Hi Amos,

Thanks for the reply. My Squid is 3.1.19. I am trying to use OpenFlow to automate the deployment of Squid in my organization. When the OpenFlow controller sees a new HTTP packet, it modifies its destination IP and port to that of Squid and sends it back. Thus, I expected I will not need iptables rules here. I am a bit confused about how Squid does DNAT. Can you point me to some document?

Thanks

On Wed, Jul 25, 2012 at 8:11 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 26.07.2012 13:54, Abhishek Chanda wrote:
>>
>> Hi all,
>>
>> I observed two more things:
>> 1. I ran wireshark on the Squid box and observed that the client is
>> looking for a service called ndl-aas on port 3128. But no such service
>> is running on the system.
>
>
> Normal if your /etc/services is listing the IANA registrations instead of
> the SANS registrations.
>
> You can change the port 3128 entry in that file to "http-proxy" to make it
> show Squid clearer.
>
>
>> 2. netstat shows that Squid listens on IPv6 addresses (shows tcp6 for
>> port 3128).
>>
>> Are these normal and expected?
>
>
> Normal for IPv6-enabled Squid.
>
>
>>
>> Thanks
>>
>>
>> On Wed, Jul 25, 2012 at 5:26 PM, Abhishek Chanda wrote:
>>>
>>> Hi all,
>>>
>>>
>>> I am trying to set up a topology like the one shown below where Squid
>>> will be a transparent proxy. I have a restriction so that I cannot use
>>> iptables to redirect traffic to Squid. So, there is a daemon in Box
>>> that captures HTTP traffic from Client and re-writes its destination
>>> IP to point to Squid and destination port to 3128. All boxes can
>>> access each other. The problem is, I ran tcpdump on all boxes and I do
>>> see traffic arriving at Squid, but Squid does not register a MISS or
>>> HIT. The actual data still comes from Apache. Do I need to re-write
>>> any HTTP header or some other configuration for this?
>>>
>>> Client ------- Box ------- Squid --------- Apache
>>>
>>> Thanks
>
>
> Squid version?
>
> Squid requires some way to determine that the mapping has taken place, and
> to identify what the original details were.
> The standard NAT functionality on your box usually provides this for DNAT
> via socket options.
>
> Question is why you can't use the built-in software?
>
> Amos
>
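Added example (not part of the thread and not Squid's own code) illustrating the "socket options" mechanism Amos describes: on Linux, a process that accepted a DNAT-redirected connection asks the kernel for the pre-rewrite destination with getsockopt(SOL_IP, SO_ORIGINAL_DST), and the answer comes from the host's own conntrack/NAT table. A rewrite performed upstream, for instance by a switch driven by an OpenFlow controller, leaves no NAT record on the Squid box, so the kernel either has nothing to report or reports the already-rewritten address, and the proxy cannot tell that interception happened. The constant SO_ORIGINAL_DST (80) is taken from linux/netfilter_ipv4.h; the sample addresses are constructed documentation values, and the helper names are this example's own.

```python
import socket
import struct

# From <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw):
    """Decode the struct sockaddr_in that getsockopt(SOL_IP, SO_ORIGINAL_DST) fills in.

    Linux layout: sa_family (2 bytes, host byte order), sin_port (2 bytes,
    network byte order), sin_addr (4 bytes), then 8 bytes of zero padding.
    Returns (dotted_ip, port).
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in needs at least 8 bytes, got %d" % len(raw))
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr (family=%d)" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port


def sample_sockaddr_in(ip, port):
    """Build a constructed sockaddr_in in the same layout, for offline testing."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))


def original_destination(conn):
    """Return (ip, port) the client originally dialled, or None when the kernel
    has no NAT record for this connection (conntrack absent or no DNAT applied)."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    return parse_sockaddr_in(raw)


def mapping_detected(original, local):
    """A transparent proxy only knows it was intercepted when the kernel's answer
    exists and differs from the address the accepting socket is bound to."""
    return original is not None and tuple(original) != tuple(local)


def describe(conn):
    """Human-readable verdict for one accepted connection."""
    local = conn.getsockname()[:2]
    original = original_destination(conn)
    if mapping_detected(original, local):
        return "DNAT on this host: client wanted %s:%d, landed on %s:%d" % (original + local)
    return "no local NAT record; only %s:%d is known (an upstream rewrite is invisible)" % local


if __name__ == "__main__":
    # Loopback self-check: a plain connection with no DNAT, so describe() reports
    # that nothing was mapped, which is what Squid sees when the rewrite was done
    # somewhere other than this host's NAT.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    print(describe(conn))
    for s in (conn, cli, srv):
        s.close()
```

This is the same lookup Squid performs for a port configured in NAT-interception mode (the `intercept` option on `http_port`); without a NAT entry on the Squid host the lookup yields nothing useful, so the request is not recognised as an intercepted one, which is consistent with the missing HIT/MISS log entries described in the thread.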