Squid Interception Proxying Troubles

Erik Bixby erik.bixby at gmail.com
Thu Nov 2 14:30:56 MST 2006


On 11/2/06, Patrick Fleming, EA <plug at rwcinc.net> wrote:
> Erik,
> Checking my iptables rules I find that I have postrouting set as well.
> Chain POSTROUTING (policy ACCEPT)
> target  prot    opt     source          destination
> SNAT    all     --      anywhere        anywhere        to:10.0.0.2
>
> to: is set to the outside nic of the Squid/firewall machine.
> Also are you redirecting "outside" port 80 to 3128 on the squid machine
> and if so is squid accepting connections on 3128? I'm not entirely
> certain that 80 needs to be redirected on the squid machine if you
> already have a router doing that for you.
>

You'll have to excuse me, I am not a netfilter expert, so I don't know
exactly what your rule does.  It seems that your rule will alter all
outgoing packets to have the source address of the Squid box's IP
address.  I don't see how this will help in my current situation.  I
am guessing that your machine is doing IP masquerading, and that is
why you have that particular rule present.  Although, as I said, I am
not an expert with netfilter.  However, I can tell you that Squid's
FAQ (http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-935dbe4ef8ea8e21c1e04cc7753a09095c0d8285)
mentions only two iptables entries:
iptables -t nat -A PREROUTING -i eth0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

The first to accept packets coming from a particular class C
network, and the other to redirect all traffic destined for port 80 to
3128.  I have not bothered with the first rule, as this particular
machine does not have any other netfilter rules in place, and all
tables are set to accept packets.

The main reason I believe port 80 needs to be redirected to 3128 is
because Squid's FAQ says as much.

As always, I thank you for considering my problem.  If anyone has any
experience with Squid and interception proxying and might have some
insight as to what I might be doing wrong, please let me know.
-Erik
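As an added example (not from Erik's or Patrick's mail, and not Squid project code), a small POSIX shell check for the two conditions debated above: that the nat PREROUTING chain redirects tcp/80 to 3128, and that something is actually listening on 3128. The sample outputs are constructed; on a real box feed it `iptables-save -t nat` and `ss -ltn` instead.

```shell
#!/bin/sh
# Offline check for a Squid interception setup. The two sample texts below
# are constructed stand-ins for `iptables-save -t nat` and `ss -ltn` output.

SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -d 192.168.0.0/24 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.2
COMMIT'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:3128       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# has_redirect NAT_TEXT PORT: true if a PREROUTING rule redirects tcp/80 to PORT.
# Accepts both spellings iptables allows, --to-port and --to-ports.
has_redirect() {
    printf '%s\n' "$1" | grep -E -- \
        '^-A PREROUTING .*-p tcp .*--dport 80 .*-j REDIRECT --to-ports? '"$2"'( |$)' >/dev/null
}

# is_listening SS_TEXT PORT: true if a LISTEN socket is bound to :PORT.
is_listening() {
    printf '%s\n' "$1" | grep -E -- '^LISTEN .*[:.]'"$2"'[[:space:]]' >/dev/null
}

# check_intercept NAT_TEXT SS_TEXT PORT: report both checks; exit 0 only if both hold.
check_intercept() {
    rc=0
    if has_redirect "$1" "$3"; then echo "ok: tcp/80 redirected to $3"
    else echo "MISSING: no REDIRECT of tcp/80 to $3 in nat PREROUTING"; rc=1; fi
    if is_listening "$2" "$3"; then echo "ok: listener bound on :$3"
    else echo "MISSING: nothing listening on :$3 (check http_port in squid.conf)"; rc=1; fi
    return $rc
}

check_intercept "$SAMPLE_NAT" "$SAMPLE_SS" 3128
```

Note that the sample nat table also carries an SNAT rule like the one quoted above; the check deliberately ignores it, since it does not affect whether port 80 reaches Squid.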


More information about the PLUG-discuss mailing list