[squid-users] Mikrotik and Squid Transparent

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 25 09:07:49 UTC 2015


On 25/06/2015 12:45 p.m., Alex Samad wrote:
> Hi
> 
> Why this? Doesn't this block all traffic getting to the squid port?
> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

All external traffic, yes. The NAT interception happens afterward and works.

The point is that NAT intercept MUST only be done directly on the Squid
machine. A single external connection being accepted will result in a
forwarding loop DoS and the above protects against that.

> 
> 
> what I would do to test is run tcpdump on the squid box and capture
> all traffic coming to it on the squid listening port,

IIRC, you can't do that because tcpdump operates before NAT. It will not
show you the NAT'ed traffic arriving.

Running Squid with -X or "debug_options ALL,9" would be better. You can
see in cache.log what Squid is receiving and what the NAT de-mangling is
actually doing.

Amos
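The rule ordering Amos describes, as an added example that is not part of either mail: the mangle-table DROP is evaluated before the nat-table REDIRECT, so direct connections to the intercept port from outside are discarded while LAN port-80 traffic is still redirected into Squid on the same host. The port number (3129), the LAN interface name (eth0) and the dry-run switch are assumptions for illustration; run with DRY_RUN=0 as root to apply the rules instead of printing them.

```shell
#!/bin/sh
# Assumed values: Squid's intercept listener is "http_port 3129 intercept"
# in squid.conf, and LAN clients arrive on eth0. Both are constructed.
SQUIDPORT=${SQUIDPORT:-3129}
LAN_IF=${LAN_IF:-eth0}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the rules, 0 = actually call iptables

# Wrapper so the same function can be inspected without touching the firewall.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Emit (or apply) the two rules in the order netfilter consults the tables.
squid_intercept_rules() {
  # 1. mangle PREROUTING runs first: any packet that arrives already addressed
  #    to the intercept port was not produced by our own REDIRECT below. Squid
  #    would see "original destination = this host" and forward to itself, so
  #    drop it to prevent the forwarding-loop DoS.
  ipt -t mangle -A PREROUTING -p tcp --dport "$SQUIDPORT" -j DROP
  # 2. nat PREROUTING runs afterward: LAN traffic to port 80 is rewritten to the
  #    intercept port. Rewritten packets do not re-enter PREROUTING, so rule 1
  #    never sees them, and Squid's own outbound requests originate in OUTPUT,
  #    not PREROUTING, so they are not redirected back into Squid.
  ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$SQUIDPORT"
}

# Returns 0 when the DROP rule precedes the REDIRECT in the emitted list.
check_order() {
  rules=$(DRY_RUN=1 squid_intercept_rules)
  first=$(printf '%s\n' "$rules" | sed -n 1p)
  case "$first" in
    *"-t mangle"*"-j DROP"*) return 0 ;;
    *) return 1 ;;
  esac
}

squid_intercept_rules
```

Because tcpdump hooks in before NAT, the redirected packets it shows still carry destination port 80; the cache.log output from `debug_options ALL,9` is where the de-mangled destination Squid actually resolved becomes visible.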

