[squid-users] Intercept mode failing

Hoggins! fuckspam at wheres5.com
Tue Jan 3 09:17:54 UTC 2017


Hello list,

I'm trying to do a simple intercept with Squid. Here is my setup:

I have a LAN with machines on 192.168.22.0/24. Their gateway is
192.168.22.10. On this machine, I have set the following iptables rule:

    iptables -t nat -A PREROUTING -i eth0.100 ! -d 192.168.0.0/16 -p tcp --dport 80 -j DNAT --to 192.168.55.3:3129

    - eth0.100 because it's on a VLAN
    - 192.168.55.3 being the Squid server, directly connected to the
      Internet, on a network my gateway has the routes for

On the Squid server (192.168.55.3), I have configured the following
options in squid.conf:

    - (default localnet ACLs were fine, as well as Safe_ports setting)
    - tcp_outgoing_address 1.2.3.4 (the public address the server is
      attached to. There are several interfaces)
    - http_port 3129 intercept
    - http_access allow localnet
    - http_access allow localhost
    - http_access deny all

Now, if I issue a curl http://google.fr on a LAN machine
(192.168.22.129), I get the Squid error page saying "Access Denied", and
the Squid server log shows the following:

    1483434892.803      0 1.2.3.4 TCP_DENIED/403 4032 GET http://google.fr/ - HIER_NONE/- text/html
    1483434892.804     17 192.168.22.129 TCP_MISS/403 4146 GET http://google.fr/ - ORIGINAL_DST/192.168.55.3 text/html


"Normal" proxying works fine with this Squid setup (I also have a
"http_port 3128" with no option, and explicitly setting the proxy
address on the LAN hosts works fine).

Do you have an idea of what my mistakes are?

Thank you for your input!

    Hoggins!
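
An added example, not part of the original post: a Python check over Squid's native access.log format that flags the two patterns visible in the entries quoted above, a request forwarded to ORIGINAL_DST at one of the proxy's own addresses and a request whose client is one of the proxy's own addresses. The function names and the third log line are constructed for illustration; the addresses are the ones given in the post.

```python
from typing import NamedTuple, Optional

# Addresses of the Squid host as given in the post
# (the DNAT target and the tcp_outgoing_address).
PROXY_ADDRS = frozenset({"192.168.55.3", "1.2.3.4"})

# First two entries are from the post; the third is constructed for contrast.
SAMPLE_LOG = """\
1483434892.803      0 1.2.3.4 TCP_DENIED/403 4032 GET http://google.fr/ - HIER_NONE/- text/html
1483434892.804     17 192.168.22.129 TCP_MISS/403 4146 GET http://google.fr/ - ORIGINAL_DST/192.168.55.3 text/html
1483434900.100     42 192.168.22.129 TCP_MISS/200 5120 GET http://example.com/ - ORIGINAL_DST/203.0.113.10 text/html
"""


class Entry(NamedTuple):
    ts: float
    client: str
    result: str
    status: int
    url: str
    hier: str
    peer: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one line of Squid's native access.log format; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    if not status.isdigit():
        return None
    return Entry(float(f[0]), f[2], result, int(status), f[6], hier, peer)


def find_loop_signs(log_text: str, proxy_addrs=PROXY_ADDRS):
    """Return (timestamp, flag, client, url) for entries that involve the proxy itself."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        # Squid forwarded the request to an address that belongs to Squid.
        if e.hier == "ORIGINAL_DST" and e.peer in proxy_addrs:
            findings.append((e.ts, "forwarded-to-self", e.client, e.url))
        # The request arrived from one of Squid's own addresses.
        if e.client in proxy_addrs:
            findings.append((e.ts, "request-from-self", e.client, e.url))
    return findings
```

Both flags on the same URL within a millisecond, as in the two entries from the post, mean the proxy forwarded the client's request to its own address and then denied that second request.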
