is it iptables
>> that should be doing the address translation?
> 
> Yes - the rule above tells the machine to take any packet addressed to port 80 
> on any address and send it instead to the local machine (REDIRECT changes the 
> destination address to 127.0.0.1, even though that's not obvious) and port 
> 3128.

No it does not change the IP to localhost. It changes the address to the
machine's primary IP. If that is localhost IP then something is wrong in
the machine's network interface configuration - which may lead to trouble.


> 
>> when the packet is sent back to the client?
> 
> Correct.  IPtables' address translation rules are automatically symmetrical - 
> when a packet gets translated in one direction, a record is kept that it was 
> done, and then the reply packet is automatically reverse-translated when it 
> comes back in the other direction.
> 
> This is true no matter whether packets are going *through* the IPtables 
> machine (ie: it's acting as a router), or whether they're being processed *on* 
> the IPtables machine (as in this case).
> 
> I think we need to know more about your squid setup.
> 
> Please tell us which version of squid you are using, and post here your 
> squid.conf file without comments or blank lines.
> 


Amos
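As an added illustration (not part of the thread or of Squid's own code), the following Python model walks through the three points above: REDIRECT in PREROUTING rewrites the destination to the primary address of the incoming interface rather than 127.0.0.1, conntrack reverse-translates the reply so the client sees the server it originally addressed, and a router that "forwards" port 80 with NAT before the packet reaches the Squid machine leaves Squid with its own IP as the recovered original destination. The NatBox class, the conntrack structure and the RFC 5737 addresses are constructed for the example; the only real-world behaviour assumed is that REDIRECT/DNAT rewrite the destination, that conntrack un-NATs replies, and that Squid's intercept mode asks the kernel for the pre-NAT destination (SO_ORIGINAL_DST on Linux).

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One TCP segment, reduced to the 4-tuple netfilter NAT cares about."""
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """A Linux host with one nat/PREROUTING rule and a conntrack table.

    Constructed model, not netfilter itself. to_ip=None models
    `-j REDIRECT --to-port N`: the destination becomes the primary address
    of the incoming interface. A to_ip models a router doing
    `-j DNAT --to-destination IP:N` instead.
    """

    def __init__(self, primary_ip: str, match_dport: int, to_port: int,
                 to_ip: Optional[str] = None) -> None:
        self.primary_ip = primary_ip
        self.match_dport = match_dport          # --dport 80
        self.to_port = to_port                  # --to-port 3128
        self.to_ip = to_ip                      # None => REDIRECT, else DNAT
        # conntrack: post-NAT 4-tuple -> the packet as it arrived (pre-NAT)
        self.conntrack: Dict[Tuple[str, int, str, int], Packet] = {}

    def prerouting(self, pkt: Packet) -> Packet:
        """Run an arriving packet through the nat/PREROUTING rule."""
        if pkt.dport != self.match_dport:
            return pkt
        # REDIRECT on PREROUTING rewrites to the incoming interface's primary
        # address; only locally generated packets (OUTPUT chain) get 127.0.0.1.
        new_dst = self.to_ip if self.to_ip is not None else self.primary_ip
        nat = replace(pkt, dst=new_dst, dport=self.to_port)
        self.conntrack[(nat.src, nat.sport, nat.dst, nat.dport)] = pkt
        return nat

    def original_dst(self, nat: Packet) -> Tuple[str, int]:
        """The pre-NAT destination, i.e. what Squid's intercept mode asks the
        kernel for (SO_ORIGINAL_DST) to learn where the client really wanted to go."""
        orig = self.conntrack[(nat.src, nat.sport, nat.dst, nat.dport)]
        return orig.dst, orig.dport

    def reply(self, pkt: Packet) -> Packet:
        """Un-NAT a reply leaving the box: conntrack makes the translation
        symmetric, so the client sees the server it originally addressed."""
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return pkt                          # not a tracked NAT flow
        return replace(pkt, src=orig.dst, sport=orig.dport)


# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
CLIENT = "192.0.2.50"
SQUID_BOX = "192.0.2.10"
ROUTER = "198.51.100.1"
WEB_SERVER = "203.0.113.5"


def routed_scenario() -> Tuple[Packet, Tuple[str, int], Packet]:
    """Router only routes; the Squid box does the REDIRECT itself."""
    squid = NatBox(SQUID_BOX, match_dport=80, to_port=3128)
    client_syn = Packet(CLIENT, 40000, WEB_SERVER, 80)
    seen_by_squid = squid.prerouting(client_syn)           # dst = SQUID_BOX:3128
    wanted = squid.original_dst(seen_by_squid)             # (WEB_SERVER, 80)
    squid_reply = Packet(seen_by_squid.dst, seen_by_squid.dport,
                         seen_by_squid.src, seen_by_squid.sport)
    back_to_client = squid.reply(squid_reply)              # src = WEB_SERVER:80
    return seen_by_squid, wanted, back_to_client


def upstream_nat_scenario() -> Tuple[str, int]:
    """Router 'forwards' port 80 with DNAT to the Squid box before routing.

    The Squid box's conntrack only ever saw a packet addressed to itself, so
    the original destination Squid recovers is its own IP: a forwarding loop,
    which is what the thread warns about with NAT outside the Squid machine.
    """
    router = NatBox(ROUTER, match_dport=80, to_port=80, to_ip=SQUID_BOX)
    squid = NatBox(SQUID_BOX, match_dport=80, to_port=3128)
    client_syn = Packet(CLIENT, 40000, WEB_SERVER, 80)
    after_router = router.prerouting(client_syn)           # dst = SQUID_BOX:80
    seen_by_squid = squid.prerouting(after_router)         # dst = SQUID_BOX:3128
    return squid.original_dst(seen_by_squid)               # (SQUID_BOX, 80)


if __name__ == "__main__":
    seen, wanted, back = routed_scenario()
    print("Squid accepts on", (seen.dst, seen.dport), "original dst", wanted)
    print("client sees reply from", (back.src, back.sport))
    print("with upstream NAT, Squid thinks original dst is", upstream_nat_scenario())
```

The second scenario is the practical check to make when an intercept setup misbehaves: if `original_dst` comes back as the Squid machine's own address, something before the Squid box already rewrote the destination, and no squid.conf change will recover it.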
