[squid-users] Squid Intercept - From inside LAN with DNAT on router and docker on host
Antony Stone
Antony.Stone at squid.open.source.it
Wed Jul 20 20:10:21 UTC 2016
On Wednesday 20 July 2016 at 21:42:27, Guilherme Scaglia wrote:
> I'm aiming for a transparent proxy - with squid in intercept mode.
>
> In my network setup, the squid server is inside the LAN together with its
> clients, and not sitting between the clients and the router/modem
That will be a problem for intercept mode.
> My router is a Mikrotik router board, so it's trivial to set up a DNAT rule
> to redirect all TCP requests to the squid server.
That won't work. You *must* perform the DNAT on the machine running Squid,
which means that the packets from your clients must pass through the Squid
server, either because it is in the default route, or because you use some
form of policy routing (not NAT) to direct port 80 requests through it.
> What's happening? Why doesn't squid try to fetch the requested pages at
> all?
Because you are not doing NAT on the Squid machine.
> From my understanding, my setup is roughly equivalent to
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat, only the
> DNAT is happening outside the squid box; There is no reason this should
> interfere with anything.
Oh yes there is :)
> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> seems to recommend routing without DNAT; This seems weird, as the only way
> I can see this working is if the squid machine accepted packets to any
> address as their own.
No, you are not sending the packets *to* the Squid machine, you are routing
them *via* the Squid machine.
After all, you are currently sending packets to addresses all over the Internet
via your Mikrotik board, and it's quite happy with those :)
Regards,
Antony.
--
I think broken pencils are pointless.
Please reply to the list;
please *don't* CC me.
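The point made in the reply about where the DNAT has to happen, as an added example that is not part of the original thread: a toy Python model of the lookup Squid's intercept mode performs on Linux (getsockopt with SO_ORIGINAL_DST against the local Netfilter conntrack table). The hosts, addresses and port are constructed, and the router is modelled as a generic NAT box, not as RouterOS.

```python
# Added example (not from the original post): a toy model of why Squid's
# intercept mode needs the DNAT on the Squid host itself.  On Linux, Squid
# recovers the client's real destination with getsockopt(SO_ORIGINAL_DST),
# which consults the *local* Netfilter conntrack table.  A DNAT done on the
# router leaves no such record on the Squid box, so the lookup yields the
# socket's own address and there is nothing upstream for Squid to fetch.
# All addresses below are constructed.
from dataclasses import dataclass, field

SQUID = ("192.168.1.10", 3129)     # Squid's intercept listener
ORIGIN = ("203.0.113.7", 80)       # the web server the client wanted
CLIENT = ("192.168.1.50", 40000)


@dataclass
class NatHost:
    """A box with its own conntrack table: post-NAT tuple -> original dst."""
    name: str
    conntrack: dict = field(default_factory=dict)

    def dnat(self, pkt, new_dst):
        """nat/PREROUTING DNAT (or REDIRECT): rewrite dst, remember the original."""
        src, original_dst = pkt
        self.conntrack[(src, new_dst)] = original_dst
        return (src, new_dst)

    def so_original_dst(self, conn):
        """getsockopt(SO_ORIGINAL_DST): the pre-NAT dst if *this* host NATed
        the connection, otherwise just the socket's own local address."""
        return self.conntrack.get(conn, conn[1])


def intercepted_destination(dnat_on_router: bool):
    """Return the destination Squid would try to fetch from."""
    router, squid = NatHost("router"), NatHost("squid")
    pkt = (CLIENT, ORIGIN)
    if dnat_on_router:
        # The poster's setup: the NAT record lives on the router, not on Squid.
        pkt = router.dnat(pkt, SQUID)
    else:
        # The LinuxDnat wiki setup: REDIRECT on the Squid box, record is local.
        pkt = squid.dnat(pkt, SQUID)
    return squid.so_original_dst(pkt)


if __name__ == "__main__":
    print("DNAT on router:", intercepted_destination(True))    # Squid's own address
    print("DNAT on Squid: ", intercepted_destination(False))   # the real origin
```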