<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Squid 3.5.x?<br>
    <br>
    <div class="moz-cite-prefix">24.06.15 18:03, Dalmar пишет:<br>
    </div>
    <blockquote
cite="mid:CAFUu-GvSHj=X-_usesoYDY-fe2Vss9zsNFRr9bZnE5ThDdUR2w@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style="font-size:12.8000001907349px">Hi,</div>
        <div style="font-size:12.8000001907349px">For over two weeks i
          am having a really headache in configuring squid
          transparent/intercept. </div>
        <div style="font-size:12.8000001907349px">I have tried different
          options and configurations but i couldn't get it to work.</div>
        <div style="font-size:12.8000001907349px">i think the problems
          lies in the Iptables / NAT but i really couldn't solve it. </div>
        <div style="font-size:12.8000001907349px">I have tried different
          iptable rules including the intercept linuxDnat - sysctl
          configuration, but didnt work.</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px"># your proxy IP</div>
        <div style="font-size:12.8000001907349px">SQUIDIP=X.X.X.X</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px"># your proxy listening
          port</div>
        <div style="font-size:12.8000001907349px">SQUIDPORT=XXXX</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px">iptables -t nat -A
          PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT</div>
        <div style="font-size:12.8000001907349px">iptables -t nat -A
          PREROUTING -p tcp --dport 80 -j DNAT --to-destination
          $SQUIDIP:$SQUIDPORT</div>
        <div style="font-size:12.8000001907349px">iptables -t nat -A
          POSTROUTING -j MASQUERADE</div>
        <div style="font-size:12.8000001907349px">iptables -t mangle -A
          PREROUTING -p tcp --dport $SQUIDPORT -j DROP</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px">i have to say that
          squid works well when i configure in the client browsers.</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px">at the mikrotik side,
          i am using DST-NAT chain port 80 pro TCP action DST-NAT to
          address squidIP and Port</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px">i am using ubuntu
          server 15.04 using squid 3.3.8 and this is my configuration
          and the errors i get:</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px">            <span style="white-space:pre-wrap">        </span> 
                   ------ eth0 WAN <----- MAIN WAN Public IP Internet</div>
        <div style="font-size:12.8000001907349px">               
           MK---|</div>
        <div style="font-size:12.8000001907349px">       <span style="white-space:pre-wrap">        </span> 
                           ------ eth1 LAN</div>
        <div style="font-size:12.8000001907349px">                     
              |</div>
        <div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap">   </span> 
                           ------ eth2 Proxy</div>
        <div style="font-size:12.8000001907349px">                  </div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap">           </span> 
                 ------ eth0 WAN ---> Public IP --> Internet
          --> gets internet from 24online / another Mikrotik</div>
        <div style="font-size:12.8000001907349px">  <span style="white-space:pre-wrap">       </span>  
           Squid---|</div>
        <div style="font-size:12.8000001907349px">       <span style="white-space:pre-wrap">        </span> 
                        ------ eth1 Proxy</div>
        <div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap">           </span> 
               |</div>
        <div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap">           </span> 
                ------ eth2 webmin --> For server Management</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px">-error1: if no
          intercept/transparent and no iptables is configured</div>
        <div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap">   </span>-Invalid
          URL -  The requested url could not be retrieved</div>
        <div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap">   </span>-but
          if proxy is configured in the user browser - it works!</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px">-error2:if intercept
          and iptable DNAT is configured </div>
        <div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap">   -</span>Access
          Denied and in the access log TCP-MISS/403</div>
        <div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap">   -</span>no
          forward proxy port configured </div>
        <div style="font-size:12.8000001907349px">        -security
          alert : host header forgery detected on local= SquidIP:8080
          remote:mikrotikIP (local ip does not match any domain name)</div>
        <div style="font-size:12.8000001907349px">        -warning :
          forwarding loop detected (x-Forwarded-for mikrotik lan IP)</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px">squid.conf</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px">acl localnet src <a
            moz-do-not-send="true" href="http://10.0.0.0/8"
            target="_blank">10.0.0.0/8</a><span style="white-space:pre-wrap">        </span>#
          RFC1918 possible internal network</div>
        <div style="font-size:12.8000001907349px">acl localnet src <a
            moz-do-not-send="true" href="http://192.168.0.0/16"
            target="_blank">192.168.0.0/16</a><span style="white-space:pre-wrap">    </span>#
          RFC1918 possible internal network</div>
        <div style="font-size:12.8000001907349px">acl SSL_ports port 443</div>
        <div style="font-size:12.8000001907349px">acl Safe_ports port 80<span style="white-space:pre-wrap">             </span>#
          http</div>
        <div style="font-size:12.8000001907349px">acl Safe_ports port 21<span style="white-space:pre-wrap">             </span>#
          ftp</div>
        <div style="font-size:12.8000001907349px">acl Safe_ports port
          443<span style="white-space:pre-wrap">                </span># https</div>
        <div style="font-size:12.8000001907349px">acl Safe_ports port 70<span style="white-space:pre-wrap">             </span>#
          gopher</div>
        <div style="font-size:12.8000001907349px">acl Safe_ports port
          210<span style="white-space:pre-wrap">                </span># wais</div>
        <div style="font-size:12.8000001907349px">acl Safe_ports port
          1025-65535<span style="white-space:pre-wrap"> </span>#
          unregistered ports</div>
        <div style="font-size:12.8000001907349px">acl Safe_ports port
          280<span style="white-space:pre-wrap">                </span># http-mgmt</div>
        <div style="font-size:12.8000001907349px">acl Safe_ports port
          488<span style="white-space:pre-wrap">                </span># gss-http</div>
        <div style="font-size:12.8000001907349px">acl Safe_ports port
          591<span style="white-space:pre-wrap">                </span># filemaker</div>
        <div style="font-size:12.8000001907349px">acl Safe_ports port
          777<span style="white-space:pre-wrap">                </span># multiling
          http</div>
        <div style="font-size:12.8000001907349px">acl CONNECT method
          CONNECT</div>
        <div style="font-size:12.8000001907349px">http_access deny
          !Safe_ports</div>
        <div style="font-size:12.8000001907349px">http_access deny
          CONNECT !SSL_ports</div>
        <div style="font-size:12.8000001907349px">http_access allow
          localhost manager</div>
        <div style="font-size:12.8000001907349px">http_access deny
          manager</div>
        <div style="font-size:12.8000001907349px">http_access allow
          localnet</div>
        <div style="font-size:12.8000001907349px">http_access allow
          localhost</div>
        <div style="font-size:12.8000001907349px">http_access deny all</div>
        <div style="font-size:12.8000001907349px">http_port 8080</div>
        <div style="font-size:12.8000001907349px">http_port 8181</div>
        <div style="font-size:12.8000001907349px">cache_mem 2000 MB</div>
        <div style="font-size:12.8000001907349px">cache_dir ufs
          /var/spool/squid3 100000 16 256</div>
        <div style="font-size:12.8000001907349px">coredump_dir
          /var/spool/squid3</div>
        <div style="font-size:12.8000001907349px">refresh_pattern ^ftp:<span style="white-space:pre-wrap">              </span>1440<span style="white-space:pre-wrap">    </span>20%<span style="white-space:pre-wrap">     </span>10080</div>
        <div style="font-size:12.8000001907349px">refresh_pattern
          ^gopher:<span style="white-space:pre-wrap">   </span>1440<span style="white-space:pre-wrap">    </span>0%<span style="white-space:pre-wrap">      </span>1440</div>
        <div style="font-size:12.8000001907349px">refresh_pattern -i
          (/cgi-bin/|\?) 0<span style="white-space:pre-wrap">   </span>0%<span style="white-space:pre-wrap">      </span>0</div>
        <div style="font-size:12.8000001907349px">refresh_pattern
          (Release|Packages(.gz)*)$      0       20%     2880</div>
        <div style="font-size:12.8000001907349px">refresh_pattern .<span style="white-space:pre-wrap">          </span>0<span style="white-space:pre-wrap">       </span>20%<span style="white-space:pre-wrap">     </span>4320</div>
        <div style="font-size:12.8000001907349px">cache_effective_user
          proxy</div>
        <div style="font-size:12.8000001907349px">cache_effective_group
          proxy</div>
        <div style="font-size:12.8000001907349px"><br>
        </div>
        <div style="font-size:12.8000001907349px">----------------------------------------</div>
        <div style="font-size:12.8000001907349px">I am really confused,
          can anyone guide me please.</div>
        <div style="font-size:12.8000001907349px">Thanks in advance</div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>