[squid-users] Transparent proxy with squid and Dansguardian

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 1 11:10:32 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please post a new thread email to the list instead of replying to an
existing topic. This has nothing to do with YouTube access control.


On 1/10/2014 11:23 p.m., Darren B. wrote:
> 
> HI
> 
> I am trying to set up a router that allows a group of devices on a 
> network to access the internet via Dansguardian and squid.
> 
> I am setting it up as a transparent proxy and locking down the
> ports with IPtables.
> 
> I am using IPtables to redirect connections on port 80 from the
> client and remap them to 8080 for dansguardian, dans is then set up
> to talk to squid on 127.0.0.1:3128
> 
> the iptables rules are
> 
> iptables -A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j
> REDIRECT --to-ports 8080 iptables -A POSTROUTING -j MASQUERADE
> 
> if I set the rule above to REDIRECT to 3128, the cache works as 
> expected. If I set it above, I can see traffic in DG and in the
> cache log of squid but the target IF address is stripped out and I
> seem to be getting a forwarding loop.
> 
> I am not sure what is going on but it seems that Dansguardian is 
> rewriting the target address and getting squid to loop back on
> itself.

DG is opening a regular TCP connection from itself (127.0.0.1:*) to
Squid (127.0.0.1:3128). Nothing Special.

> 
> All the various versions are current to ubuntu 14.04 although the 
> dansguardian is a little old in this distro.
> 
> Any pointers would be greatly appreciated.

Okay, some pointers...

 * REDIRECT is NAT interception.

 * You have DG configured to use Squid port 3128 *without* NAT between
them.

 * You configured Squid to receive NAT traffic on port 3128.

 * You configured Squid to receive expicitly configured clients (like
DG) on port 3129.

 * you must only send the configured type of traffic to a Squid port.

Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUK+EoAAoJELJo5wb/XPRjFWcH/1v6l48h2TuDydVuk9p87BMs
NZ8IrbcMtkqmNaIoWJ8KapvpFERBDyZVVQ54TX1iVPOUh4nHPskzzc7iZFXK1P5h
F+oIqecgaQ+KwbdIRn0YJF5w0XppSiH1aRX3dmbwIHI3ghH7cca7Nj6txHdhyaq0
udlEp+1mteyy+7gbGJTNVR4XCqDPwVfgBzuvMtQFI2C6yqf7OcxqibAW/J9SYp5z
XM/Ap8tw7Q2xNC9a8BI/AURb4RkcelMX/iQ1G41oMCKcKEW2BjfOe6AVe0UbT8AD
jNDkhsmLqgOHfubiMhRiZHkayy1qcJLapNuyi5XkYcASD1rTtuqKoBhumqiJFrE=
=w4j+
-----END PGP SIGNATURE-----

More information about the squid-users mailing list