<div dir="ltr"><div class="gmail_default" style="font-family:georgia,serif"><br></div><div class="gmail_default" style="font-family:georgia,serif"><br></div><div class="gmail_default" style="font-family:georgia,serif">One more thing,</div><div class="gmail_default" style="font-family:georgia,serif">Does this imply using two NICs (Network Interface Cards)?</div><div class="gmail_default" style="font-family:georgia,serif">And the squid server has to be in-between clients and the internet?</div><div class="gmail_default" style="font-family:georgia,serif"><br></div><div class="gmail_default" style="font-family:georgia,serif">Regards</div><div class="gmail_default" style="font-family:georgia,serif"><br></div><div class="gmail_default" style="font-family:georgia,serif"><br></div><div class="gmail_default" style="font-family:georgia,serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 21, 2017 at 5:29 PM, christian brendan <span dir="ltr"><<a href="mailto:bosscb.chrisbren@gmail.com" target="_blank">bosscb.chrisbren@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:georgia,serif">Thanks a lot for the information.</div><div style="font-family:georgia,serif">I will try this and give feedback.</div><div style="font-family:georgia,serif">Best Regards</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 21, 2017 at 1:00 PM, <span dir="ltr"><<a href="mailto:squid-users-request@lists.squid-cache.org" target="_blank">squid-users-request@lists.<wbr>squid-cache.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Message: 1<br>
Date: Tue, 21 Mar 2017 12:12:01 +0100<br>
From: Antony Stone <<a href="mailto:Antony.Stone@squid.open.source.it" target="_blank">Antony.Stone@squid.open.sourc<wbr>e.it</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
Subject: Re: [squid-users] Squid Transparent/intercept Issues<br>
Message-ID: <<a href="mailto:201703211212.01346.Antony.Stone@squid.open.source.it" target="_blank">201703211212.01346.Antony.Sto<wbr>ne@squid.open.source.it</a>><br>
Content-Type: Text/Plain; charset="utf-8"<br>
<br>
On Tuesday 21 March 2017 at 12:00:05, christian brendan wrote:<br>
<br>
> > Today's Topics:<br>
> > 1. Re: Squid Transparent/intercept Issues (Antony Stone)<br>
> > 2. Re: SMP and AUFS (Matus UHLAR - fantomas)<br>
> > 3. Re: SMP and AUFS (Alex Rousskov)<br>
> > 4. Re: squid workers question (Alex Rousskov)<br>
> > 5. Re: squid workers question (Matus UHLAR - fantomas)<br>
> > 6. Re: SSL Bump issues (Alex Rousskov)<br>
> > 7. blocking or allowing specific youtube videos (Sohan Wijetunga)<br>
<br>
Please edit your reply when responding to a digest email, deleting everything<br>
not specific to your question.<br>
<br>
> > Date: Mon, 20 Mar 2017 16:56:17 +0100<br>
> > From: Antony Stone<br>
> > To: <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
> > Subject: Re: [squid-users] Squid Transparent/intercept Issues<br>
> ><br>
> > On Monday 20 March 2017 at 16:26:40, christian brendan wrote:<br>
> > > Hello Everyone,<br>
> > ><br>
> > > Squid Cache: Version 3.5.20<br>
> > > OS: CentOS 7<br>
> > ><br>
> > > I have used Squid for quite some time non-transparently and it works;<br>
> > > the problem kicks in when http_port 3128 transparent is enabled.<br>
> > > An access denied error page shows up when transparent is enabled:<br>
> > > ERROR The requested URL could not be retrieved<br>
> ><br>
> > How are you getting the packets to the Squid server for interception?<br>
> ><br>
> > Is the Squid server in the default route between your clients and the<br>
> > Internet, or are you redirecting the packets to the Squid server somehow?<br>
> ><br>
> > Please give *details* of how you are intercepting and sending the packets<br>
> > to Squid (eg: iptables rules, and which machine/s the rules are running<br>
> > on).<br>
> ><br>
> ><br>
> > Antony.<br>
<br>
> @Antony.Stone<br>
> 1. I am using a MikroTik RouterBoard to redirect traffic, with this rule:<br>
> add action=dst-nat chain=dstnat comment="Redirect port 80 to SquidProxy"<br>
> dst-port=80 protocol=tcp \ src-address=10.24.7.100 to-addresses=10.24.7.101<br>
> to-ports=3128<br>
<br>
Okay, so there's your problem, then.<br>
<br>
You must not use DSTNAT on a separate router to send packets to Squid for<br>
intercept.<br>
<br>
(This used to work in older versions of Squid, but does not work any more and<br>
is documented on the wiki, for example at<br>
<a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/Co<wbr>nfigExamples/Intercept/LinuxDn<wbr>at</a> )<br>
<br>
Note the wording: "NOTE: This configuration is given for use on the squid box."<br>
That means the NAT rules *must* be running on the Squid box itself and not (in<br>
your case) on the Mikrotik router.<br>
<br>
> 3. It is not in the default route; packets are being redirected.<br>
<br>
In that case you need to use policy routing to get the packets *unchanged* to<br>
the Squid box - see the above link, and also<br>
<a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/Co<wbr>nfigExamples/Intercept/Iptable<wbr>sPolicyRoute</a><br>
<br>
> 4. There are no iptables rules; the firewall is disabled for this test.<br>
<br>
You have to have a REDIRECT rule on the machine running Squid to get it to see<br>
the packets (once they are no longer being DNATted).<br>
<br>
Please try to follow the guidelines at<br>
<a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/Co<wbr>nfigExamples/Intercept/LinuxDn<wbr>at</a> and<br>
<a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/Co<wbr>nfigExamples/Intercept/Iptable<wbr>sPolicyRoute</a> and<br>
then come back to us with details of what you've tried, if there are still<br>
problems.<br>
<br>
<br>
Regards,<br>
<br>
<br>
Antony.<br>
<br>
--<br>
A user interface is like a joke.<br>
If you have to explain it, it didn't work.<br>
<br>
Please reply to the list;<br>
please *don't* CC me.<br>
<br>
<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>
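<div>Added example (not part of the thread, and not Squid project code): a shell check for the requirement stated in the reply above, that the NAT rule for intercepted port 80 traffic must exist on the Squid host itself. It reads the text of squid.conf and of iptables-save from that host; the function names and sample inputs are constructed for illustration, with the http_port line and 10.24.7.101 taken from the thread.</div>

```shell
#!/bin/sh
# Added example: verify that port-80 interception NAT is done on the Squid host.

# Print the port of each http_port flagged intercept (older spelling: transparent).
intercept_ports() {
  printf '%s\n' "$1" | awk '
    $1 == "http_port" && /[ \t](intercept|transparent)([ \t]|$)/ {
      n = split($2, a, ":"); print a[n] }'
}

# Succeed if the nat table in iptables-save text $1 sends tcp/80 to local port $2.
has_local_nat() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^\*/ { table = $1 }
    table == "*nat" && /^-A PREROUTING/ && /--dport 80( |$)/ {
      if ($0 ~ ("-j REDIRECT --to-ports " port "( |$)")) found = 1
      if ($0 ~ ("-j DNAT --to-destination [0-9.]+:" port "( |$)")) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Report every intercept port; non-zero status if one has no local NAT rule.
check_intercept() {
  rc=0
  ports=$(intercept_ports "$1")
  [ -n "$ports" ] || { echo "no intercept http_port found"; return 2; }
  for p in $ports; do
    if has_local_nat "$2" "$p"; then
      echo "port $p: NAT rule present on this host"
    else
      echo "port $p: no local REDIRECT/DNAT rule; NAT on another router is not enough"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample inputs; the http_port line and 10.24.7.101 come from the thread.
SAMPLE_CONF='http_port 3128 transparent'
SAMPLE_RULES_NONE='*filter
:INPUT ACCEPT [0:0]
COMMIT'
SAMPLE_RULES_OK='*nat
-A PREROUTING -s 10.24.7.101/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

check_intercept "$SAMPLE_CONF" "$SAMPLE_RULES_NONE" || true
check_intercept "$SAMPLE_CONF" "$SAMPLE_RULES_OK"
```

<div>On a real host, pass the contents of the squid.conf file and the output of iptables-save (run as root) as the two arguments.</div>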