<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Squid 3.5.x?<br>
<br>
    <div class="moz-cite-prefix">24.06.15 17:59, Dalmar wrote:<br>
</div>
<blockquote
cite="mid:CAFUu-Gv6XqzwNAR8G6-w59J8PGOAnnUs8-69+y7d5bQw3S3wmQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Hi,</div>
        <div>For over two weeks I have been having a real headache
          configuring squid transparent/intercept. </div>
        <div>I have tried different options and configurations but I
          couldn't get it to work.</div>
        <div>I think the problem lies in the iptables / NAT but I
          really couldn't solve it. </div>
        <div>I have tried different iptables rules including the
          intercept linuxDnat - sysctl configuration, but it didn't work.</div>
<div><br>
</div>
<div># your proxy IP</div>
<div>SQUIDIP=X.X.X.X</div>
<div><br>
</div>
<div># your proxy listening port</div>
<div>SQUIDPORT=XXXX</div>
<div><br>
</div>
<div><br>
</div>
<div>iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80
-j ACCEPT</div>
<div>iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT
--to-destination $SQUIDIP:$SQUIDPORT</div>
<div>iptables -t nat -A POSTROUTING -j MASQUERADE</div>
<div>iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT
-j DROP</div>
<div><br>
</div>
<div><br>
</div>
        <div>I have to say that squid works well when I configure it in the
          client browsers.</div>
<div><br>
</div>
        <div>On the Mikrotik side, I am using DST-NAT chain port 80 pro
          TCP action DST-NAT to address squidIP and Port</div>
<div><br>
</div>
        <div>I am using Ubuntu Server 15.04 with squid 3.3.8 and this
          is my configuration and the errors I get:</div>
<div><br>
</div>
<div><br>
</div>
        <pre>
        ------ eth0 WAN &lt;----- MAIN WAN Public IP Internet
  MK---|
        ------ eth1 LAN
       |
        ------ eth2 Proxy

           ------ eth0 WAN ---&gt; Public IP --&gt; Internet --&gt; gets internet from 24online / another Mikrotik
  Squid---|
           ------ eth1 Proxy
          |
           ------ eth2 webmin --&gt; For server Management
</pre>
<div><br>
</div>
<div><br>
</div>
<div>-error1: if no intercept/transparent and no iptables is
configured</div>
<div><span class="" style="white-space:pre"> </span>-Invalid URL
- The requested url could not be retrieved</div>
<div><span class="" style="white-space:pre"> </span>-but if
proxy is configured in the user browser - it works!</div>
<div><br>
</div>
<div><br>
</div>
        <div>-error2: if intercept and iptables DNAT is configured </div>
<div><span class="" style="white-space:pre"> -</span>Access
Denied and in the access log TCP-MISS/403</div>
<div><span class="" style="white-space:pre"> -</span>no forward
proxy port configured </div>
<div> -security alert : host header forgery detected on
local= SquidIP:8080 remote:mikrotikIP (local ip does not match
any domain name)</div>
<div> -warning : forwarding loop detected
(x-Forwarded-for mikrotik lan IP)</div>
<div><br>
</div>
<div>squid.conf</div>
<div><br>
</div>
        <div>acl localnet src 10.0.0.0/8<span class="" style="white-space:pre"> </span>#
          RFC1918 possible internal network</div>
        <div>acl localnet src 192.168.0.0/16<span class="" style="white-space:pre"> </span>#
          RFC1918 possible internal network</div>
<div>acl SSL_ports port 443</div>
<div>acl Safe_ports port 80<span class="" style="white-space:pre"> </span>#
http</div>
<div>acl Safe_ports port 21<span class="" style="white-space:pre"> </span>#
ftp</div>
<div>acl Safe_ports port 443<span class="" style="white-space:pre"> </span>#
https</div>
<div>acl Safe_ports port 70<span class="" style="white-space:pre"> </span>#
gopher</div>
<div>acl Safe_ports port 210<span class="" style="white-space:pre"> </span>#
wais</div>
<div>acl Safe_ports port 1025-65535<span class="" style="white-space:pre"> </span>#
unregistered ports</div>
<div>acl Safe_ports port 280<span class="" style="white-space:pre"> </span>#
http-mgmt</div>
<div>acl Safe_ports port 488<span class="" style="white-space:pre"> </span>#
gss-http</div>
<div>acl Safe_ports port 591<span class="" style="white-space:pre"> </span>#
filemaker</div>
<div>acl Safe_ports port 777<span class="" style="white-space:pre"> </span>#
multiling http</div>
<div>acl CONNECT method CONNECT</div>
<div>http_access deny !Safe_ports</div>
<div>http_access deny CONNECT !SSL_ports</div>
<div>http_access allow localhost manager</div>
<div>http_access deny manager</div>
<div>http_access allow localnet</div>
<div>http_access allow localhost</div>
<div>http_access deny all</div>
<div>http_port 8080</div>
<div>http_port 8181</div>
<div>cache_mem 2000 MB</div>
<div>cache_dir ufs /var/spool/squid3 100000 16 256</div>
<div>coredump_dir /var/spool/squid3</div>
<div>refresh_pattern ^ftp:<span class="" style="white-space:pre"> </span>1440<span class="" style="white-space:pre"> </span>20%<span class="" style="white-space:pre"> </span>10080</div>
<div>refresh_pattern ^gopher:<span class="" style="white-space:pre"> </span>1440<span class="" style="white-space:pre"> </span>0%<span class="" style="white-space:pre"> </span>1440</div>
<div>refresh_pattern -i (/cgi-bin/|\?) 0<span class="" style="white-space:pre"> </span>0%<span class="" style="white-space:pre"> </span>0</div>
<div>refresh_pattern (Release|Packages(.gz)*)$ 0 20%
2880</div>
<div>refresh_pattern .<span class="" style="white-space:pre"> </span>0<span class="" style="white-space:pre"> </span>20%<span class="" style="white-space:pre"> </span>4320</div>
<div>cache_effective_user proxy</div>
<div>cache_effective_group proxy</div>
<div><br>
</div>
<div>----------------------------------------</div>
<div>I am really confused, can anyone guide me please.</div>
<div>Thanks in advance</div>
</div>
<br>
</blockquote>
<br>
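    <div>Added example, not part of the original mail and not Squid project code: a small Python check for the two things the quoted symptoms turn on, namely which http_port lines carry an interception flag, and whether a "Host header forgery" alert reports local= as Squid's own socket (as in the alert quoted above), which is what Squid logs when the destination was already rewritten by DNAT on another device. The sample config and log lines are constructed, using placeholder documentation-range addresses.</div>

```python
import re

# Constructed sample: the two http_port lines from the quoted squid.conf,
# with "intercept" added to the first (assumed form of the "error2" attempt).
SAMPLE_CONF = "http_port 8080 intercept\nhttp_port 8181\n"

# Constructed cache.log lines modelled on the alert quoted in the mail.
# Addresses are placeholders: 192.0.2.10 plays Squid, 192.0.2.1 the router.
SAMPLE_LOG = (
    "SECURITY ALERT: Host header forgery detected on local=192.0.2.10:8080 "
    "remote=192.0.2.1:40112 (local IP does not match any domain IP)\n"
    "SECURITY ALERT: Host header forgery detected on local=203.0.113.80:80 "
    "remote=10.0.0.23:51544 (local IP does not match any domain IP)\n"
)

INTERCEPT_FLAGS = {"intercept", "transparent", "tproxy"}
ALERT = re.compile(
    r"Host header forgery detected on local=([\d.]+):(\d+) remote=([\d.]+):\d+"
)


def classify_ports(conf_text):
    """Split http_port lines into forward-proxy and interception ports."""
    ports = {"forward": [], "intercept": []}
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "http_port":
            port = int(fields[1].rsplit(":", 1)[-1])  # accepts ip:port too
            mode = "intercept" if INTERCEPT_FLAGS & set(fields[2:]) else "forward"
            ports[mode].append(port)
    return ports


def lost_destination_alerts(log_text, squid_ips, ports):
    """Return (client, local) for alerts whose local= is Squid's own
    interception socket, i.e. the original destination never reached Squid."""
    hits = []
    for m in ALERT.finditer(log_text):
        local_ip, local_port, remote_ip = m.group(1), int(m.group(2)), m.group(3)
        if local_ip in squid_ips and local_port in ports["intercept"]:
            hits.append((remote_ip, f"{local_ip}:{local_port}"))
    return hits


if __name__ == "__main__":
    ports = classify_ports(SAMPLE_CONF)
    print(ports)
    print(lost_destination_alerts(SAMPLE_LOG, {"192.0.2.10"}, ports))
```

    <div>An empty "intercept" list matches the first symptom set in the mail (intercepted requests arriving on a forward-proxy port), and an empty "forward" list matches the "no forward proxy port configured" message.</div>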
</body>
</html>