<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Squid 3.5.x?<br>
    <br>
    <div class="moz-cite-prefix">On 24.06.15 17:59, Dalmar wrote:<br>
    </div>
    <blockquote
cite="mid:CAFUu-Gv6XqzwNAR8G6-w59J8PGOAnnUs8-69+y7d5bQw3S3wmQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Hi,</div>
        <div>For over two weeks I have been having a real headache
          configuring Squid transparent/intercept.</div>
        <div>I have tried different options and configurations but I
          couldn't get it to work.</div>
        <div>I think the problem lies in the iptables / NAT but I
          really couldn't solve it.</div>
        <div>I have tried different iptables rules, including the
          intercept LinuxDnat / sysctl configuration, but it didn't work.</div>
        <div><br>
        </div>
        <pre>
# your proxy IP
SQUIDIP=X.X.X.X

# your proxy listening port
SQUIDPORT=XXXX

# let the proxy's own outbound port-80 traffic through untouched
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
# send everyone else's port-80 traffic to the proxy
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
# drop direct connections to the proxy port
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
        </pre>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>I have to say that Squid works well when I configure it in the
          client browsers.</div>
        <div><br>
        </div>
        <div>On the Mikrotik side, I am using a DST-NAT chain rule: port 80,
          protocol TCP, action DST-NAT to the Squid IP and port.</div>
        <div><br>
        </div>
        <div>I am using Ubuntu Server 15.04 with Squid 3.3.8, and this
          is my configuration and the errors I get:</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <pre>
         ------ eth0 WAN &lt;----- MAIN WAN Public IP Internet
   MK---|
         ------ eth1 LAN
         |
         ------ eth2 Proxy


            ------ eth0 WAN ---&gt; Public IP --&gt; Internet --&gt; gets internet from 24online / another Mikrotik
   Squid---|
            ------ eth1 Proxy
            |
            ------ eth2 webmin --&gt; For server Management
        </pre>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Error 1: if no intercept/transparent and no iptables rules are
          configured:</div>
        <div>- Invalid URL - The requested URL could not be retrieved</div>
        <div>- but if the proxy is configured in the user's browser, it works!</div>
        <div><br>
        </div>
        <div>Error 2: if intercept and the iptables DNAT are configured:</div>
        <div>- Access Denied, and in the access log TCP_MISS/403</div>
        <div>- no forward proxy port configured</div>
        <div>- security alert: host header forgery detected on
          local=SquidIP:8080 remote=mikrotikIP (local IP does not match
          any domain name)</div>
        <div>- warning: forwarding loop detected
          (X-Forwarded-For: Mikrotik LAN IP)</div>
        <div><br>
        </div>
        <div>squid.conf</div>
        <pre>
acl localnet src 10.0.0.0/8             # RFC1918 possible internal network
acl localnet src 192.168.0.0/16         # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80                  # http
acl Safe_ports port 21                  # ftp
acl Safe_ports port 443                 # https
acl Safe_ports port 70                  # gopher
acl Safe_ports port 210                 # wais
acl Safe_ports port 1025-65535          # unregistered ports
acl Safe_ports port 280                 # http-mgmt
acl Safe_ports port 488                 # gss-http
acl Safe_ports port 591                 # filemaker
acl Safe_ports port 777                 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080
http_port 8181
cache_mem 2000 MB
cache_dir ufs /var/spool/squid3 100000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:                   1440    20%     10080
refresh_pattern ^gopher:                1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?)       0       0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .                       0       20%     4320
cache_effective_user proxy
cache_effective_group proxy
        </pre>
        <div><br>
        </div>
        <div>----------------------------------------</div>
        <div>I am really confused; can anyone guide me, please?</div>
        <div>Thanks in advance.</div>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
    </blockquote>
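    <p>Added example, not Dalmar's configuration and not Squid's own code: a small Python model of the two decisions behind the errors quoted above. An <code>http_port</code> without the <code>intercept</code> flag only understands absolute URIs (<code>GET http://host/path</code>) from proxy-aware clients; an origin-form request (<code>GET /path</code> plus a <code>Host</code> header, which is what a browser sends to the origin server and what DNAT delivers to the proxy) gets "Invalid URL" there. On an <code>intercept</code> port Squid recovers the pre-NAT destination from the NAT table on the Squid host itself and checks that the <code>Host</code> header resolves to it; when the DNAT was done on the Mikrotik, nothing is recorded on the Squid host, the only destination it can see is its own listening socket, and the check fails with "host header forgery detected on local=SquidIP:8080". With <code>host_verify_strict</code> off (the default) Squid forwards to the recovered destination instead of the <code>Host</code> name; in the model that destination is the proxy itself, which is reported as a forwarding loop. The addresses, the resolver table, and the status code used for the loop case are assumptions made for the model.</p>

```python
"""Toy model of an intercepting proxy's request handling.

Added example, not Squid's code: it models the behaviour Squid documents
for 'http_port ... intercept' and 'host_verify_strict'.  Addresses and the
resolver table are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed addresses: a hypothetical "SquidIP:8080" and the origin server.
PROXY_IP, PROXY_PORT = "10.0.0.2", 8080
ORIGIN_IP = "203.0.113.10"

# Constructed resolver table standing in for DNS.
DNS_TABLE = {"example.com": {ORIGIN_IP}}


def resolve(name: str) -> set[str]:
    """Stand-in for a DNS lookup; IP literals resolve to themselves."""
    return DNS_TABLE.get(name.lower(), set()) | {name}


@dataclass
class Result:
    status: int                          # 0 = forward, else HTTP error code
    reason: str
    next_hop: Optional[tuple[str, int]] = None


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split an HTTP/1.x request head into method, request-target, headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def handle(raw: bytes, *, intercept: bool, original_dst: tuple[str, int],
           strict: bool = False) -> Result:
    """Decide what one listening port does with one request.

    intercept    -- the port carries the 'intercept' flag
    original_dst -- pre-NAT destination as read from the *local* NAT table.
                    If the DNAT ran on another box (the Mikrotik), nothing is
                    recorded locally and the best the proxy can see is the
                    address its own socket accepted on.
    strict       -- models host_verify_strict on/off
    """
    _method, target, headers = parse_request(raw)

    # absolute-form ("GET http://host/path"): what a browser sends when the
    # proxy is configured in its settings.  Works on any port.
    if target.startswith("http://"):
        u = urlsplit(target)
        return Result(0, "absolute-form request, forward-proxy semantics",
                      (u.hostname or "", u.port or 80))

    # origin-form ("GET /path"): the intended origin is not in the request
    # line.  A port without 'intercept' has no NAT table to consult.
    if not intercept:
        return Result(400, "Invalid URL: origin-form request on a "
                           "forward-proxy port")

    hostname, _, hostport = headers.get("host", "").partition(":")
    ip, port = original_dst
    if ip in resolve(hostname) and port == int(hostport or 80):
        return Result(0, "Host header matches the NAT destination", (ip, port))

    # Host header does not resolve to where the packet was really addressed.
    msg = f"host header forgery detected on local={ip}:{port}"
    if strict:
        return Result(409, msg)                       # reject outright
    # Non-strict: trust the NAT destination rather than the Host header ...
    if (ip, port) == (PROXY_IP, PROXY_PORT):
        # ... which, when NAT ran elsewhere, is the proxy itself.
        return Result(403, msg + "; forwarding loop to self")
    return Result(0, msg + "; forwarding to NAT destination", (ip, port))


def scenarios() -> dict[str, Result]:
    """The cases from the post, as constructed requests."""
    origin_form = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    absolute_form = (b"GET http://example.com/index.html HTTP/1.1\r\n"
                     b"Host: example.com\r\n\r\n")
    at_proxy = (PROXY_IP, PROXY_PORT)
    return {
        # Browser with the proxy configured: works on a plain http_port.
        "browser_proxy": handle(absolute_form, intercept=False,
                                original_dst=at_proxy),
        # error1: DNAT'd browser traffic reaching a port without 'intercept'.
        "error1": handle(origin_form, intercept=False, original_dst=at_proxy),
        # error2: 'intercept' port, but the DNAT happened on the router.
        "error2": handle(origin_form, intercept=True, original_dst=at_proxy),
        "error2_strict": handle(origin_form, intercept=True,
                                original_dst=at_proxy, strict=True),
        # NAT on the Squid host: the real destination is recoverable.
        "local_nat": handle(origin_form, intercept=True,
                            original_dst=(ORIGIN_IP, 80)),
    }


if __name__ == "__main__":
    for name, res in scenarios().items():
        print(f"{name:14} status={res.status:3} next_hop={res.next_hop} "
              f"({res.reason})")
```

    <p>Run it with <code>python3</code>; <code>scenarios()</code> returns one <code>Result</code> per case. The only case that forwards cleanly is <code>local_nat</code>, where the NAT table on the proxy host still holds the real destination. That is the standard layout for Squid interception: route port-80 traffic from the Mikrotik to the Squid box rather than DST-NATing it there, do the REDIRECT/DNAT on the Squid host itself, give that <code>http_port</code> the <code>intercept</code> flag, and keep a separate plain <code>http_port</code> for browsers that have the proxy configured.</p>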
    <br>
  </body>
</html>