I'm trying to get a transparent proxy working, but having no luck at all. I have included my squid.conf below for scrutiny (it's mostly uncommented so it's not huge).

My network is as such:

    linux-ws = 192.168.3.69
    squid    = 192.168.2.2

    linux-ws----linux-router1---linux-router2----INTERNET
                                     |
                                     |
                                   squid

linux-router1 does my DNAT via:

    iptables -t nat -A PREROUTING -i eth1 -s 192.168.3.64/27 -p tcp --dport 80 -j DNAT --to 192.168.2.2

When I telnet www.somedomain.com 80 I get the following error:

    bash-3.00$ telnet www.hotbot.com 80
    Trying 209.202.248.100...
    telnet: connect to address 209.202.248.100: Connection refused
    telnet: Unable to connect to remote host: Connection refused

tcpdump shows on linux-router1 one SYN and one RST:

    21:58:30.361794 192.168.3.69.52508 > 192.168.2.2.http: S [tcp sum ok] 2034534829:2034534829(0) win 5840 <mss 1460,sackOK,timestamp 906118859 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 53094, len 60)
    21:58:30.362298 mia-hotbot.lycos.com.http > 192.168.3.69.52508: R [tcp sum ok] 0:0(0) ack 2034534830 win 0 (DF) [tos 0x10] (ttl 62, id 5358, len 40)

On linux-router2 on interface eth0 (coming from my network):

    21:44:30.866510 aaron-workstation.example.com.52511 > 192.168.2.2.http: S [tcp sum ok] 2172620125:2172620125(0) win 5840 <mss 1460,sackOK,timestamp 906262119 0,nop,wscale 2> (DF) [tos 0x10] (ttl 63, id 64314, len 60)
    21:44:30.866766 192.168.2.2.http > aaron-workstation.example.com.52511: R [tcp sum ok] 0:0(0) ack 2172620126 win 0 (DF) [tos 0x10] (ttl 63, id 5361, len 40)

On the squid machine I see:

    21:58:15.984464 IP (tos 0x10, ttl 62, id 19790, offset 0, flags [DF], proto 6, length: 60) 192.168.3.69.52509 > 192.168.2.2.http: S [tcp sum ok] 2075217715:2075217715(0) win 5840 <mss 1460,sackOK,timestamp 906166909 0,nop,wscale 2>
    21:58:16.072100 IP (tos 0x10, ttl 64, id 5359, offset 0, flags [DF], proto 6, length: 40) 192.168.2.2.http > 192.168.3.69.52509: R [tcp sum ok] 0:0(0) ack 2075217716 win 0

And on linux-router2's DSL interface I don't see any packets at all.

My setup works fine when I have it set up as a normal proxy and configure the setting in Firefox on my workstation.

squid.conf:

    #http_port 3128
    #ssl_unclean_shutdown
    maximum_object_size 32768 KB
    memory_replacement_policy heap LFUDA
    #cache_dir aufs /var/spool/squid 6500 32 256
    cache_dir ufs /var/spool/squid 6500 32 256
    # log_ip_on_direct on
    # log_mime_hdrs off
    # useragent_log
    # referer_log
    # ftp_user Squid@
    # ftp_passive on
    # ftp_sanitycheck on
    # redirect_program
    # redirect_children 5
    # redirector_access
    # auth_parm

    # ACL CONTROLS
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl CONNECT method CONNECT
    acl 64net src 192.168.3.64/27
    acl 96net src 192.168.3.96/27
    acl 128net src 192.168.3.128/27
    acl 160net src 192.168.3.160/27
    acl 192net src 192.168.3.192/27

    #Recommended minimum configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    # Deny requests to unknown ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    #
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    http_access deny to_localhost
    http_access allow 64net
    http_access allow 96net
    http_access allow localhost
    http_access deny all
    http_reply_access allow all
    # cache_mgr root
    # cache_effective_user squid
    # cache_effective_group squid

    # HTTPD-ACCELERATOR OPTIONS
    httpd_accel_host virtual
    # httpd_accel_host
    httpd_accel_port 80
    # httpd_accel_port 3128
    httpd_accel_single_host off
    # httpd_accel_with_proxy off
    httpd_accel_with_proxy on
    # httpd_accel_uses_host_header off
    httpd_accel_uses_host_header on

    # MISCELLANEOUS
    logfile_rotate 30
    # append_domain .yourdomain.com
    # err_html_text
    # memory_pools on
    # forwarded_for on
    # TAG: cachemgr_passwd
    # Specify passwords for cachemgr operations.
    #
    # Usage: cachemgr_passwd password action action ...
    #
    # Some valid actions are (see cache manager menu for a full list):
    #Example:
    # cachemgr_passwd secret shutdown
    # cachemgr_passwd lesssssssecret info stats/objects
    # cachemgr_passwd disable all
    #
    #Default:
    # none
    # client_db on
    # always_direct
    # never_direct
    #chroot
    # client_persistent_connections on
    # server_persistent_connections on
    # TAG: high_response_time_warning (msec)
    # If the one-minute median response time exceeds this value,
    # Squid prints a WARNING with debug level 0 to get the
    # administrators attention. The value is in milliseconds.
    #
    #Default:
    # high_response_time_warning 0
    # TAG: high_page_fault_warning
    # If the one-minute average page fault rate exceeds this
    # value, Squid prints a WARNING with debug level 0 to get
    # the administrators attention. The value is in page faults
    # per second.
    #
    #Default:
    # high_page_fault_warning 0
    # TAG: high_memory_warning
    # If the memory usage (as determined by mallinfo) exceeds
    # value, Squid prints a WARNING with debug level 0 to get
    # the administrators attention.
    #
    #Default:
    # high_memory_warning 0
    # ie_refresh off

Thanks in advance,
Aaron Martinez
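
An added check, not part of the original post and not Squid or iptables project code: it compares the address and port the posted DNAT rule delivers packets to with the ports the posted squid.conf listens on. The function names are hypothetical, and it assumes Squid falls back to port 3128 when no http_port line is active and that httpd_accel_port names the origin server's port rather than a listening port.

```python
import re

SQUID_DEFAULT_PORT = 3128  # assumption: Squid's default when no http_port line is active

def dnat_target(rule):
    """Return the (ip, port) an iptables DNAT rule delivers matching packets to."""
    tokens = rule.split()
    def opt(name):
        return tokens[tokens.index(name) + 1] if name in tokens else None
    dest = opt("--to-destination") or opt("--to")
    if opt("-j") != "DNAT" or dest is None:
        raise ValueError("not a DNAT rule")
    ip, _, port = dest.partition(":")
    # With no ":port" in the target, DNAT keeps the original destination port.
    port = port or opt("--dport")
    if port is None:
        raise ValueError("rule names no destination port")
    return ip, int(port)

def squid_listen_ports(conf_text):
    """Ports from active http_port lines, or the default if there are none."""
    ports = []
    for line in conf_text.splitlines():
        active = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"http_port\s+(?:\S+:)?(\d+)", active)
        if m:
            ports.append(int(m.group(1)))
    return ports or [SQUID_DEFAULT_PORT]

def check(rule, conf_text):
    ip, port = dnat_target(rule)
    listening = squid_listen_ports(conf_text)
    return {"dnat_to": (ip, port), "squid_ports": listening, "match": port in listening}

# Rule and squid.conf lines as posted above.
POST_RULE = ("iptables -t nat -A PREROUTING -i eth1 -s 192.168.3.64/27 "
             "-p tcp --dport 80 -j DNAT --to 192.168.2.2")
POST_CONF = """\
#http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
"""
# Constructed variant (not from the post): same rule with an explicit target port.
VARIANT_RULE = POST_RULE + ":3128"

if __name__ == "__main__":
    for rule in (POST_RULE, VARIANT_RULE):
        print(check(rule, POST_CONF))
```

A mismatch here is consistent with the RST from 192.168.2.2.http in the captures, since a host answers a SYN to a closed port with a reset.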