[squid-users] Mikrotik and Squid Transparent

Alex Samad alex at samad.com.au
Sat Jun 27 07:48:19 UTC 2015


On 27 June 2015 at 16:33, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 27/06/2015 10:02 a.m., Alex Samad wrote:
>> Hi
>>
>> Sorry missing something here.
>>
>> I thought this was a Mikrotik router, presumably acting as a default
>> gateway for the local LAN to the internet.
>> It has a DNAT rule to capture all internet traffic that is port 80
>> (and presumably at some point in time port 443) and it DNATs it to the
>> Squid box.
>>
>> And there needs to be a special rule on the DGW to allow Squid access
>> out to the internet without resending it back to Squid and
>> creating a loop.
>>
>> From memory that's how I used to do this, unless the DGW is large
>> enough to run Squid, then DNAT to the local box and on to Squid.
>
> Yes, a lot of people used to do it that way. The problem was that the
> CVE-2009-0801 vulnerability allowed an attacker's script to send any request
> to Squid claiming an arbitrary server Host: header and get that content
> both delivered back as if it was for some other domain the client thought
> it was connecting to, and injected into the Squid cache for other clients to
> be affected by in the same way.
>
> That is no longer permitted since Squid-3.2. The DNAT can only happen
> once, and that must be on the Squid machine so Squid can look up the NAT
> tables and unmangle the original dst-IP.
>
> You need to use routing rules on the Mikrotik (or a tunnel sometimes works
> too) to deliver the original client-generated packet to the Squid
> machine without NAT changing the dst-IP:port details (SNAT is fine, but
> will cause lies about the client IP in the access.log).

Okay good to know.

Alex
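The following is an added illustration, not Squid's code and not part of the thread, of why the reply above insists that the DNAT happen on the Squid host. On Linux, Squid recovers the original dst-IP:port of an intercepted connection from the local NAT (conntrack) table; if the router already rewrote the destination, that table has no entry and the only "destination" left is the client-supplied Host: header, which is what CVE-2009-0801 abused. The conntrack table, DNS view, client addresses and the verdict names are all constructed for this example; the verification logic is a simplified model of the Host check Squid has performed since 3.2.

```python
"""
Model of intercept-mode destination recovery and Host: verification.
Constructed example: the NAT table and DNS view below are sample data,
and the verdict strings are this example's own names, not Squid's.
"""
import ipaddress

# Constructed stand-in for the Squid host's conntrack NAT table, as it
# would look when the DNAT/REDIRECT is done locally on the Squid machine:
# (client_ip, client_port) -> (original_dst_ip, original_dst_port)
LOCAL_NAT_TABLE = {
    ("192.168.1.10", 51000): ("203.0.113.5", 80),
    ("192.168.1.11", 51001): ("198.51.100.7", 80),
}

# Constructed DNS view; real Squid asks its resolver.
DNS_VIEW = {
    "www.example.com": ["203.0.113.5"],
    "shop.example.net": ["198.51.100.7"],
}


def original_destination(nat_table, client_ip, client_port):
    """Return the pre-DNAT destination for this client socket, or None when
    this host never performed the DNAT (e.g. the router rewrote dst-IP
    before forwarding, so the local NAT table knows nothing about it)."""
    return nat_table.get((client_ip, client_port))


def resolve(hostname, dns_view=DNS_VIEW):
    """Look a hostname up in the constructed DNS view."""
    return dns_view.get(hostname.lower(), [])


def verify_request(original_dst, host_header, dns_view=DNS_VIEW):
    """Host: verification, conceptually as done since Squid 3.2: the Host:
    header must resolve to the IP the client actually connected to.

    Returns:
      "cacheable"    - Host: agrees with the real destination
      "mismatch"     - Host: disagrees; must not be cached or relayed to the
                       claimed server (the CVE-2009-0801 poisoning pattern)
      "unverifiable" - no original destination known (DNAT was not local)
    """
    if original_dst is None:
        return "unverifiable"
    dst_ip, _dst_port = original_dst
    hostname = host_header.split(":", 1)[0].strip()
    # A literal IP address in Host: is compared directly.
    try:
        if ipaddress.ip_address(hostname) == ipaddress.ip_address(dst_ip):
            return "cacheable"
        return "mismatch"
    except ValueError:
        pass  # not an IP literal; resolve the name instead
    if dst_ip in resolve(hostname, dns_view):
        return "cacheable"
    return "mismatch"


def handle_intercepted(nat_table, client_ip, client_port, host_header):
    """Recover the real destination, then verify the Host: header against it."""
    dst = original_destination(nat_table, client_ip, client_port)
    return verify_request(dst, host_header)


if __name__ == "__main__":
    # Honest request: Host: matches where the client really connected.
    print(handle_intercepted(LOCAL_NAT_TABLE, "192.168.1.10", 51000, "www.example.com"))
    # Poisoning attempt: Host: claims a different site than the real destination.
    print(handle_intercepted(LOCAL_NAT_TABLE, "192.168.1.10", 51000, "shop.example.net"))
    # DNAT done on the router: the local NAT table is empty, nothing to verify against.
    print(handle_intercepted({}, "192.168.1.10", 51000, "www.example.com"))
```

The third case is the configuration the reply warns against: with no local NAT entry, Squid cannot unmangle the original dst-IP, so it has no trustworthy destination to check the Host: header against. Routing (or a tunnel) from the Mikrotik to the Squid host keeps the original dst-IP:port intact, so the local REDIRECT/DNAT on the Squid machine is the only rewrite and the NAT lookup succeeds.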

