[squid-users] NetfilterInterception: NF > getsockopt(SO_ORIGINAL_DST) errors
Amos Jeffries
squid3 at treenet.co.nz
Tue May 22 10:24:08 UTC 2018
On 22/05/18 22:06, kAja Ziegler wrote:
> This is strange because I don't use any NAT iptables/netfilter rules on
> this server:
>
> [root at ...]# iptables -n -L -v -t nat
> Chain PREROUTING (policy ACCEPT 26964 packets, 1870K bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain POSTROUTING (policy ACCEPT 11013 packets, 817K bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain OUTPUT (policy ACCEPT 11015 packets, 817K bytes)
> pkts bytes target prot opt in out source
> destination-
That lack of NAT rules would be why Squid cannot find any entries for
the traffic in the kernel's NAT state table.
>
>
> Only one weird thing I found in my Squid configuration - I had defined
> only one http_port (http_port 3128 intercept) and this port was used to
> access proxy via explicit definitions in systems or applications -
> without any REDIRECT or marking in iptables/netfilter rules
There is the problem. That "intercept" mode/flag means NAT intercepted
traffic is the only type you are going to receive there.
Explicit / forward proxy is the "normal" traffic case for proxies. A
port to receive that traffic is configured without any special mode
flag. Just:
http_port 3128
Amos
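An added check for the misconfiguration described above (example script, not code from the thread or from the Squid project): it reads a constructed squid.conf fragment and constructed `iptables -t nat -S` output and reports every `intercept` port that has no REDIRECT rule pointing at it. The sample data and the function names are assumptions.

```shell
#!/bin/sh
# Added example: flag "http_port ... intercept" entries with no matching
# REDIRECT rule in the nat table (the situation from the thread).

# Constructed squid.conf fragment: one intercept port, one explicit port.
SQUID_CONF='http_port 3128 intercept
http_port 3129
# https_port 3130 intercept ssl-bump cert=/etc/squid/cert.pem
'

# Constructed "iptables -t nat -S" output: default policies only, no REDIRECT.
NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
'

# Print the port of every http_port/https_port line carrying the intercept flag.
# Strips an optional "ip:" prefix; skips commented lines.
intercept_ports() {
    printf '%s' "$1" | awk '
        function port_only(p) { sub(/^.*:/, "", p); return p }
        /^[[:space:]]*#/ { next }
        $1 == "http_port" || $1 == "https_port" {
            for (i = 3; i <= NF; i++) if ($i == "intercept") print port_only($2)
        }'
}

# Print the --to-ports value of every REDIRECT rule (single ports; ranges are
# printed as-is and will not match).
redirect_ports() {
    printf '%s' "$1" | awk '
        /-j REDIRECT/ { for (i = 1; i <= NF; i++) if ($i == "--to-ports") print $(i+1) }'
}

# Report each intercept port with no REDIRECT targeting it; returns 1 if any.
check_intercept_ports() {
    conf=$1; rules=$2; status=0
    for p in $(intercept_ports "$conf"); do
        if ! redirect_ports "$rules" | grep -qx "$p"; then
            echo "intercept port $p has no REDIRECT rule in the nat table"
            status=1
        fi
    done
    return $status
}

if check_intercept_ports "$SQUID_CONF" "$NAT_RULES"; then
    echo "all intercept ports have matching REDIRECT rules"
fi
```

Run against the real files with `SQUID_CONF=$(cat /etc/squid/squid.conf)` and `NAT_RULES=$(iptables -t nat -S)`; an explicit-proxy port should simply carry no `intercept` flag.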