Hello Amos,

Thank you for your help. I didn't notice that I have dnsmasq, but I stopped the dnsmasq service and still get the same error.

I am using DNAT at the Mikrotik (a masquerading rule) and still the same NATing. For example, NAT:

add chain=dstnat src-address=0.0.0.0/0 protocol=tcp dst-port=80 action=dstnat to-addresses=192.168.10.4 to-ports=3128

This example works with Squid 2.7, but right now I have changed the rules and made a mark-route rule, though I really want to use NAT instead of a gateway route. Stopping dnsmasq didn't help.

Another question: if I buy this SSL certificate, http://www.digicert.com/welcome/ssl-plus.htm, will I then get rid of the certificate errors at the client IE? And is there by any chance a way to stay with the fake CA which was generated from the OpenSSL .pem, keep using it and ignore all errors?

Thank you
Ghassan

On Mon, Feb 18, 2013 at 5:08 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 18/02/2013 2:47 p.m., Ghassan Gharabli wrote:
>>
>> Hello,
>>
>> I've been trying to solve this problem for the past three days but
>> wasn't successful.
>>
>> I want to set up an interception proxy with DNAT.
>>
>> SQUID ---> MIKROTIK Router ----> CLIENT PC
>>
>> Squid configure options: --enable-ssl --enable-ssl-crtd
>> --enable-icap-client --with-filedescriptors=8192
>> --enable-ltdl-convenience
>>
>> My Squid config:
>> -----------------------
>> #
>> # Recommended minimum configuration:
>> #
>>
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src fc00::/7 # RFC 4193 local private network range
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> #
>> # Recommended minimum Access Permission configuration:
>> #
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>>
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>>
>> # Deny CONNECT to other than secure SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> #http_access deny to_localhost
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>>
>> http_port 0.0.0.0:8080
>> http_port 0.0.0.0:3128 intercept
>> #http_port 192.168.10.4:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/ssl_cert/myCA.pem
>> #https_port 192.168.10.4:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/ssl_cert/myCA.pem
>>
>> cache_dir ufs /usr/local/squid/var/cache/squid 10000 16 256
>>
>> # Leave coredumps in the first cache dir
>> coredump_dir /usr/local/squid/var/cache/squid
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> always_direct allow all
>> acl broken_sites dstdomain .example.com
>> ssl_bump none localhost
>> ssl_bump none broken_sites
>> ssl_bump server-first
>>
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
>> sslproxy_cert_adapt setCommonName
>> #sslproxy_cert_sign signTrusted
>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 10MB
>> sslcrtd_children 5
>>
>> forwarded_for transparent
>> #visible_hostname cache2.skydsl.net
>> #offline_mode on
>> maximum_object_size 100000 KB
>>
>> ERROR I AM GETTING:
>> ----------------------------------
>> The following error was encountered while trying to retrieve the URL:
>> http://www.cnn.com/
>> Connection to 192.168.10.4 failed.
>> The system returned: (111) Connection refused
>> The remote host or network may be down. Please try the request again.
>> ----------------------------------
>>
>> I tried everything that was mentioned at
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>>
>> [root@cache2 ~]# iptables -t nat --list-rules
>> -P PREROUTING ACCEPT
>> -P INPUT ACCEPT
>> -P OUTPUT ACCEPT
>> -P POSTROUTING ACCEPT
>> -A PREROUTING -s 192.168.10.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
>> -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
>> -A POSTROUTING -j MASQUERADE
>>
>> [root@cache2 ~]# iptables -t mangle --list-rules
>> -P PREROUTING ACCEPT
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>> -P POSTROUTING ACCEPT
>> -A PREROUTING -s 192.168.10.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
>>
>> What do you think the problem might be?
>
>
> Those settings are correct for Squid and the Squid box iptables. So the
> problem is being introduced elsewhere ...
>
> ... something along the route between client and Squid box is setting the
> cnn.com destination IP address to 192.168.10.4.
>
> The Mikrotik doing DNAT?
> Some DNS forgery sending the client to that IP directly? (dnsmasq)
>
>
> Amos
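The following model, added here and not part of the thread or of Squid itself, walks a client packet through the two router options Ghassan mentions (the Mikrotik dstnat rule versus a mark-route to the Squid box) and then through the Squid box's own PREROUTING rules, to show why Amos points at the router's DNAT. It tracks only the pre-NAT destination IP that the kernel's NAT table would hand back to an intercept port; the client address and the cnn.com address are constructed placeholders, and the port handling inside Squid is simplified.

```python
from dataclasses import dataclass, replace

# Addresses from the thread; the other two are constructed for this model.
SQUID_IP = "192.168.10.4"
SQUID_PORT = 3128
CNN_IP = "203.0.113.10"          # constructed stand-in for www.cnn.com
CLIENT_IP = "192.168.10.50"      # constructed client PC behind the Mikrotik


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def mikrotik_dstnat(pkt: Packet) -> Packet:
    """Router rule from the thread: dst-port=80 action=dstnat
    to-addresses=192.168.10.4 to-ports=3128. The real destination is
    overwritten one hop before Squid ever sees the packet."""
    if pkt.dport == 80:
        return replace(pkt, dst=SQUID_IP, dport=SQUID_PORT)
    return pkt


def mikrotik_mark_route(pkt: Packet) -> Packet:
    """Mark-route alternative: the Squid box becomes the next hop,
    but the IP header is left untouched."""
    return pkt


def squid_box_prerouting(pkt: Packet):
    """Squid box nat PREROUTING from the thread: Squid's own traffic is
    ACCEPTed, everything else to port 80 is REDIRECTed to 3128. Returns the
    packet as delivered plus the conntrack 'original destination'."""
    original_dst = (pkt.dst, pkt.dport)          # recorded before any local NAT
    if pkt.dport == 80 and pkt.src != SQUID_IP:
        pkt = replace(pkt, dst=SQUID_IP, dport=SQUID_PORT)
    return pkt, original_dst


def squid_upstream(original_dst):
    """Simplified intercept port: forward to the pre-NAT destination. If that
    is Squid's own address, the proxy tries to reach itself, which is the
    'Connection to 192.168.10.4 failed' symptom in the thread."""
    ip, _port = original_dst
    return ("LOOP" if ip == SQUID_IP else "OK", ip)


def simulate(router_step):
    client_pkt = Packet(src=CLIENT_IP, dst=CNN_IP, dport=80)
    delivered, original_dst = squid_box_prerouting(router_step(client_pkt))
    assert (delivered.dst, delivered.dport) == (SQUID_IP, SQUID_PORT)  # Squid gets it either way
    return squid_upstream(original_dst)
```

Run `simulate(mikrotik_dstnat)` and `simulate(mikrotik_mark_route)` to compare: only the mark-route path leaves the cnn.com address in the NAT table for Squid to recover.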