Discussion:
[squid-users] Mikrotik and Squid Transparent
Dalmar
2015-06-24 12:03:14 UTC
Hi,
For over two weeks I have been having a real headache configuring Squid
transparent/intercept.
I have tried different options and configurations but I couldn't get it to
work.
I think the problem lies in the iptables / NAT but I really couldn't solve
it.
I have tried different iptables rules, including the Intercept/LinuxDnat
iptables and sysctl configuration, but it didn't work.

# your proxy IP
SQUIDIP=X.X.X.X

# your proxy listening port
SQUIDPORT=XXXX

# Squid's own outbound port-80 connections must not be intercepted again
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
# every other port-80 connection is redirected to the Squid intercept port
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
# nothing may connect to the intercept port directly (mangle runs before nat)
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP


I have to say that Squid works well when I configure it in the client browsers.

On the Mikrotik side, I am using a DST-NAT rule (chain dstnat, port 80,
protocol TCP, action dst-nat to the Squid IP and port).

I am using Ubuntu server 15.04 with Squid 3.3.8, and this is my
configuration and the errors I get:


MK ----- eth0 WAN <----- main WAN public IP / Internet
    |--- eth1 LAN
    |--- eth2 Proxy

Squid -- eth0 WAN ---> public IP --> Internet (gets internet from 24online / another Mikrotik)
    |--- eth1 Proxy
    |--- eth2 webmin --> for server management


- Error 1: if no intercept/transparent and no iptables are configured:
  - "Invalid URL - The requested URL could not be retrieved"
  - but if the proxy is configured in the user's browser, it works!

- Error 2: if intercept and the iptables DNAT are configured:
  - "Access Denied", and in the access.log TCP_MISS/403
  - "no forward proxy port configured"
  - security alert: host header forgery detected on local=SquidIP:8080
    remote=mikrotikIP (local ip does not match any domain name)
  - warning: forwarding loop detected (X-Forwarded-For: Mikrotik LAN IP)

squid.conf

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080
http_port 8181
cache_mem 2000 MB
cache_dir ufs /var/spool/squid3 100000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy

----------------------------------------
I am really confused, can anyone guide me please.
Thanks in advance
Yuri Voinov
2015-06-24 12:04:06 UTC
Squid 3.5.x?
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Dalmar
2015-06-24 12:30:15 UTC
squid 3.3.8 and ubuntu 15.04 server
Post by Yuri Voinov
Squid 3.5.x?
Alex Samad
2015-06-25 00:45:20 UTC
Hi

Why this? Doesn't this block all traffic getting to the Squid port?
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP


What I would do to test is run tcpdump on the Squid box and capture
all traffic coming to it on the Squid listening port, then go to a
test machine on the ethernet or wireless and do a telnet google.com 80 and
see what you get on the Squid box.

Make sure your src and dst addresses are right, then check the Squid logs.

I presume you can get to the internet from the Squid box?
Amos Jeffries
2015-06-25 09:07:49 UTC
Post by Alex Samad
Hi
Why this? Doesn't this block all traffic getting to the Squid port?
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
All external traffic yes. The NAT interception happens afterward and works.

The point is that NAT intercept MUST only be done directly on the Squid
machine. A single external connection being accepted will result in a
forwarding loop DoS and the above protects against that.
Post by Alex Samad
what I would do to test is run tcpdump on the squid box and capture
all traffic coming to it on the squid listening port,
IIRC, you can't do that because tcpdump operates before NAT. It will not
show you the NAT'ed traffic arriving.

Running Squid with -X or "debug_options ALL,9" would be better. You can
see in cache.log what Squid is receiving and what the NAT de-mangling is
actually doing.

Amos
Alex Samad
2015-06-26 12:14:52 UTC
Aren't the Squid and NAT box different? That was my presumption.
Amos Jeffries
2015-06-26 12:49:46 UTC
Post by Alex Samad
aren't squid and nat box different ? that was my presumption..
Best not to.

The dst-IP:port on the TCP packets entering the Squid machine is where
Squid will send the outgoing server requests. If that dst-IP is the IP
of the Squid machine itself you get into big DoS-level trouble really fast.

Amos
Alex Samad
2015-06-26 22:02:44 UTC
Hi

Sorry, missing something here.

I thought this was a Mikrotik router, presumably acting as a default
gateway for the local LAN to the internet.
It has a DNAT rule to capture all internet traffic that is port 80
(and presumably at some point in time port 443) and it DNATs it to the
SQUID box.

And there needs to be a special rule on the DGW to allow Squid access
out to the internet without resending it back to Squid and
creating a loop.

From memory that's how I used to do this, unless the DGW is large
enough to run Squid, then DNAT to the local box and on to Squid.

Why would there be a DoS for SQUID on another box? The only resources
I can think of are the NAT table, maybe conntrack.

Alex
Amos Jeffries
2015-06-27 06:33:03 UTC
Post by Alex Samad
Hi
Sorry, missing something here.
I thought this was a Mikrotik router, presumably acting as a default
gateway for the local LAN to the internet.
It has a DNAT rule to capture all internet traffic that is port 80
(and presumably at some point in time port 443) and it DNATs it to the
SQUID box.
And there needs to be a special rule on the DGW to allow Squid access
out to the internet without resending it back to Squid and
creating a loop.
From memory that's how I used to do this, unless the DGW is large
enough to run Squid, then DNAT to the local box and on to Squid.
Yes, a lot of people used to do it that way. The problem was that the
CVE-2009-0801 vulnerability allowed an attacker's script to send any request
to Squid claiming an arbitrary server Host: header and get that content
both delivered back as if it was for some other domain the client thought
it was connecting to, and injected into the Squid cache for other clients to
be affected by in the same way.

That is no longer permitted since Squid-3.2. The DNAT can only happen
once, and that must be on the Squid machine so Squid can look up the NAT
tables and unmangle the original dst-IP.

You need to use routing rules on the Mikrotik (or a tunnel sometimes works
too) to deliver the original client-generated packet to the Squid
machine without NAT changing the dst-IP:port details (SNAT is fine, but
will cause lies about the client IP in the access.log).
Post by Alex Samad
Why would there be a DoS for SQUID on another box? The only resources
I can think of are the NAT table, maybe conntrack.
Like I said earlier: "The dst-IP:port on the TCP packets entering the
Squid machine is where Squid will send the outgoing server requests."

If you block forwarding loops the outbound requests from Squid get an
error page *always*, because the outbound traffic is going from Squid to
be served by Squid (forwarding loop).

If you disable the Via header forwarding loop protection Squid will just
loop until all TCP port numbers on the machine are consumed sending new
"outbound" connections that loop back to Squid. Then no network connections
will be available to Squid or any other software. The RAM associated
with each connection may also be too much and cause the OS to
force-shutdown Squid.

So you get to pick between a DoS or a very nasty DoS.

Amos
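As an added illustration (not Squid's code, and not posted by anyone in this thread), the Python below models the checks Amos describes: recovering the pre-DNAT destination from the local NAT table, the Host header verification Squid 3.2 introduced for CVE-2009-0801, and Via-based forwarding-loop detection. The proxy address, hostname, DNS answers and conntrack entries are constructed for the example. Run against the two placements of the DNAT it reproduces the original post's symptoms: with the DNAT on the Mikrotik, the only destination the Squid box can recover is its own listening socket, which matches no domain, and the upstream request it would then open is to itself.

```python
# Added illustration (not Squid source): a simplified model of the checks
# Squid 3.2+ applies to intercepted requests, run on constructed data.
# Addresses, hostnames, the DNS table and the conntrack table are assumptions.

SQUID_IP = "10.10.10.2"               # assumed proxy address
SQUID_PORT = 8080                     # intercept port from the original post
SQUID_HOSTNAME = "proxy.example.lan"  # assumed unique_hostname, as written into Via

# Constructed DNS view from the proxy's resolver.
DNS = {
    "example.com": {"93.184.216.34"},
    "bank.example": {"198.51.100.10"},
}


def original_dst(conntrack, client, local_addr):
    """What a NAT lookup (SO_ORIGINAL_DST) yields on the Squid box: the
    pre-DNAT destination if *this* box performed the DNAT, otherwise only
    the local socket address, i.e. Squid's own listening IP:port."""
    return conntrack.get(client, local_addr)


def check_intercepted(conntrack, client, local_addr, host_header, via_header):
    """Return (verdict, upstream) for one intercepted request.

    client     -- (ip, port) of the TCP peer
    local_addr -- (ip, port) the connection was accepted on
    """
    upstream = original_dst(conntrack, client, local_addr)

    # 1. Forwarding-loop detection: Via already names this proxy, so this
    #    request has been through us before.
    if any(SQUID_HOSTNAME in hop for hop in via_header.split(",")):
        return "forwarding loop detected", None

    # 2. Host header verification (the CVE-2009-0801 mitigation): the real
    #    destination IP must be one the Host: name actually resolves to.
    host = host_header.split(":")[0].lower()
    if upstream[0] not in DNS.get(host, set()):
        # Squid logs "host header forgery detected"; the request may only be
        # relayed to the pre-NAT IP it was already going to, and not cached.
        return "host header forgery detected", upstream

    return "ok", upstream


def scenarios():
    """Four constructed requests showing what the placement of the DNAT changes."""
    client = ("192.168.1.20", 51000)          # assumed LAN client
    local = (SQUID_IP, SQUID_PORT)
    via = f"1.1 {SQUID_HOSTNAME} (squid/3.3.8)"
    return {
        # DNAT done on the Squid box: conntrack still holds the real server.
        "squid_box_dnat": check_intercepted(
            {client: ("93.184.216.34", 80)}, client, local, "example.com", ""),
        # DNAT done on the Mikrotik: the Squid box has no conntrack entry, so
        # the "original" destination collapses to Squid's own socket.
        "router_dnat": check_intercepted(
            {}, client, local, "example.com", ""),
        # Same setup one hop later: Squid's own upstream connection to
        # 10.10.10.2:8080 was intercepted again and already carries our Via.
        "router_dnat_loop": check_intercepted(
            {}, (SQUID_IP, 40000), local, "example.com", via),
        # The attack the check exists for: TCP to an attacker's IP with a
        # forged Host: for a site the victim trusts (cache poisoning attempt).
        "forged_host": check_intercepted(
            {client: ("203.0.113.66", 80)}, client, local, "bank.example", ""),
    }


if __name__ == "__main__":
    for name, (verdict, upstream) in scenarios().items():
        print(f"{name:18} -> {verdict}; upstream={upstream}")
```

The "router_dnat" case returns the forgery verdict with upstream 10.10.10.2:8080, which is the "local=SquidIP:8080 ... does not match any domain" alert from the original post followed by the loop; the "forged_host" case shows the same check refusing to treat an attacker-chosen IP as bank.example.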
Alex Samad
2015-06-27 07:48:19 UTC
Post by Amos Jeffries
That is no longer permitted since Squid-3.2. The DNAT can only happen
once, and that must be on the Squid machine so Squid can lookup the NAT
tables and unmangle the original dst-IP.
You need to use routing rules on the Mikrotik (or tunnel sometimes works
too) to deliver the original client generated packet to the Squid
machine without NAT changing the dst-IP:port details (SNAT is fine, but
will cause lies about client IP in the access.log).
Okay good to know.

Alex
Marcel
2015-06-28 11:39:01 UTC
Hi Dalmar
One question: how many interfaces does your Squid box have?
--
Marcel Fossua
Unix/Linux Network Administrator
Tel: 0240 222299448
www.guineanet.net / www.familyfossua.com
Dalmar
2015-06-28 10:37:01 UTC
To begin with, thank you Marcel, Alex and Amos for your help, guys; I am
really so close because of you. I have done exactly what Marcel told me and
now all transparent/intercept errors are gone. It worked nicely when I used
two Mikrotiks, one for the WAN and the other for the LAN connection; however,
when I use one Mikrotik it says TCP_MISS_ABORTED and NONE_ABORTED. In this
situation Squid gets internet from the MK LAN port using a public IP and I
can ping the net, but Squid throws the above error in the access.log. The
topology I want to use is INTERNET >> MK >> SQUID.
I think the iptables rules will change. The Mikrotik has 3 NICs now, but I
can add 1 more so it becomes eth0:WAN eth1:LAN eth2:PROXY-LAN
eth3:PROXY-WAN.

NB: it says "Your message to squid-users awaits moderator approval, Message
body is too big" for all my replies! So sorry for the delay.

Thanks in advance.
Amos Jeffries
2015-06-28 11:11:13 UTC
Post by Dalmar
To begin with, thank you Marcel, Alex and Amos for your help, guys; I am
really so close because of you. I have done exactly what Marcel told me and
now all transparent/intercept errors are gone. It worked nicely when I used
two Mikrotiks, one for the WAN and the other for the LAN connection; however,
when I use one Mikrotik it says TCP_MISS_ABORTED and NONE_ABORTED. In this
situation Squid gets internet from the MK LAN port using a public IP and I
can ping the net, but Squid throws the above error in the access.log. The
topology I want to use is INTERNET >> MK >> SQUID.
I think the iptables rules will change. The Mikrotik has 3 NICs now, but I
can add 1 more so it becomes eth0:WAN eth1:LAN eth2:PROXY-LAN
eth3:PROXY-WAN.
You should not need extra NICs for this. The Mikrotik rules just need to
distinguish the flows clearly.

a) LAN->WAN dst port TCP/80 use gateway eth2
b) *->WAN use gateway eth0
c) *->Squid use gateway eth2
d) *->LAN use gateway eth1
Post by Dalmar
NB: it says Your message to squid-users awaits moderator approval , Message
body is too big ,for all my replays! so sorry for the delay.
NP: We have a 40KB size limit on posts to these lists. Moderation for
others and the moderators procrastinate.

Amos
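The flows (a)-(d) above, together with the iptables rules from the original post on the Squid box, can be followed as a model. The Python below is an added example, not RouterOS or iptables configuration and not from anyone in this thread; the subnets, addresses and interface names are assumptions. It shows why rule (a) has to match LAN sources only: with the looser "any source, port 80, via eth2" rule that people often write, Squid's own upstream connection is routed back to eth2, exempted from DNAT by the `-s $SQUIDIP` rule, forwarded by the Squid box's routing table back to the Mikrotik, and ping-pongs until its TTL runs out. It also shows the mangle DROP rule stopping a direct connection to the intercept port before the nat table is consulted.

```python
# Added illustration (not RouterOS or iptables code): a model of the packet
# path through the Mikrotik policy-routing rules (a)-(d) and the iptables
# rules from the original post on the Squid box. Networks, addresses and
# interface names are assumptions.
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed: behind Mikrotik eth1
PROXY_NET = ipaddress.ip_network("10.10.10.0/30")  # assumed: eth2 link to the Squid box
SQUID_IP = "10.10.10.2"                            # assumed Squid address on that link
SQUID_PORT = 8080


def mikrotik_gateway(src, dst, proto, dport, strict=True):
    """Routing decision on the Mikrotik for one packet (first match wins).

    strict=True  : rule (a) matches only LAN sources, as written above.
    strict=False : the common mistake, 'any source, dst port 80, via eth2',
                   which also catches Squid's own upstream connections.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in LAN:
        return "eth1"                                          # (d) *->LAN
    if d in PROXY_NET:
        return "eth2"                                          # (c) *->Squid
    if proto == "tcp" and dport == 80 and (s in LAN or not strict):
        return "eth2"                                          # (a) LAN->WAN:80 via the proxy
    return "eth0"                                              # (b) *->WAN


def squid_box_prerouting(src, dst, proto, dport, conntrack):
    """The iptables rules from the original post, in the order the kernel
    evaluates them (mangle PREROUTING before nat PREROUTING)."""
    if proto == "tcp" and dport == SQUID_PORT:
        return "DROP", None                 # mangle: no direct hits on the intercept port
    if proto == "tcp" and dport == 80:
        if src == SQUID_IP:
            return "ACCEPT", (dst, dport)   # nat: Squid's own outbound traffic is exempt
        conntrack[src] = (dst, dport)       # nat: DNAT; conntrack keeps the original dst
        return "DNAT", (SQUID_IP, SQUID_PORT)
    return "ACCEPT", (dst, dport)


def trace(client_ip, server_ip, strict=True, ttl=6):
    """Follow a client's port-80 connection, and the upstream connection
    Squid opens for it, across router and proxy box until it leaves for the
    WAN, is dropped, or ping-pongs until the TTL budget is exhausted."""
    path, conntrack = [], {}
    src, dst, dport = client_ip, server_ip, 80
    while ttl > 0:
        ttl -= 1
        gw = mikrotik_gateway(src, dst, "tcp", dport, strict)
        path.append(f"MK->{gw}")
        if gw == "eth0":
            return ("ok" if src == SQUID_IP else "bypassed-proxy"), path
        if gw == "eth1":
            return "to-lan", path
        verdict, _ = squid_box_prerouting(src, dst, "tcp", dport, conntrack)
        path.append(f"squid:{verdict}")
        if verdict == "DROP":
            return "dropped", path
        if verdict == "DNAT":
            # Squid reads the pre-NAT destination back from conntrack and
            # opens its own upstream connection from its own address.
            dst, dport = conntrack[src]
            src = SQUID_IP
        # ACCEPT: not addressed to this box, so its routing table sends the
        # packet back out to its default gateway, the Mikrotik.
    return "routing-loop", path


if __name__ == "__main__":
    print(trace("192.168.1.20", "93.184.216.34"))
    print(trace("192.168.1.20", "93.184.216.34", strict=False))
    print(squid_box_prerouting("203.0.113.5", SQUID_IP, "tcp", SQUID_PORT, {}))
```

On RouterOS the "LAN source only" restriction in rule (a) is the src-address match on whichever mark-routing or route rule sends port-80 traffic towards the proxy; the model's strict flag stands in for that match.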
Alex Samad
2015-06-28 23:28:38 UTC
Hi

Thought I would reword what I got from this, to see if I understood.

If Squid and the router (default gateway) are on the same box
then
DNAT to the SQUID listening port and local IP (can you use localhost?
I suppose it doesn't matter)
else
route the packet to the SQUID box (if possible)
DNAT on the SQUID box to the local listening port and IP


Squid is able to look in the NAT table? To confirm what the
destination would be, not what the DNAT'ed IP would be.


Does that sum it up?


Alex
Amos Jeffries
2015-06-29 03:57:13 UTC
Post by Alex Samad
Hi
Thought I would reword what I got from this, to see if I understood.
If Squid and the router (default gateway) are on the same box
then
DNAT to the SQUID listening port and local IP (can you use localhost?
I suppose it doesn't matter)
localhost does matter. Most systems have hardware level protection
preventing localhost IP or lo interface being used for non-local packets.
Post by Alex Samad
else
route the packet to the SQUID box (if possible)
DNAT on the SQUID box to the local listening port and IP
Squid is able to look in the NAT table? To confirm what the
destination would be, not what the DNAT'ed IP would be.
Yes.
Post by Alex Samad
Does that sum it up ?
And yes.

Amos