[squid-users] Mikrotik and Squid Transparent
Amos Jeffries
squid3 at treenet.co.nz
Thu Jun 25 09:07:49 UTC 2015
On 25/06/2015 12:45 p.m., Alex Samad wrote:
> Hi
>
> Why this? Doesn't this block all traffic getting to the squid port?
> iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
All external traffic, yes. The NAT interception happens afterward and works.
The point is that NAT intercept MUST only be done directly on the Squid
machine. A single external connection being accepted will result in a
forwarding loop DoS and the above protects against that.
>
>
> What I would do to test is run tcpdump on the squid box and capture
> all traffic coming to it on the squid listening port,
IIRC, you can't do that because tcpdump operates before NAT. It will not
show you the NAT'ed traffic arriving.
Running Squid with -X or "debug_options ALL,9" would be better. You can
see in cache.log what Squid is receiving and what the NAT de-mangling is
actually doing.
Amos
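As an added example (not part of this thread or the Squid project), here is the rule set that ordering implies, run on the Squid host itself. The LAN interface name, the port default, and the IPT preview variable are assumptions; squid.conf is assumed to carry a matching `http_port 3128 intercept` line.

```shell
#!/bin/sh
# Added example: iptables rules for Squid NAT interception on the Squid box.
# Assumptions (constructed, not from the thread): LAN side is eth1, Squid
# listens on 3128 with "http_port 3128 intercept" in squid.conf.
# Set IPT=echo to preview the rules instead of applying them.
SQUIDPORT="${SQUIDPORT:-3128}"
LAN_IF="${LAN_IF:-eth1}"
IPT="${IPT:-iptables}"

apply_intercept_rules() {
    # 1. mangle PREROUTING runs before nat PREROUTING, so a packet that
    #    arrives from the network already addressed to the Squid port is
    #    dropped here. Intercepted LAN traffic is unaffected: it is still
    #    addressed to port 80 when it passes this chain, and is only
    #    rewritten to $SQUIDPORT one table later.
    "$IPT" -t mangle -A PREROUTING -p tcp --dport "$SQUIDPORT" -j DROP

    # 2. Interception: rewrite LAN clients' port-80 connections to Squid.
    #    REDIRECT targets the local machine, which is why this belongs on
    #    the Squid host and not on an upstream router; an externally
    #    accepted connection to the intercept port would loop back through
    #    Squid again (the forwarding-loop DoS rule 1 prevents).
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUIDPORT"
    # Clients configured to use the proxy explicitly need a separate,
    # non-intercept http_port; this port is for intercepted traffic only.
}

case "${1:-}" in
    apply)   apply_intercept_rules ;;
    preview) ( IPT=echo; apply_intercept_rules ) ;;
esac
```

`sh squid-intercept.sh preview` prints the two rules without touching the firewall; `apply` installs them.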